Researchers at the Vrije Universiteit Amsterdam have revealed a new side-channel attack called SLAM that can be used to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.
The attack is an end-to-end exploit for Specter based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).
“SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data,” VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.
While LAM is presented as a security feature, the study found that it ironically degrades security and “dramatically” increases the Specter attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via a cache covert channel.
Intel says in its terminology document, “A transient execution attack exploits microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that is normally restricted by architectural access control mechanisms. “
Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates practical exploitation of generic Specter gadgets to leak valuable information. It affects the following CPUs –
- Current AMD CPUs are vulnerable to CVE-2020-12965
- Future Intel CPUs support LAM (both 4- and 5-level paging)
- Future AMD CPUs support UAI and 5-level paging
- Future Arm CPUs support TBI and 5-level paging
“Arm systems already mitigate against Specter v2 and BHB, and it is the software’s responsibility to protect itself against Specter v1,” Arm said in an advisory. “The described techniques only increase the attack surface of existing vulnerabilities such as Specter v2 or BHB by increasing the number of exploitable gadgets.”
AMD also pointed to the current Specter v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance ahead of future releases of Intel processors supporting LAM. In the interim, Linux maintainers have developed patches to disable LAM by default.
The findings come nearly two months after VUSec shed light on Quarantine, a software-only approach to mitigate transient execution attacks and achieve physical domain isolation by partitioning the Last level cache (LLC) to give every security domain exclusive access to a different part of the LLC with the goal of eliminating LLC covert channels.
“Quarantine’s physical domain isolation isolates different security domains on different cores to prevent them from sharing corelocal microarchitectural resources,” the researchers said. “Furthermore, it unshares the LLC, dividing it between security domains.”
