The hardware-based mitigations introduced in Intel and ARM CPUs over the past few years to fix a serious flaw called Spectre are not as strong as believed. Researchers have devised a new attack method that can defeat the defences, but exploitation is not as easy as with the original flaw.
The new attack, discovered by researchers from the Systems and Network Security Group at VU Amsterdam (VUSec) is called Spectre-BHI, for Branch History Injection, or Spectre-BHB, for Branch History Buffer, because Intel and ARM assigned different names to it.
According to the research team, it is an extension of the 2017 Spectre version 2 attack, also known as Spectre-BTI (Branch Target Injection) and, similarly to Spectre v2, can result in the leak of sensitive information from the privileged kernel memory space.
The proof-of-concept exploit created by the VUSec researchers leaks the hash of the root password from the /etc/shadow file by using an unprivileged account. The /etc/shadow file is a system file on Linux that is only accessible to the root administrative account.
Essentially, the exploit forces the kernel to load the file into memory, where it would normally be protected from access by unprivileged processes, but then leverages the Spectre-BHI attack to access and leak its contents. This is a major security breach of the fundamental security boundary in modern operating systems that separates user mode applications and memory space from privileged kernel memory space.
What is Spectre?
Spectre is a class of security vulnerabilities, originally disclosed by January 2017, that stem from a performance-related feature of modern CPUs called speculative execution where the CPU tries to predict in advance which path a program's execution will take when it reaches a conditional branch and execute instructions on that path in advance.
If the prediction, which is based on internal algorithms, turns out to be bad, the results stored in temporary CPU caches are discarded. Speculative execution attacks like Spectre, and many others that followed, trick this mechanism to leak information from temporary caches that act as side channels.
"Back in the days when Spectre was found, you could easily exploit Branch Target Injection (BTI or Spectre-v2), the most dangerous Spectre variant, across privilege levels," the VUSec researchers explain.
"For example, an unprivileged user land attacker could feed any branch target to the indirect branch predictor from user land and trick the kernel into speculatively jumping into the injected target code location and executing the code found there."
To mitigate the risk, software vendors such as Google and the Linux kernel developers came up with software-based solutions such as retpoline. While these were effective, they introduced a significant performance hit, so CPU vendors later developed hardware-based defences. Intel's is called EIBRS and ARM's is called CSV2.
"These solutions are complex—read the paper to learn more about them—but the gist of them is that the predictor 'somehow' keeps track of the privilege level (user/kernel) in which a target is executed," the VUSec researchers explain.
"And, as you may expect, if the target belongs to a lower privilege level, kernel execution won’t use it (i.e., no more arbitrary attacker-provided code locations to speculatively hijack the kernel control flow into)."
The problem, however, is that the CPU's predictor relies on a global history to select the target entries to speculatively execute and, as the VUSec researchers proved, this global history can be poisoned.
In other words, while the original Spectre v2 allowed attackers to actually inject target code locations and then trick the kernel to execute that code, the new Spectre-BHI/BHB attack can only force the kernel to mis-predict and execute interesting code gadgets or snippets that already exist in the history and were executed in the past, but which might leak data.
"Are Intel eIBRS and Arm CSV2 broken? Sort of," the researchers said. "That is, the mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed. [...] Nevertheless, finding exploitable gadgets is harder than before since the attacker can’t directly inject predictor targets across privilege boundaries."
Mitigating the new Spectre-BHI vulnerability
Intel tracks the new Spectre-BHI vulnerability as CVE-2022-0001, for the cross-privilege variation and CVE-2022-0002 for the same-privilege variation. ARM tracks it as CVE- 2022-23960 for both variations.
According to Intel, most of the company's CPUs are affected aside from those in the Atom family. For ARM, the vulnerable CPUs are Cortex-A15, Cortex-A57, Cortex-A72, Cortex-A73, Cortex-A75, Cortex-A76, Cortex-A76AE, Cortex-A77, Cortex-A78, Cortex-A78AE, Cortex-A78C, Cortex-X1, Cortex-X2, Cortex-A710, Neoverse N1, Neoverse N2, and Neoverse V1.
Both companies have released advisories and will make software mitigations available for now. ARM has five different mitigations depending on the system.
For their Linux exploit, the VUSec researchers abused eBPF, a technology available since kernel 4.4 that can run sandboxed programs in an operating system kernel.
While eBPF is not part of the underlying problem and other code gadgets can be found to leak data, the presence of unprivileged eBPF "does tremendously facilitate speculative execution (and other) attacks," according to the researchers. That's why they recommend disabling it and some Linux distributions have started disabling it by default.