A new transient execution attack, Spectre based on Linear Address Masking (SLAM), lets an unprivileged process leak sensitive data from existing AMD CPUs. Upcoming Intel, AMD and Arm CPUs that add comparable address-masking features are also at risk.
Unlike earlier attacks on newly introduced transient execution techniques, SLAM exploits a previously unexplored class of Spectre disclosure gadgets.
Researchers from VUSec discovered the technique. Traditional Spectre disclosure gadgets are code snippets that use secret data to index into an array. SLAM instead targets pointer-chasing snippets, so-called ‘unmasked’ gadgets, in which the secret data is used directly as a pointer.
That code pattern is far more common: SLAM’s gadget scanner identified tens of thousands of such gadgets in the Linux kernel alone, which potentially makes them easier to exploit. The code and data are available on GitHub, and the researchers have published a more thorough technical analysis alongside them.
One of SLAM’s key results is that exploiting unmasked gadgets allows a userland process to leak arbitrary ASCII kernel data. In a video demonstration, the researchers leaked the root password hash within half a minute on the latest Ubuntu release, with the upcoming Intel LAM feature emulated.
The affected processors are existing AMD CPUs vulnerable to CVE-2020-12965, future Intel CPUs supporting LAM, future AMD CPUs supporting UAI (Upper Address Ignore) and 5-level paging, and future Arm CPUs supporting TBI (Top Byte Ignore) and 5-level paging.
The researchers also describe a new covert channel they developed to leak data through unmasked gadgets. SLAM shows that canonicality checks, which normally stop a non-canonical value from being used as a pointer, can be transiently bypassed, either through a linear address masking feature such as LAM or, on existing CPUs with weak checks, through a microarchitectural race condition.
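The gadget distinction and the canonicality argument above are easiest to see in code. The following is an added example, not code from VUSec or from the SLAM repository: it models the conventional canonicality check and the relaxed checks Intel documents for LAM48 (bits 62..48 ignored, bit 63 must equal bit 47) and LAM57 (bits 62..57 ignored, bit 63 must equal bit 56), and asks whether a word of leaked ASCII kernel data would survive each check when an unmasked gadget uses it as a pointer. The function names, the `lam_mode` enumeration and the sample bytes (`"root:$6$"`, the start of a shadow-style line) are constructed for the illustration; the two gadget shapes appear only as comments because real ones dereference attacker-chosen memory. Timing, the covert channel and the AMD race condition are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Two gadget shapes, shown only as comments because each dereferences
 * attacker-influenced memory and must never be executed here:
 *
 *   masked   (classic Spectre v1):  value = probe[secret * 4096];
 *   unmasked (pointer chasing):     value = *(uint64_t *)secret;
 *
 * In the unmasked shape the secret itself becomes the address. Whether the
 * transient load ever reaches the cache hierarchy depends on the CPU's
 * canonicality check, modelled below.
 */

/* Conventional check: bits 63..va_bits-1 must all equal bit va_bits-1.
 * va_bits is 48 for 4-level paging and 57 for 5-level paging. */
bool is_canonical(uint64_t addr, unsigned va_bits) {
    uint64_t top = addr >> (va_bits - 1);             /* bits 63..va_bits-1 */
    uint64_t all = (1ULL << (64 - va_bits + 1)) - 1;  /* same width, all ones */
    return top == 0 || top == all;
}

/* Modes modelled (hypothetical enum): no masking with 4- or 5-level paging,
 * and Intel LAM48 / LAM57 as documented by Intel. The ignored bits are
 * intended for software metadata such as pointer tags. */
typedef enum { NOLAM_48, NOLAM_57, LAM_48, LAM_57 } lam_mode;

bool lam_canonical(uint64_t addr, lam_mode mode) {
    switch (mode) {
    case NOLAM_48: return is_canonical(addr, 48);
    case NOLAM_57: return is_canonical(addr, 57);
    case LAM_48:   return ((addr >> 63) & 1) == ((addr >> 47) & 1);
    case LAM_57:   return ((addr >> 63) & 1) == ((addr >> 56) & 1);
    }
    return false;
}

/* The linear address that would actually be translated once LAM has masked
 * the metadata bits: bits 62..48 (LAM48) or 62..57 (LAM57) are replaced by
 * copies of bit 47 or bit 56. Without LAM the address is unchanged. */
uint64_t lam_mask(uint64_t addr, lam_mode mode) {
    unsigned keep = mode == LAM_48 ? 48 : mode == LAM_57 ? 57 : 0;
    if (keep == 0)
        return addr;
    uint64_t low_mask = (1ULL << keep) - 1;
    uint64_t sign = (addr >> (keep - 1)) & 1;
    return (sign ? ~low_mask : 0) | (addr & low_mask);
}

/* Build the 64-bit word an unmasked gadget would load from 8 bytes of
 * kernel memory (x86 is little-endian, so byte 7 lands in bits 63..56). */
uint64_t load_le64(const char bytes[8]) {
    uint64_t w = 0;
    for (int i = 7; i >= 0; i--)
        w = (w << 8) | (uint8_t)bytes[i];
    return w;
}

/* Can the unmasked gadget use the leaked word as a pointer transiently,
 * or would the canonicality check stop the load? */
bool unmasked_gadget_usable(uint64_t secret, lam_mode mode) {
    return lam_canonical(secret, mode);
}

int main(void) {
    /* Constructed sample: the first 8 bytes of a shadow-style line. Every
     * printable ASCII byte is below 0x80, so bit 47 (top bit of byte 5) and
     * bit 63 (top bit of byte 7) are both 0, which is exactly what LAM's
     * relaxed check requires, while the conventional check rejects it. */
    uint64_t secret = load_le64("root:$6$");
    const char *names[] = { "no LAM, 4-level", "no LAM, 5-level", "LAM48", "LAM57" };
    for (int m = NOLAM_48; m <= LAM_57; m++)
        printf("%-16s word 0x%016llx -> usable=%d translated=0x%016llx\n",
               names[m], (unsigned long long)secret,
               unmasked_gadget_usable(secret, (lam_mode)m),
               (unsigned long long)lam_mask(secret, (lam_mode)m));
    return 0;
}
```

The point the table makes is the one in the text: the same eight ASCII bytes are a faulting non-canonical address on a conventional CPU and a perfectly valid, translatable pointer once LAM strips the upper bits, so any pointer-chasing snippet becomes a disclosure gadget without the array-index masking that classic Spectre v1 gadgets need.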
In response to SLAM, Intel has announced plans to provide software guidance before the release of processors supporting LAM. Arm also issued a public advisory stating that “whilst Arm’s analysis confirms that these techniques will typically increase the number of exploitable gadgets, Arm systems already mitigate against Spectre v2 and Spectre-BHB. Hence, no action is required in response to the described attack.”
AMD has not published guidance specific to SLAM; instead, it points to existing Spectre v2 mitigations to address the SLAM exploit.