A group of researchers has discovered a new data leakage attack that affects modern CPU architectures that support speculative execution.
Dubbed GhostRace (CVE-2024-2193), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753), and it combines speculative execution with race conditions.
“All common synchronization primitives implemented using conditional branches can be micro-architecturally bypassed on speculative paths using branch misprediction attacks, turning all architecturally race-free critical regions into speculative race conditions (SRCs) and allowing attackers to leak information from the target,” the researchers said.
The research comes from IBM Research Europe's Systems Security Research Group and VUSec. The latter disclosed another side-channel attack targeting modern processors, called SLAM, in December 2023.
Spectre refers to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in memory and bypass application-to-application isolation protections.
Speculative execution is a performance optimization technique used by most CPUs, and Spectre attacks take advantage of the fact that incorrect predictions leave traces of memory accesses and computations in the processor's cache.
“A Spectre attack forces a victim to speculatively perform operations that would not occur if the program's instructions were strictly serialized and processed in order, and those operations leak the victim's sensitive information to an adversary through a covert channel,” the researchers behind the Spectre attack noted in January 2018.
What is notable about GhostRace is that an unauthenticated attacker can exploit it through so-called Speculative Concurrent Use-After-Free (SCUAF) attacks, using race conditions to extract arbitrary data from the processor by gaining access to speculatively executable code paths.
A race condition is an undesirable situation that occurs when two or more processes attempt to access the same shared resource without proper synchronization. This leads to inconsistent outcomes and opens opportunities for attackers to perform malicious actions.
“In terms of characteristics and exploitation strategies, the SRC vulnerability resembles a classic race condition,” the CERT Coordination Center (CERT/CC) explains in its advisory.
“However, the difference is that the attacker exploits race conditions on transiently executed paths originating from mispredicted branches (similar to Spectre v1), targeting racy code snippets or gadgets.”
The end result is that an attacker with access to CPU resources can access arbitrary sensitive data from host memory.
“Software such as operating systems, hypervisors, and other [...] with speculatively executed branches is vulnerable to SRC,” VUSec said.
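The statements above describe the vulnerable pattern in the abstract: a lock whose acquire path is a conditional branch can have its critical region entered speculatively, before the lock check has architecturally resolved. The following is an added example, written for this page and not code from the article, the GhostRace authors, or any of the vendors quoted; it shows a minimal C11 spinlock whose try-lock result is such a branch, next to a hardened variant that places a speculation barrier immediately after the compare-exchange. The choice of LFENCE as the barrier on x86, the compiler-only fence used as a stand-in on other architectures, and the function names are assumptions for illustration, not quotes from the page.

```c
// Added example: conditional-branch lock with and without a speculation
// barrier. Not the article's code or any vendor's patch.
#include <stdatomic.h>
#include <stdbool.h>

typedef struct {
    atomic_int locked;   /* 0 = free, 1 = held */
} spinlock_t;

/* Speculation barrier placed after the lock check. On x86 this is LFENCE;
 * on other ISAs a compiler-only fence is used here purely as a stand-in
 * (assumption: a real port would use that ISA's own speculation barrier). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    atomic_signal_fence(memory_order_seq_cst);
#endif
}

/* Unhardened try-lock: the caller's branch on the returned flag is the
 * conditional branch that a mispredicting core can run past speculatively. */
static inline bool try_lock_plain(spinlock_t *l)
{
    int expected = 0;
    return atomic_compare_exchange_strong_explicit(&l->locked, &expected, 1,
                                                   memory_order_acquire,
                                                   memory_order_relaxed);
}

/* Hardened try-lock: the fence runs right after the compare-exchange, so the
 * code that follows cannot begin before the lock outcome is architecturally
 * known, whichever way the branch was predicted. */
static inline bool try_lock_hardened(spinlock_t *l)
{
    bool acquired = try_lock_plain(l);
    speculation_barrier();
    return acquired;
}

static inline void spin_unlock(spinlock_t *l)
{
    atomic_store_explicit(&l->locked, 0, memory_order_release);
}

/* A critical section guarded by the hardened lock: increments *counter and
 * returns the new value. Spins until the lock is obtained. */
int locked_increment(spinlock_t *l, int *counter)
{
    while (!try_lock_hardened(l)) {
        /* busy-wait; a production lock would pause or yield here */
    }
    int v = ++*counter;
    spin_unlock(l);
    return v;
}
```

Architecturally the two try-lock variants behave identically, which is why the barrier is easy to omit and why the cost of adding it is measured purely in performance; Xen's opt-in LOCK_HARDEN mechanism described below follows the same trade-off.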
Following responsible disclosure, AMD said its existing guidance for Spectre “remains applicable to mitigate this vulnerability.” Administrators of the Xen open source hypervisor acknowledged that all versions are affected, but said it was unlikely to pose a serious security threat.
“Alarmed, the Xen security team has provided an enhanced patch that includes the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN,” Xen said.
“LOCK_HARDEN is off by default because it is uncertain whether a vulnerability exists in Xen, and its performance impact is uncertain. However, we expect further research in this area and believe it is prudent to have a mitigation in place.”