Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.
The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).
“SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data,” VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.
While LAM is presented as a security feature, the study found that it ironically degrades security and “dramatically” increases the Spectre attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via a cache covert channel.
A transient execution attack exploits the microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that architectural access control mechanisms would ordinarily prohibit,” Intel says in its terminology documentation.
Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates the practical exploitation of generic Spectre gadgets to leak valuable information. It impacts the following CPUs –
- Existing AMD CPUs vulnerable to CVE-2020-12965
- Future Intel CPUs supporting LAM (both 4- and 5-level paging)
- Future AMD CPUs supporting UAI and 5-level paging
- Future Arm CPUs supporting TBI and 5-level paging
“Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software’s responsibility to protect itself against Spectre v1,” Arm said in an advisory. “The described techniques only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets.”
AMD has also pointed to current Spectre v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance before the future release of Intel processors that support LAM. In the interim, Linux maintainers have developed patches to disable LAM by default.
The findings come nearly two months after VUSec shed light on Quarantine, a software-only approach to mitigate transient execution attacks and achieve physical domain isolation by partitioning the Last level cache (LLC) to give every security domain exclusive access to a different part of the LLC with the goal of eliminating LLC covert channels.
“Quarantine’s physical domain isolation isolates different security domains on separate cores to prevent them from sharing core local microarchitectural resources,” the researchers said. “Moreover, it unshares the LLC, partitioning it among the security domains.”