Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SLAM attack. Show all posts

Fresh SLAM Attack Extracts Sensitive Data from AMD CPUs and Upcoming Intel Processors

 

Academic researchers have unveiled a novel side-channel attack named SLAM, designed to exploit hardware enhancements meant to bolster security in forthcoming CPUs from major manufacturers like Intel, AMD, and Arm. The attack aims to retrieve the root password hash from the kernel memory through a transient execution technique.

SLAM takes advantage of a memory feature allowing software to utilize untranslated address bits in 64-bit linear addresses for metadata storage. Diverse CPU vendors implement this feature differently, with Intel calling it Linear Address Masking (LAM), AMD labeling it Upper Address Ignore (UAI), and Arm referring to it as Top Byte Ignore (TBI). 

The SLAM attack, an abbreviation for Spectre based on LAM, was identified by researchers at Vrije Universiteit Amsterdam's Systems and Network Security Group (VUSec Group). They demonstrated the attack's viability by emulating the upcoming LAM feature from Intel on a previous-generation Ubuntu system.

According to VUSec, SLAM primarily affects future chips meeting specific criteria due to a lack of robust canonicality checks in their designs. Despite advanced hardware features like LAM, UAI, and TBI improving memory security, they introduce exploitable micro-architectural race conditions.

The attack hinges on a new transient execution technique focusing on exploiting a previously unexplored class of Spectre disclosure gadgets, particularly those involving pointer chasing. Gadgets are manipulable instructions in software code that, when exploited, trigger speculative execution, revealing sensitive information. The SLAM attack specifically targets "unmasked" gadgets using secret data as a pointer, commonly found in software, allowing attackers to leak arbitrary ASCII kernel data.

To demonstrate the attack, researchers developed a scanner identifying hundreds of exploitable gadgets on the Linux kernel. While executing the attack, an attacker must run code on the target system that interacts with unmasked gadgets, measuring side effects with sophisticated algorithms to extract sensitive information like passwords or encryption keys from the kernel memory.

The SLAM attack impacts various processors, including existing vulnerable AMD CPUs, future Intel CPUs supporting LAM, future AMD CPUs supporting UAI and 5-level paging, and future Arm CPUs supporting TBI and 5-level paging. 

In response to SLAM, Arm asserted its systems already mitigate against Spectre v2 and Spectre-BHB, with no further action planned. AMD referenced existing Spectre v2 mitigations, while Intel announced plans for software guidance and the deployment of security extensions before releasing future processors supporting LAM. Meanwhile, Linux engineers have devised patches to disable LAM until further guidance becomes available.