Academic researchers developed a new side-channel attack called SLAM that exploits hardware features designed to improve security in upcoming CPUs from Intel, AMD, and Arm to obtain the root password hash from the kernel memory.
SLAM is a transient execution attack that takes advantage of a memory feature that allows software to use untranslated address bits in 64-bit linear addresses for storing metadata.
CPU vendors implement this in different ways and have distinct terms for it.
Intel calls it Linear Address Masking, AMD names it Upper Address Ignore, and Arm refers to the feature as Top Byte Ignore.
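To make the masking concrete, the following is an added Python model (not code from the researchers or from any vendor) of the 64-bit canonical-address check with the feature off and with Intel's LAM48 and LAM57 modes on; the bit positions it uses are an assumption based on Intel's LAM description, as noted in the code.

```python
# Model of 64-bit linear-address canonicality with and without Intel LAM.
# Added illustration, not code from the SLAM paper or VUSec's repository.
# Assumed bit layout (from Intel's LAM description): classic 4-level paging
# requires bits 63:47 to be copies of bit 47; LAM48 ignores bits 62:48 and
# requires bit 63 == bit 47; LAM57 ignores bits 62:57 and requires
# bit 63 == bit 56.  The ignored bits are where software may keep metadata.

MASK64 = (1 << 64) - 1
SIGN_BIT = {"LAM48": 47, "LAM57": 56}   # assumed per-mode sign bit


def _bit(addr, n):
    return (addr >> n) & 1


def is_canonical_classic(addr, va_bits=48):
    """Pre-LAM check: every bit from va_bits..63 must equal bit va_bits-1."""
    top = _bit(addr, va_bits - 1)
    return all(_bit(addr, n) == top for n in range(va_bits, 64))


def lam_translate(addr, mode):
    """Address the CPU would actually translate, or None if the access
    would fault.  mode is "off", "LAM48" or "LAM57"."""
    if mode == "off":
        return addr if is_canonical_classic(addr) else None
    sign = SIGN_BIT[mode]
    if _bit(addr, 63) != _bit(addr, sign):
        return None                      # fails the relaxed LAM check
    low_mask = (1 << (sign + 1)) - 1
    low = addr & low_mask                # drop the ignored metadata bits
    if _bit(addr, sign):                 # kernel half: sign-extend with 1s
        low |= MASK64 & ~low_mask
    return low


def tag_pointer(addr, tag, mode):
    """Store metadata in the bits the given LAM mode ignores."""
    sign = SIGN_BIT[mode]
    width = 62 - sign                    # 15 bits for LAM48, 6 for LAM57
    if not 0 <= tag < (1 << width):
        raise ValueError("tag does not fit in the masked bits")
    clear = ((1 << width) - 1) << (sign + 1)
    return (addr & ~clear) | (tag << (sign + 1))


if __name__ == "__main__":
    # Constructed sample: a user pointer carrying tag 0x2A in bits 62:48.
    tagged = tag_pointer(0x00007F0000001000, 0x2A, "LAM48")
    print(hex(tagged), is_canonical_classic(tagged),
          lam_translate(tagged, "off"), hex(lam_translate(tagged, "LAM48")))
```

The same tagged pointer faults under the classic check but translates to the untagged address once LAM48 is on, which is the behaviour change the researchers build on.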
Short for Spectre based on LAM, the SLAM attack was discovered by researchers at the Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam, who demonstrated its validity by emulating the upcoming LAM feature from Intel on a last-generation Ubuntu system.
According to VUSec, SLAM impacts mainly future chips that meet specific criteria.
While the advanced hardware features improve memory security and management, they also introduce exploitable micro-architectural race conditions.
The attack leverages a new transient execution technique that focuses on exploiting a previously unexplored class of Spectre disclosure gadgets, specifically those involving pointer chasing.
Gadgets are instructions in software code that the attacker can manipulate to trigger speculative execution in a way that reveals sensitive information.
Although the results of speculative execution are discarded, the process leaves traces like altered cache states which attackers can observe to infer sensitive information such as data from other programs or even the operating system.
The researchers developed a scanner with which they found hundreds of exploitable gadgets in the Linux kernel.
The following video demonstrates the attack that leaks the root password hash from the kernel.
In a practical scenario, an attacker would need to run code on the target system that interacts with the unmasked gadgets and then carefully measure the side effects with sophisticated algorithms to extract sensitive information such as passwords or encryption keys from kernel memory.
The code and data for reproducing the SLAM attack are available on VUSec's GitHub repository.
The researchers also published a technical paper explaining how the attack works.
Vendor response to SLAM
Responding to the researchers' disclosure, Arm published an advisory explaining that its systems already mitigate against Spectre v2 and Spectre-BHB and that it plans no further action in response to SLAM.
AMD also pointed to current Spectre v2 mitigations to address the SLAM attack described by the VUSec research group and did not provide any guidance or updates that would lower the risk.
Intel announced plans to provide software guidance before releasing future processors that support LAM, such as deploying the feature together with the Linear Address Space Separation security extension to prevent speculative address accesses across user/kernel mode.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 07 Dec 2023 00:55:36 +0000