It turns out that the root cause behind several previously disclosed speculative execution attacks against modern processors, such as Meltdown and Foreshadow, was misattributed to 'prefetching effect,' resulting in hardware vendors releasing incomplete mitigations and countermeasures.
Sharing its findings with The Hacker News, a group of academics from the Graz University of Technology and CISPA Helmholtz Center for Information Security finally revealed the exact reason behind why the kernel addresses are cached in the first place, as well as presented several new attacks that exploit the previously unidentified underlying issue, allowing attackers to sniff out sensitive data.
The new research explains microarchitectural attacks were actually caused by speculative dereferencing of user-space registers in the kernel, which not just impacts the most recent Intel CPUs with the latest hardware mitigations, but also several modern processors from ARM, IBM, and AMD — previously believed to be unaffected.
"We discovered that effects reported in several academic papers over the past 4 years were not correctly understood, leading to incorrect assumptions on countermeasures," the researchers told The Hacker News.
"This prefetching effect is actually unrelated to software prefetch instructions or hardware prefetching effects due to memory accesses and instead is caused by speculative dereferencing of user-space registers in the kernel."
Besides analyzing the actual root cause of the prefetching effect, some other key findings from the research are:
Additionally, researchers also demonstrated that the Foreshadow vulnerability on Intel CPUs could be exploited even when the recommended mitigations are enabled. This is made possible due to the fact the attack can be mounted on data not residing in L1 cache on kernel versions containing 'prefetch' gadgets.
The idea behind this is straight-forward. System software relies on the CPU's address translation mechanism to implement isolation among different processes. Each process has its own virtual memory space and cannot access arbitrary physical memory addresses outside of it.
Address translation, thus, acts as an intermediate layer that maps the virtual address space, which is used by a program, to the physical address to a physical address.
The virtual address space also includes a kernel address space to house Linux kernel threads, thus making it easy for the underlying hardware to handle privileged instructions from user threads in kernel mode.
While operating system kernels can be secured against prefetch side-channel attacks via a technique called kernel page-table isolation (KPTI or KAISER) — which enforces a strict kernel and userspace isolation such that the hardware does not hold any information about kernel addresses while running in user mode — the researchers found that it does not guarantee full protection from address-translation attacks, where an attacker tries to check if two different virtual addresses map to the same physical address.
Put differently, the "address-translation attack allows unprivileged applications to fetch arbitrary kernel addresses into the cache and thus resolve virtual to physical addresses on 64-bit Linux systems."
While the original line of thought was that such attacks were related to prefetch instructions, the new finding proves otherwise, thereby validating that KAISER isn't an adequate countermeasure against microarchitectural side-channel attacks on kernel isolation.
Instead, it exploits a Spectre-BTB-SA-IP (Branch Target Buffer, same address, in-place) gadget to cause information leakage, causing speculative execution, and further carry out Meltdown and Foreshadow (L1 Terminal Fault) attacks by bypassing current L1TF mitigations.
Spectre-BTB-SA-IP is a variant of Spectre vulnerability that exploits the Branch Target Buffer — a cache-like component in CPUs that's used for branch prediction — to perform attacks within the same address space and the same branch location.
"The same prefetching effect can be used to perform Foreshadow," the researchers said. "If a secret is present in the L3 cache and the direct-physical map address is derefenced in the hypervisor kernel, data can be fetched into the L1. This reenables Foreshadow even with Foreshadow mitigations enabled if the unrelated Spectre-BTB mitigations are disabled."
"The consequence is that we are able to mount a Foreshadow attack on older kernels patched against Foreshadow with all mitigations enabled and on a fully patched kernel if only Spectre-v2 mitigations are disabled."
To highlight the impact of the side-channel attacks, the researchers established a cache-based covert channel that exfiltrated data from a process running on an Intel Core i7-6500U CPU to another stealthy process, achieving a transmission rate of 10 bit/s to relay a total of 128 bytes from the sender to the receiver process.
Furthermore, the researchers disclosed that it's possible to leak register contents from an SGX enclave of Intel CPUs using a register that's speculatively dereferenced (called "Dereference Trap"), using it to recover a 32-bit value stored in a 64-bit register within 15 minutes.
Lastly, 'certain attacks' can now be mounted remotely using JavaScript in a web browser, and "fill 64-bit registers with an attacker-controlled value in JavaScript by using WebAssembly."
To mitigate these attacks, it's recommended that current CPUs enable Spectre-BTB mitigations, including retpoline (short for "return trampoline"), which aims to prevent branch-target-injection by isolating indirect branches from speculative execution.
Sharing its findings with The Hacker News, a group of academics from the Graz University of Technology and CISPA Helmholtz Center for Information Security finally revealed the exact reason behind why the kernel addresses are cached in the first place, as well as presented several new attacks that exploit the previously unidentified underlying issue, allowing attackers to sniff out sensitive data.
The new research explains microarchitectural attacks were actually caused by speculative dereferencing of user-space registers in the kernel, which not just impacts the most recent Intel CPUs with the latest hardware mitigations, but also several modern processors from ARM, IBM, and AMD — previously believed to be unaffected.
"We discovered that effects reported in several academic papers over the past 4 years were not correctly understood, leading to incorrect assumptions on countermeasures," the researchers told The Hacker News.
"This prefetching effect is actually unrelated to software prefetch instructions or hardware prefetching effects due to memory accesses and instead is caused by speculative dereferencing of user-space registers in the kernel."
Besides analyzing the actual root cause of the prefetching effect, some other key findings from the research are:
- Discovery of several new attacks exploiting the underlying root cause, including an address-translation attack in more restricted contexts, direct leakage of register values in specific scenarios, and an end-to-end Foreshadow exploit targeting non-L1 data.
- A novel cross-core covert channel attack that, in some instances, could let attackers observe caching of the address (or value) stored in a register without relying on shared memory.
- Spectre 'prefetch' gadgets can directly leak actual data, which not only makes ZombieLoad attack efficient on Intel CPUs to leak sensitive data from internal buffers or memory but also impact non-Intel CPUs.
- The speculative dereferencing issue — in certain attacks like Rowhammer, cache attacks, and DRAMA — could let attackers recover the physical addresses of JavaScript variables and exfiltrate information via transient execution remotely via a web browser.
Additionally, researchers also demonstrated that the Foreshadow vulnerability on Intel CPUs could be exploited even when the recommended mitigations are enabled. This is made possible due to the fact the attack can be mounted on data not residing in L1 cache on kernel versions containing 'prefetch' gadgets.
From Address Translation Attack to Foreshadow
The idea behind this is straight-forward. System software relies on the CPU's address translation mechanism to implement isolation among different processes. Each process has its own virtual memory space and cannot access arbitrary physical memory addresses outside of it.
Address translation, thus, acts as an intermediate layer that maps the virtual address space, which is used by a program, to the physical address to a physical address.
The virtual address space also includes a kernel address space to house Linux kernel threads, thus making it easy for the underlying hardware to handle privileged instructions from user threads in kernel mode.
While operating system kernels can be secured against prefetch side-channel attacks via a technique called kernel page-table isolation (KPTI or KAISER) — which enforces a strict kernel and userspace isolation such that the hardware does not hold any information about kernel addresses while running in user mode — the researchers found that it does not guarantee full protection from address-translation attacks, where an attacker tries to check if two different virtual addresses map to the same physical address.
Put differently, the "address-translation attack allows unprivileged applications to fetch arbitrary kernel addresses into the cache and thus resolve virtual to physical addresses on 64-bit Linux systems."
While the original line of thought was that such attacks were related to prefetch instructions, the new finding proves otherwise, thereby validating that KAISER isn't an adequate countermeasure against microarchitectural side-channel attacks on kernel isolation.
Instead, it exploits a Spectre-BTB-SA-IP (Branch Target Buffer, same address, in-place) gadget to cause information leakage, causing speculative execution, and further carry out Meltdown and Foreshadow (L1 Terminal Fault) attacks by bypassing current L1TF mitigations.
Spectre-BTB-SA-IP is a variant of Spectre vulnerability that exploits the Branch Target Buffer — a cache-like component in CPUs that's used for branch prediction — to perform attacks within the same address space and the same branch location.
"The same prefetching effect can be used to perform Foreshadow," the researchers said. "If a secret is present in the L3 cache and the direct-physical map address is derefenced in the hypervisor kernel, data can be fetched into the L1. This reenables Foreshadow even with Foreshadow mitigations enabled if the unrelated Spectre-BTB mitigations are disabled."
"The consequence is that we are able to mount a Foreshadow attack on older kernels patched against Foreshadow with all mitigations enabled and on a fully patched kernel if only Spectre-v2 mitigations are disabled."
Enable Spectre-BTB mitigations such as Retpoline
To highlight the impact of the side-channel attacks, the researchers established a cache-based covert channel that exfiltrated data from a process running on an Intel Core i7-6500U CPU to another stealthy process, achieving a transmission rate of 10 bit/s to relay a total of 128 bytes from the sender to the receiver process.
Furthermore, the researchers disclosed that it's possible to leak register contents from an SGX enclave of Intel CPUs using a register that's speculatively dereferenced (called "Dereference Trap"), using it to recover a 32-bit value stored in a 64-bit register within 15 minutes.
Lastly, 'certain attacks' can now be mounted remotely using JavaScript in a web browser, and "fill 64-bit registers with an attacker-controlled value in JavaScript by using WebAssembly."
To mitigate these attacks, it's recommended that current CPUs enable Spectre-BTB mitigations, including retpoline (short for "return trampoline"), which aims to prevent branch-target-injection by isolating indirect branches from speculative execution.