Researchers have demonstrated the “first native Spectre v2 exploit” for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors.
Spectre v2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam.
The researchers also released a tool that uses symbolic execution to identify exploitable code segments within the Linux kernel to help with mitigation.
The new finding underscores the challenges in balancing performance optimization with security, which makes addressing fundamental CPU flaws complicated even six years after the discovery of the original Spectre.
Speculative execution is a performance optimization technique in which modern processors guess which instructions will be executed next and begin executing them before they know they are needed. As modern processors are extremely powerful, they can predict multiple paths a program may take and execute them simultaneously.
If one of the guesses is correct, the application runs faster. If a guess is wrong, the CPU discards the speculative work and proceeds as usual, with no change in performance.
However, while this feature improves performance, it also introduces security risks by leaving traces of privileged data in CPU caches, which attackers can potentially access.
Two attack methods are Branch Target Injection (BTI), which involves manipulating the CPU’s branch prediction to execute unauthorized code paths, and Branch History Injection (BHI), which manipulates branch history to cause speculative execution of chosen gadgets (code paths), leading to data leakage.
Intel has already assigned CVE-2022-0001 and CVE-2022-0002 to BTI and BHI, respectively, while CVE-2024-2201 involves a new Spectre v2 exploit that works against the Linux kernel.
As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels.
Current mitigations are designed around isolating exploitable gadgets to remove the attack surface. However, the VUSec researchers, through their custom ‘InSpectre Gadget’ analysis tool, demonstrated that exploitable gadgets in the Linux kernel remain.
Microsoft has released updated guidance to mitigate CVE-2024-2201 as part of the April Patch Tuesday security updates, but the mitigations are disabled by default to allow users and admins to evaluate performance results.
For Linux distributions, various entities have responded to the situation, including Illumos, Linux Foundation, Red Hat, SUSE Linux, Triton Data Center, and Xen. Intel has also updated its mitigation recommendations for Spectre v2.
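As an added example, not code from the article or from VUSec, the following POSIX shell script shows how an administrator can check what Spectre v2 mitigation the running Linux kernel reports. It reads the real sysfs entry `/sys/devices/system/cpu/vulnerabilities/spectre_v2` and classifies the line; on kernels that carry the BHI mitigation work the line gains a trailing `BHI: ...` field (for example `BHI: BHI_DIS_S` or `BHI: Vulnerable`). The sample lines embedded below are constructed for offline demonstration, not captured from any system, and the classification labels (`mitigated-no-bhi-field` and so on) are this script's own.

```shell
#!/bin/sh
# Added example (not part of the article): classify the kernel's reported
# Spectre v2 mitigation status so a fleet check can flag hosts that lack the
# BHI mitigation. Assumes the sysfs output format of mainline kernels.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 "<sysfs line>" prints exactly one of:
#   not-affected | vulnerable | mitigated-bhi-vulnerable |
#   mitigated-no-bhi-field | mitigated | unknown
classify_spectre_v2() {
    status=$1
    case $status in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)
            # Kernels with the BHI work append a "BHI:" field; an older
            # kernel prints no such field at all and must be treated as
            # "mitigation status for BHI unknown", not as safe.
            case $status in
                *"BHI: Vulnerable"*) echo mitigated-bhi-vulnerable ;;
                *"BHI:"*)            echo mitigated ;;
                *)                   echo mitigated-no-bhi-field ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# check_host reads the live sysfs entry and returns 0 only when the kernel
# reports either "Not affected" or a mitigation that includes a BHI field.
check_host() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        line=$(cat "$SPECTRE_V2_SYSFS")
    else
        echo "sysfs entry not available: not a Linux host or kernel too old" >&2
        return 2
    fi
    result=$(classify_spectre_v2 "$line")
    echo "spectre_v2: $line"
    echo "classification: $result"
    case $result in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real system) for offline use.
SAMPLE_OLD_KERNEL="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence"
SAMPLE_BHI_OFF="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable"
SAMPLE_BHI_ON="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S"

# Run the live check only when invoked as: sh spectre_v2_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The script deliberately treats a `Mitigation:` line without any `BHI:` field as a failure: that is what a kernel predating the BHI changes prints, so such a host has not been evaluated for the new variant rather than being known safe. Kernels that carry the BHI work also accept a `spectre_bhi=` boot parameter documented in the kernel's admin guide for turning the mitigation on or off, which is what the article's note about performance trade-offs refers to on the Linux side.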