New Exploit Bypasses Existing Spectre-V2 Mitigations in Intel and Arm CPUs

Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel and Arm, and stage speculative execution attacks such as Spectre to leak sensitive information from host memory.

Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.

While chipmakers have incorporated both software and hardware defenses, including Retpoline as well as safeguards like Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2, the latest method demonstrated by VUSec researchers aim to get around all these protections.

Called Branch History Injection (BHI or Spectre-BHB), it’s a new variant of Spectre-V2 attacks (tracked as CVE-2017-5715) that bypasses both eIBRS and CSV2, with the researchers describing it as a “neat end-to-end exploit” leaking arbitrary kernel memory on modern Intel CPUs.

“The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel,” the researchers explained.

“However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more ‘interesting’ kernel targets (i.e., gadgets) that leak data,” the Systems and Network Security Group at Vrije Universiteit Amsterdam added. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *