New ‘Retbleed’ attack can swipe key data from Intel and AMD CPUs

Retbleed can leak kernel memory from Intel CPUs at 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said they could detect and leak a Linux computer’s root password hash from physical memory in about 28 minutes when running Intel CPUs and about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their predictions. After the poisoning is complete, this BPU makes false predictions that the attacker can control.

“We found that we can also inject branch targets that reside inside the kernel address-space as an unprivileged user,” the researchers wrote in a blog post. “Although we cannot access branch targets inside the kernel address-space—branching to such a target would result in a page fault—the branch prediction unit will update the branch after examining it and assume it was executed legitimately. kernel address.”

Intel and AMD respond to Retbleed

Both Intel and AMD responded with advisories. Intel has confirmed that the vulnerability exists in Skylake-generation processors that lack protection known as Enhanced Indirect Branch Restricted Speculation (eIBRS).

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance that will be available on or around today’s public disclosure date,” Intel wrote. Blog post. “Note that Windows systems are not affected as these systems use Indirect Branch Restricted Speculation (IBRS) by default, which is also available for Linux users. Intel is not aware that this issue can be exploited outside of a controlled lab environment.

AMD, meanwhile, is also there Published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending that software suppliers take additional steps to protect against Spectre-like attacks,” a spokesperson wrote in an email. The company also published a white paper.

Both the researchers’ research paper and blog post describe the microarchitectural conditions necessary to exploit retbleed:

Intel. At Intel, returns begin to behave like implicit jumps when the return stock buffer containing return target expectations underflows. This is done by running deep call stocks. In our evaluation we found over a thousand conditions that could be triggered by a system call. An indirect branch target predictor was studied for Intel CPUs Previous work.

AMD. In AMD, returns behave like an indirect branch regardless of their return address stack state. In fact, by poisoning a return instruction using an indirect jump, the AMD branch predictor assumes that it will encounter an indirect jump instead of a return and consequently predicts an indirect branch target. This means that any return we can reach via a system call is vulnerable to exploitation—and there are tons of them.

In an email, Razavi added: “Retbleed is more than just retpolin bypass on Intel, specifically AMD machines. AMD is actually going to release a white paper introducing branch type confusion based on Retbleed. Essentially, Retbleed AMD CPUs are confusing return instructions with indirect branches. This makes exploitation of returns on AMD CPUs very trivial.

The researchers measured the reductions to be between 12 percent and 28 percent higher computational overhead. Organizations relying on affected CPUs should carefully read publications from researchers, Intel and AMD and strictly follow mitigation guidelines.

This story appeared first Ars Technica.

Leave a Comment