Another vulnerability has been identified in AMD processors that allows attacks of the Meltdown class

A group of researchers from the Graz University of Technology (Austria) and the Helmholtz Center for Information Security (CISPA) has disclosed a vulnerability (CVE-2021-26318) in all AMD processors that allows side-channel attacks of the Meltdown class (it was originally assumed that AMD processors were not affected by the Meltdown vulnerability). From a practical point of view, the attack can be used to set up covert data transmission channels, monitor activity in the kernel, or obtain information about addresses in kernel memory in order to bypass address-randomization protection (KASLR) while exploiting vulnerabilities in the kernel.

AMD considers it inappropriate to take special measures to block the problem, since the vulnerability, like the similar attack identified in August, is of little use in real conditions: it is limited to the current boundaries of the process's address space and requires the presence of certain ready-made sequences of instructions (gadgets) in the kernel. To demonstrate the attack, the researchers loaded their own kernel module with an artificially added gadget. In real conditions, to place the necessary sequences in the kernel, attackers could use, for example, the regularly emerging vulnerabilities in the eBPF subsystem.

To protect against this new type of attack, AMD has recommended secure coding techniques that help block Meltdown attacks, such as the use of LFENCE instructions. The researchers who identified the issue recommend enabling stricter isolation of kernel page tables (KPTI), which was previously only used on Intel processors.

During the experiment, the researchers managed to leak information from the kernel to a process in user space at a rate of 52 bytes per second, using a gadget in the kernel that performs the operation "if (offset < data_len) tmp = LUT[data[offset] * 4096];". Several methods have been proposed for retrieving, through side channels, the information that lands in the cache during speculative execution. The first method is based on analysing variations in the execution time of the processor's "PREFETCH" instruction (Prefetch+Time), and the second is based on changes in power consumption while "PREFETCH" is executed (Prefetch+Power).
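The following is an added example and not code from the article or from the researchers: it places the gadget pattern quoted above beside a hardened version that applies AMD's LFENCE guidance, together with the branch-free index clamp used by the Linux kernel's array_index_nospec() for the same purpose. The buffer contents, the function names (lookup_unsafe, lookup_hardened, index_mask_nospec) and the LUT layout are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DATA_LEN    16
#define LUT_ENTRIES 256
#define STRIDE      4096  /* one page per entry, as in the quoted gadget */

/* Constructed sample input. In the real gadget `data` is kernel memory
 * and `offset` arrives from an untrusted caller. */
static const uint8_t data[DATA_LEN] = {
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
    0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0, 0xf0, 0x00
};
static uint8_t LUT[LUT_ENTRIES * STRIDE];

/* Fill the first byte of each LUT page with a recognisable value. */
void init_lut(void) {
    for (size_t i = 0; i < LUT_ENTRIES; i++)
        LUT[i * STRIDE] = (uint8_t)(i ^ 0x5a);
}

/* The gadget pattern quoted in the article. Architecturally the bounds
 * check is correct, but while `offset < data_len` is still unresolved the
 * CPU may speculatively run the load with an out-of-range offset, read a
 * byte beyond `data` and touch the LUT page selected by that byte; the
 * cache footprint survives when the mis-speculation is squashed. */
uint8_t lookup_unsafe(size_t offset, size_t data_len) {
    uint8_t tmp = 0;
    if (offset < data_len)
        tmp = LUT[data[offset] * STRIDE];
    return tmp;
}

/* LFENCE serialises instruction issue on x86: nothing after it executes
 * until the preceding branch has resolved (AMD's recommendation in the
 * article). On other architectures this degrades to a compiler barrier,
 * which is NOT a speculation barrier. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Branch-free mask: all ones when idx < size, zero otherwise. Modelled on
 * the Linux kernel's array_index_mask_nospec(); the x86 version uses
 * cmp/sbb so the compiler cannot turn it back into a predicted branch. */
size_t index_mask_nospec(size_t idx, size_t size) {
#if defined(__x86_64__) || defined(__i386__)
    size_t mask;
    __asm__ ("cmp %1, %2\n\t"
             "sbb %0, %0"
             : "=r"(mask) : "r"(size), "r"(idx) : "cc");
    return mask;
#else
    return (size_t)0 - (size_t)(idx < size);  /* may compile to a branch */
#endif
}

/* Hardened form. The barrier alone is sufficient; the mask is shown as the
 * cheaper alternative the kernel prefers on hot paths. Either way the
 * speculative load can only ever use an in-range offset. */
uint8_t lookup_hardened(size_t offset, size_t data_len) {
    uint8_t tmp = 0;
    if (offset < data_len) {
        speculation_barrier();
        offset &= index_mask_nospec(offset, data_len);
        tmp = LUT[data[offset] * STRIDE];
    }
    return tmp;
}

int main(void) {
    init_lut();
    printf("in-bounds offset 3:     unsafe=0x%02x hardened=0x%02x\n",
           lookup_unsafe(3, DATA_LEN), lookup_hardened(3, DATA_LEN));
    printf("out-of-bounds offset 100: unsafe=0x%02x hardened=0x%02x\n",
           lookup_unsafe(100, DATA_LEN), lookup_hardened(100, DATA_LEN));
    printf("mask(3,16)=%zx mask(100,16)=%zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(100, 16));
    return 0;
}
```

Both variants return identical results for every architecturally valid call; the difference is only in what the processor is allowed to do before the comparison retires, which is exactly the window the article's gadget exploits. Checking that a barrier or mask is present on the bounds check of every untrusted index is the code-review rule AMD's guidance boils down to.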

Recall that the classic Meltdown vulnerability is based on the fact that during the speculative execution of instructions the processor can access a private data area and then discard the result, because the privilege level forbids such access from a user process. In a program, the speculatively executed block is separated from the main code by a conditional jump which in practice is always taken, but because the condition depends on a value that the processor does not yet know during speculative execution, both branch outcomes are executed speculatively.

Since speculatively executed operations use the same cache as normally executed instructions, it is possible during speculative execution to set markers in the cache that reflect the contents of individual bits in a private memory area, and then, in normally executing code, determine their value through timing analysis of accesses to cached and uncached data.

Source: opennet.ru