Breaking Boundaries: Unveiling SLAM - The Covert Threat to Intel, AMD, and Arm CPUs

Researchers from the Vrije Universiteit Amsterdam have uncovered a new side-channel attack dubbed SLAM, capable of exploiting current and upcoming CPUs from Intel, AMD, and Arm. The attack exploits a feature in Intel CPUs called Linear Address Masking (LAM), as well as its analogous counterparts from AMD (Upper Address Ignore, or UAI) and Arm (Top Byte Ignore, or TBI).

SLAM serves as an end-to-end exploit for Spectre, utilizing unmasked gadgets to leak arbitrary ASCII kernel data. This could potentially lead to the leakage of sensitive information, such as the root password hash, from kernel memory within minutes.

While LAM is introduced as a security feature, the research indicates that it ironically diminishes security and significantly expands the Spectre attack surface. SLAM is a transient execution attack: it leverages speculative execution to extract sensitive data through a cache covert channel.

Described as the first transient execution attack targeting future CPUs, SLAM exploits a new covert channel based on non-canonical address translation, facilitating the practical exploitation of generic Spectre gadgets. The affected CPUs include existing AMD CPUs vulnerable to CVE-2020-12965, future Intel CPUs supporting LAM, future AMD CPUs supporting UAI and 5-level paging, and future Arm CPUs supporting TBI and 5-level paging.

Arm systems already mitigate against Spectre v2 and BHB, and AMD points to existing Spectre v2 mitigations to address the SLAM exploit. Intel plans to provide software guidance before the release of processors supporting LAM. In the meantime, Linux maintainers have developed patches to disable LAM by default.
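
As an added example (not code from the researchers or the Linux maintainers), the following Python sketch checks a Linux host for the two settings mentioned above: whether the kernel reports LAM as enabled, and whether a Spectre v2 mitigation is active. It assumes LAM appears in `/proc/cpuinfo` as the flag `lam`; the finding labels and the sample inputs are constructed for illustration.

```python
"""Audit a Linux host for the SLAM-related settings the article mentions."""
from pathlib import Path

# Constructed sample inputs for illustration, not captured from a real host.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse2 ibrs ibpb stibp lam\n"
)
SAMPLE_SPECTRE_V2 = "Vulnerable: eIBRS with unprivileged eBPF\n"


def cpu_flags(cpuinfo_text):
    """Collect feature flags from /proc/cpuinfo text (x86 'flags', arm64 'Features')."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("flags", "Features"):
            flags.update(value.split())
    return flags


def audit(cpuinfo_text, spectre_v2_text):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    # Assumption: the kernel reports Intel LAM as the cpuinfo flag "lam".
    if "lam" in cpu_flags(cpuinfo_text):
        findings.append("lam-enabled")
    # The sysfs file reports "Not affected", "Vulnerable..." or "Mitigation: ...".
    status = spectre_v2_text.strip()
    if status.startswith("Vulnerable"):
        findings.append("spectre-v2-unmitigated")
    elif not status.startswith(("Mitigation", "Not affected")):
        findings.append("spectre-v2-unknown")
    return findings


if __name__ == "__main__":
    cpuinfo = Path("/proc/cpuinfo")
    sysfs = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
    if cpuinfo.exists() and sysfs.exists():
        result = audit(cpuinfo.read_text(), sysfs.read_text())
    else:  # not on Linux: fall back to the constructed sample
        result = audit(SAMPLE_CPUINFO, SAMPLE_SPECTRE_V2)
    print(result or "nothing to review")
```
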

This revelation comes shortly after VUSec introduced Quarantine, a software-only approach to mitigate transient execution attacks. Quarantine achieves physical domain isolation by partitioning the Last Level Cache (LLC), preventing security domains from sharing core-local microarchitectural resources.
