A new side-channel attack affecting multiple generations of Intel processors has been discovered, allowing data to be leaked through the EFLAGS register.

The new attack was discovered by researchers from Tsinghua University, the University of Maryland and a computer lab (BUPT) run by the Chinese Ministry of Education and is different from most other channel attacks. lateral.

Instead of relying on the cache system like many other side-channel attacks, this new attack exploits a flaw in transient execution that allows secret data to be extracted from the user’s memory space through a temporal analysis.

The attack functions as a secondary channel to Meltdown, a critical security flaw discovered in 2018, affecting many x86-based microprocessors.

Meltdown leverages a performance optimization feature called “speculative execution” to allow attackers to bypass memory isolation mechanisms to access secrets stored in kernel memory, such as passwords, encryption keys and other private data.

The collapse was largely attenuated through software patches, microcode updates and hardware redesigns; however, no solution has solved the problem 100%, and the latest attack method may work even in fully patched systems based on hardware, software, and patch configurations.

Transient Execution Temporal Attack

The new side channel attack presented in a technical article published on Arxiv.org describes a flaw in the change of the EFLAGS register in transient execution, affecting the timing of JCC (jump on condition code) instructions.

The EFLAGS register is a CPU register that contains various flags related to the state of the processor, while the JCC instruction is a CPU instruction that allows conditional branching based on the contents of the EFLAGS register.

The attack takes place in two phases, the first being to trigger the transient execution and to encode the secret data via the EFLAGS register, and the second to measure the execution time of the KCC instruction to decode the data.

Overview of the attack
Overview of the attack (arxiv.org)

Experimental data showed that the attack achieved 100% data recovery (leakage) for Intel i7-6700 and Intel i7-7700 processors and had some success against the newer Intel i9-10980XE processor. The experiment was conducted on Ubuntu 22.04 jammy with Linux kernel version 5.15.0.

Pseudocode to time transient execution attack
Pseudocode to time transient execution attack (arxiv.org)

However, the researchers note that this timing attack is not as reliable as cache-state side-channel methods, and to achieve better results in recent chips, the attack would need to be repeated thousands of times.

“In our experience, we have found that the influence of the EFLAGS register on Jcc instruction execution time is not as persistent as the cache state,” reads the evaluation part. experimental data.

“For about 6-9 cycles after the transient run, the Jcc run time will not be about to build a side channel. Empirically, the attack should repeat thousands of times for greater accuracy.

The researchers admit that the root causes of the attack remain elusive and hypothesize that there is a buffer in the Intel processor’s execution unit, which needs time to come back if the execution needs to be removed, a process that causes a deadlock if the next instruction depends on the buffer target.

However, they still offer non-trivial mitigations, such as modifying the implementation of the JCC instruction to make it impossible to measure adversarial execution under all conditions, or rewriting the EFLAGS after transient execution to reduce its influence on the JCC instruction.


Source link