Intel CPUs are reportedly vulnerable to a new attack, described in the paper “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks”. The attack takes advantage of speculative execution in Intel CPUs and was discovered by computer scientists at Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in Germany. According to the paper, the flaw is a “novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes.”
“The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available,” says Ahmad Moghimi, one of the researchers who contributed to the paper. “Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other microarchitectural attacks.”
Intel was informed of the findings in early December last year but did not immediately respond to the researchers. An Intel spokesperson has since provided TechRadar with the following statement on the SPOILER vulnerability: “Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”
Impact of SPOILER on Rowhammer attacks in a native user-level environment
The research paper describes the Rowhammer attack as: “an attack causing cells of a victim row to leak faster by activating the neighboring rows repeatedly. If the refresh cycle fails to refresh the victim fast enough, that leads to bit flips. Once bit flips are found, they can be exploited by placing any security-critical data structure or code page at that particular location and triggering the bit flip again.”
- To perform a Rowhammer attack, the adversary needs access to DRAM rows adjacent to a victim row, and must therefore ensure that multiple virtual pages co-locate on the same bank.
- Double-sided Rowhammer attacks cause bit flips faster, owing to the extra charge induced in the cells of the victim row from both neighbouring rows, but they require access to contiguous memory pages. SPOILER boosts both single- and double-sided Rowhammer attacks: its additional 8 bits of physical address information help detect contiguous memory.
- The researchers used SPOILER to detect aliased virtual addresses whose physical addresses match in the 20 least significant bits. These bits are among those the memory controller uses to map physical addresses to DRAM banks.
- Since the majority of these bits are known through SPOILER, “an attacker can directly hammer such aliased addresses to perform a more efficient single-sided Rowhammer attack with a significantly increased probability of hitting the same bank.”
- The researchers reverse engineered the DRAM address mappings for several hardware configurations using the DRAMA tool; beyond the 20 known bits, only a few bits of physical address entropy remain unknown.
- To verify that aliased virtual addresses co-locate on the same bank, they used the row-conflict side channel.
- They observed that whenever the memory controller uses 20 or fewer physical address bits for bank mapping, the aliased addresses always hit the same bank.
See the research paper for more details on the SPOILER flaw.