Again security issues with CPUs!
The SPECTRE problem has hardly been digested and there is already a new nightmare ahead for users of Intel, AMD and ARM CPUs.
As researchers at the universities in Saarland, Germany and in California have found, there are two main variants that breach security…
With ret2spec, Saarland University has discovered that the so-called Spectre v5 method is able to manipulate the RSB (Return Stack Buffer) in a way that reads out even protected memory areas. Intel, AMD and ARM have already confirmed this security flaw. However, there is no CVE tracking number yet under which they would investigate this problem.
The University of California, Riverside (UCR) has independently found a similar method, SpectreRSB.
ret2spec can be applied via prepared websites that use malicious JavaScript or WebAssembly code. However, since Spectre was discovered earlier, most browsers that were patched against Spectre also appear largely resistant to the new security issues from ret2spec.
For a proof of concept, they used a modified high-resolution timer, as this security issue depends on very exact timestamps. Firefox 59 with an altered timer scheme was used for this. However, there are also other methods for very exact time measurement.
The security issue results from predicted return addresses (the "backloop addresses" the CPU speculates on) that are used to optimize run time. If an attacker can obtain one of these return addresses, he can also obtain control over the executed program code and thus gain access to the protected memory area.
This can be used to read out passwords from browser sessions or to capture keystrokes. Both variants can be considered a Reverse Spectre, as they also make use of return addresses and not just predicted forward memory jump addresses.
SpectreRSB is another similar variant, discovered at the UCR. It also misuses the RSB in order to gain access to protected memory areas of processes. SpectreRSB is also able to reach across virtual remote hosts, which allows a widespread infection. Since more and more data centers are switching to virtual hosts, the result of SpectreRSB could be fatal.
Luckily there’s a linux patch already available to deal with this problem.
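One practical way to check whether a Linux system already carries this mitigation is to read the kernel's Spectre v2 status line, which lists "RSB filling" when the kernel stuffs the Return Stack Buffer on context switches. The script below is an added example, not part of the original post; it assumes the sysfs path and the "RSB filling" token as current kernels report them, and the test input is a constructed sample line.

```shell
#!/bin/sh
# Classify the kernel's reported Spectre v2 mitigation state with respect to
# Return Stack Buffer (RSB) stuffing, the mitigation relevant to ret2spec /
# SpectreRSB. Assumption: Linux exposes the status at the path below and
# recent kernels include the token "RSB filling" in that line.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# rsb_status FILE
# Prints exactly one of:
#   not-affected      kernel reports the CPU as not affected by Spectre v2
#   rsb-filled        a mitigation is active and the RSB is stuffed
#   mitigated-no-rsb  a mitigation is reported, but no RSB filling
#   vulnerable        kernel reports the system as vulnerable
#   unknown           file missing/unreadable or unrecognised format
rsb_status() {
    file="$1"
    [ -r "$file" ] || { echo unknown; return 0; }
    line=$(cat "$file")
    case "$line" in
        "Not affected"*)   echo not-affected ;;
        *"RSB filling"*)   echo rsb-filled ;;
        Mitigation:*)      echo mitigated-no-rsb ;;
        Vulnerable*)       echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# When run directly, report the live system (prints "unknown" off Linux).
echo "spectre_v2 RSB status: $(rsb_status "$SPECTRE_V2_SYSFS")"
```

A result of `mitigated-no-rsb` or `vulnerable` is the signal to update the kernel; `unknown` on a Linux host usually means a kernel too old to expose the sysfs entry at all.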