Retbleed exploitation in realistic setting | Kaspersky official blog

In a new paper, Google researchers Matteo Rizzo and Andy Nguyen describe an improved Retbleed attack scenario. As we explained in a previous post, the original Retbleed attack exploited vulnerabilities in AMD's Zen and Zen 2 CPUs, as well as Intel's Kaby Lake and Coffee Lake CPUs. Hardware vulnerabilities of this kind are extremely difficult to exploit in realistic settings, which is why the various forms of Spectre and derivative attacks like Retbleed have remained largely theoretical. Even so, both CPU manufacturers and software developers have shipped mitigations for them. The essence of the new Google research is to show how much more effective a Retbleed attack can be made. Without fundamentally changing the attack's architecture, the researchers used particular features of AMD Zen 2 CPUs to read arbitrary data from RAM.

Retbleed in a nutshell

Like Spectre, Retbleed exploits branch prediction and speculative execution in the CPU. The branch predictor guesses where control flow will go next, which lets the processor execute instructions speculatively instead of waiting for earlier computations to finish. Sometimes the guess is wrong; the CPU then discards the results of the speculatively executed instructions and resumes from the correct point, and normally the only consequence is a slight, imperceptible slowdown of the application. The discarded work is not entirely without trace, however: data it touched can remain in the CPU cache.

In 2018, the Spectre attack showed that incorrect predictions can be used to steal secrets. This relies on two key characteristics. First, the branch predictor can be deliberately mistrained so that, during a misprediction, the CPU speculatively executes code that reads secret data; the read is eventually discarded, but it leaves that data (or a memory location that depends on it) in the CPU cache. Second, a way was found to recover this information from the cache through a side channel: by measuring how long a memory access takes, an attacker can tell whether a given location is cached, and therefore what the speculative code read (techniques such as Flush+Reload do exactly this).

Retbleed can be considered an evolution of the Spectre v2 attack: it also exploits the branch prediction system, but it hijacks a different kind of instruction. Spectre v2 poisons the predictions for indirect jumps and calls; Retbleed instead targets return instructions, whose targets are also predicted and which, under certain conditions, are predicted using the same predictor as indirect branches. This matters because retpoline, the main software defense against Spectre v2, works precisely by converting indirect branches into returns. Retbleed therefore bypasses that defense and threatens systems that relied on it. Retbleed remains difficult to implement: the demonstration by the authors of the original research, under ideal conditions, took a full 90 minutes to extract the secret (in that case a user password).
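Whether a given Linux machine is exposed, and whether the kernel applied a Retbleed-specific mitigation rather than relying on retpoline alone, can be read from the kernel's own sysfs vulnerability files. The following shell script is an added example, not code from the Google paper or from the original post; it assumes a Linux kernel new enough (5.19 or later, or a distribution backport) to expose /sys/devices/system/cpu/vulnerabilities/retbleed, and the status strings it recognizes follow the formats the kernel prints (the names VULN_DIR, classify_vuln_status, read_vuln_status, report_vulns and retbleed_ok are this example's own).

```shell
#!/bin/sh
# Added example (not from the original post): read the Linux kernel's own
# verdict on Retbleed and Spectre v2 from sysfs and reduce it to one word.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_vuln_status STATUS
# Map one sysfs status line to a short verdict. The kernel prefixes the line
# with "Not affected", "Mitigation:", "Vulnerable" or "Unknown"; for Retbleed
# on AMD it also appends the SMT state, and "SMT vulnerable" means a sibling
# hyperthread can still be abused even though the return thunk is in place.
classify_vuln_status() {
    case "$1" in
        "Not affected"*)                echo not_affected ;;
        Mitigation:*"SMT vulnerable"*)  echo mitigated_smt_exposed ;;
        Mitigation:*)                   echo mitigated ;;
        Vulnerable*)                    echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# read_vuln_status NAME
# Print the raw sysfs line for one vulnerability, or "missing" when the
# kernel does not know about it (too old, or not an x86 build).
read_vuln_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1"
    else
        echo missing
    fi
}

# report_vulns: one line per vulnerability of interest, plus any explicit
# retbleed= choice on the kernel command line, since "retbleed=off" turns
# the mitigation off deliberately and would otherwise look like a defect.
report_vulns() {
    for name in retbleed spectre_v2; do
        status=$(read_vuln_status "$name")
        printf '%-10s %-22s %s\n' "$name" "$(classify_vuln_status "$status")" "$status"
    done
    if [ -r /proc/cmdline ]; then
        opt=$(tr ' ' '\n' < /proc/cmdline | grep '^retbleed=' || true)
        if [ -n "$opt" ]; then
            printf 'cmdline    %s\n' "$opt"
        fi
    fi
}

# retbleed_ok: succeed only when the kernel reports Retbleed as fully
# handled, so the script can gate a fleet check or a CI job.
retbleed_ok() {
    case "$(classify_vuln_status "$(read_vuln_status retbleed)")" in
        not_affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Run the report only when executed directly as retbleed_check.sh,
# not when the functions are sourced by another script.
if [ "${0##*/}" = "retbleed_check.sh" ]; then
    report_vulns
    retbleed_ok
fi
```

Save it as retbleed_check.sh and run it on the host; the exit status of the script is that of retbleed_ok, so a "Vulnerable" or "SMT vulnerable" verdict fails the run. Note that a mitigated Retbleed entry does not by itself cover the Google variant described below, which the researchers report still works on Zen 2; the check tells you what the kernel believes it has done, which is the starting point for deciding whether a host should run untrusted code at all.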

What the Google researchers accomplished

The Google researchers were able to significantly accelerate a Retbleed attack. The key result of their work is that arbitrary sections of RAM can be read at 13 KB/s, and the accuracy of extracting the secret data from the cache, which is crucial for attacks of this kind, was one hundred percent. They also showed how the protections of the operating system kernel, specifically the Linux kernel, can be bypassed. Another significant improvement was the use of a technique known as Speculative ROP, which they modified to evade the very defenses designed for Spectre v2.

According to the researchers, the only real limitation of their exploit is the need to know the target's kernel configuration in advance. This is not a major hurdle, because many systems run common, standard configurations, and even an unknown configuration can be fingerprinted in a preliminary analysis.

Should we expect Retbleed attacks in the wild?

Most such attacks consider a scenario in which malicious code with low privileges runs on an ordinary computer and ends up with access to sensitive data. However, the same could be said of attacks using traditional malware. If an attacker has already managed to execute arbitrary code on a system, they do not necessarily need such complex methods for privilege escalation: there are often simpler ways to achieve the same result, such as exploiting a vulnerability in an application or in system software.

Attacks like Spectre and Retbleed pose the greatest danger to cloud systems. For a cloud provider, it is critically important that clients whose virtual machines share the same hardware cannot read other tenants' data or the hypervisor's memory. Google's researchers claim that this new variant of Retbleed allows exactly that. As a result, Google has stopped using servers with AMD Zen 2 CPUs in its own cloud services for tasks that involve clients executing arbitrary code. So they do seem to be taking this threat seriously.
