Academic researchers from the Vrije Universiteit Amsterdam have discovered a new Spectre-based flaw in several major upcoming CPU chips, but the hardware manufacturers are seemingly unfazed by the findings.
As reported by BleepingComputer, researchers from the Systems and Network Security Group (VUSec Group) found a side-channel attack and dubbed it SLAM. It exploits hardware features being introduced in upcoming Intel, AMD, and Arm chips, allowing attackers to obtain root password hashes from kernel memory.
SLAM, short(ish) for “Spectre based on LAM”, is described as a transient execution attack leveraging a memory feature that lets software use the untranslated address bits in 64-bit linear addresses to store metadata. All three CPU manufacturers have a version of this feature: on Intel devices, it’s Linear Address Masking (LAM), on AMD, it’s Upper Address Ignore (UAI), and on Arm, it’s Top Byte Ignore (TBI).
Spectre v2 already mitigated, OEMs say
To pull off the attack, the researchers exploited a previously unanalyzed class of Spectre disclosure gadgets: code sequences that can be manipulated to trigger speculative execution that reveals sensitive information. The results of such speculative execution are usually discarded, but they leave traces (altered cache states and such) that can be observed to extract important data.
To observe the traces, the academics built a scanner and used it to find “hundreds” of exploitable gadgets in the Linux kernel.
But hardware manufacturers don’t seem to be too fazed by the findings, with the majority believing they have already addressed the issue. Arm said its systems already mitigate Spectre v2 and Spectre-BHB vulnerabilities, and as such need no additional checks. AMD’s comment was in the same vein, and the company did not bother to release new updates.
Intel, however, said it would provide software guidance before releasing new chips that support LAM.