December 6, 2023 at 07:57PM
Researchers at VUSec discovered “SLAM,” a side-channel attack exploiting memory features in future CPUs from Intel, AMD, and Arm, to leak sensitive information like root password hashes. Despite the intended security improvements, these features inadvertently enable SLAM by not checking address canonicality, creating micro-architectural race conditions. Existing defenses are deemed sufficient by AMD and Arm, while Intel plans to issue software guidance for mitigating SLAM upon the release of vulnerable CPUs.
Meeting Takeaways:
1. A new side-channel attack, named SLAM, has been discovered by academic researchers from the Vrije Universiteit Amsterdam’s Systems and Network Security Group. This attack could allow for the extraction of root password hashes from kernel memory.
2. SLAM targets upcoming CPU designs from Intel, AMD, and Arm that employ memory management features known as Linear Address Masking (LAM), Upper Address Ignore (UAI), and Top Byte Ignore (TBI), respectively.
3. The attack is a transient execution one that takes advantage of memory features which use untranslated address bits in 64-bit linear addresses for storing metadata, leading to micro-architectural race conditions that can be exploited.
4. The vulnerability affects mainly future processors that do not perform strong canonicality checks.
5. SLAM relies on “unmasked” gadgets, which are common in software code, to leak sensitive information from the kernel such as ASCII strings.
6. Researchers have developed a scanner that found hundreds of exploitable gadgets in the Linux kernel, and they’ve demonstrated the attack in a video.
7. To exploit SLAM in practice, an attacker needs to run code that interacts with these gadgets on the target system and then use sophisticated algorithms to measure side effects and extract sensitive information.
8. The code and data required for reproducing the SLAM attack are publicly available on VUSec’s GitHub repository, with a detailed technical paper also published.
9. SLAM affects certain existing AMD CPUs, as well as future CPUs from AMD, Intel, and Arm that support UAI, LAM, and TBI, respectively, together with 5-level paging.
10. In response to the discovery:
– Arm has issued an advisory and considers its Spectre v2 and Spectre-BHB mitigations sufficient, planning no further action.
– AMD referred to current Spectre v2 mitigations and no additional guidance or updates were provided.
– Intel is planning to provide software guidance and is considering deploying future processors with the LASS security extension that prevents speculative address accesses across different modes.
11. Currently, Linux developers have created patches to disable LAM in response to the lack of further guidance.
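To make points 3, 4 and 11 concrete, here is an added illustration (not code from the summary, from VUSec, or from any vendor) of what “not checking address canonicality” means for a pointer that carries metadata in its upper bits. It models three checks: the classic strict canonical-address check and two masked checks whose bit positions follow Intel’s public LAM description (LAM48 ignores bits 62:48, LAM57 ignores bits 62:57). The 6-bit tag layout in bits 62:57 and the rule that the masked bits are treated as copies of bit 63 when forming the translated address are assumptions of this model, not statements from the page.

```c
/* Added example, not code from the original summary or from VUSec: a small
 * model of the difference between a strict canonical-address check and a
 * "masked" check that ignores untranslated upper bits so software can keep
 * metadata (tags) in them. Bit positions follow Intel's public LAM description
 * (LAM48 ignores bits 62:48, LAM57 ignores bits 62:57); treating the ignored
 * bits as copies of bit 63 when forming the translated address is an
 * assumption of this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CHECK_STRICT48, CHECK_LAM48, CHECK_LAM57 } check_mode_t;

/* Classic canonical form: bits 63..(va_bits-1) must all be equal. */
static bool is_canonical(uint64_t addr, unsigned va_bits) {
    int64_t top = (int64_t)addr >> (va_bits - 1); /* arithmetic shift */
    return top == 0 || top == -1;
}

/* The single bit the masked check still compares against bit 63; everything
 * in between is ignored, which is what lets a tag ride along in the pointer. */
static unsigned top_translated_bit(check_mode_t mode) {
    return mode == CHECK_LAM57 ? 56 : 47;
}

/* Does the CPU (as modelled) accept this address without faulting? */
static bool address_accepted(uint64_t addr, check_mode_t mode) {
    if (mode == CHECK_STRICT48)
        return is_canonical(addr, 48);
    unsigned b = top_translated_bit(mode);
    return ((addr >> 63) & 1) == ((addr >> b) & 1);
}

/* The address the MMU would actually translate: masked bits replaced with
 * copies of bit 63 (model assumption); unchanged under the strict check. */
static uint64_t effective_address(uint64_t addr, check_mode_t mode) {
    if (mode == CHECK_STRICT48)
        return addr;
    unsigned b = top_translated_bit(mode);
    /* bits 62..b+1 */
    uint64_t mask = ((UINT64_C(1) << 63) - 1) & ~((UINT64_C(1) << (b + 1)) - 1);
    return (addr >> 63) ? (addr | mask) : (addr & ~mask);
}

/* Software-side tagging (constructed layout): a 6-bit tag in bits 62:57,
 * a range ignored by both LAM modes above but rejected by the strict check. */
static uint64_t tag_pointer(uint64_t addr, uint8_t tag6) {
    return (addr & ~(UINT64_C(0x3F) << 57)) | ((uint64_t)(tag6 & 0x3F) << 57);
}

static uint8_t pointer_tag(uint64_t tagged) {
    return (uint8_t)((tagged >> 57) & 0x3F);
}

int main(void) {
    /* Constructed sample: a typical user-space address and the same pointer
     * carrying the tag 0x2A. Only the strict check rejects the tagged form. */
    uint64_t user = UINT64_C(0x00007f0012345678);
    uint64_t tagged = tag_pointer(user, 0x2A);
    check_mode_t modes[] = { CHECK_STRICT48, CHECK_LAM48, CHECK_LAM57 };
    const char *names[] = { "strict-48", "LAM48", "LAM57" };

    printf("tagged pointer: 0x%016llx (tag 0x%02x)\n",
           (unsigned long long)tagged, pointer_tag(tagged));
    for (int i = 0; i < 3; i++)
        printf("%-9s accepted=%d effective=0x%016llx\n", names[i],
               address_accepted(tagged, modes[i]),
               (unsigned long long)effective_address(tagged, modes[i]));
    return 0;
}
```

The defender-relevant observation is the last two rows of the output: a pointer that a strict canonicality check would refuse outright is accepted by the masked checks and translated as if the tag were not there. That is the behaviour the takeaways describe as removing a check that software previously relied on, and it is why disabling the masking feature (point 11) restores the strict behaviour.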
Actions recommended:
– Monitor for further updates from CPU vendors, particularly Intel, regarding mitigations for the SLAM attack.
– Implement Linux patches to disable LAM as an immediate protective measure.