
CPU ghost attacks are back, and vulnerabilities bypass Intel and Arm hardware protections

The latest cybersecurity research has found a new attack technique that bypasses the existing hardware protections in Intel and Arm CPUs and enables speculative execution attacks such as Spectre, which leak sensitive information from host memory.


According to the cybersecurity industry portal Jiniu.com GEEKNB.COM, attacks like Spectre aim to break the isolation between different applications and leak data from memory: they abuse speculative execution, an optimization technique in CPU hardware implementations, to trick a program into accessing arbitrary locations in memory.

While chipmakers have combined software and hardware safeguards, including Retpoline and security measures such as Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2, the latest attack method can bypass all of these protections.


Branch History Injection (BHI or Spectre-BHB), a new variant of the Spectre-V2 attack (vulnerability number CVE-2017-5715), bypasses eIBRS and CSV2; security researchers say the vulnerability can be used to leak arbitrary kernel memory on Intel CPUs.

Security researchers say the hardware mitigations do prevent unprivileged attackers from injecting prediction entries into the kernel. However, the predictors rely on a global history to select target entries for speculative execution, and an attacker can poison this history from user space to force mispredictions in the kernel that leak data via other kernel targets.

In other words, malicious code can use the shared branch history stored in the CPU's Branch History Buffer (BHB) to influence which branch target is mispredicted in the victim's hardware context, resulting in speculative execution that can then be used to infer information that should otherwise be inaccessible.

BHI could affect all Intel and Arm CPUs previously affected by Spectre-V2, prompting Intel and Arm to release software updates to address the vulnerability. Intel also recommends that customers disable Linux's unprivileged extended Berkeley Packet Filter (eBPF), enable both eIBRS and Supervisor Mode Execution Protection (SMEP), and add LFENCE to specific identified gadgets found to be exploitable.
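As an added example (not part of the original article), the following Python reads the Linux kernel's self-reported spectre_v2 status line and the unprivileged eBPF sysctl, and flags the two conditions the Intel guidance above addresses: unprivileged eBPF still allowed, and eIBRS present without a BHI-specific mitigation. The sysfs and /proc paths assume a Linux host; the sample status strings are constructed in the kernel's reporting format.

```python
"""Check Linux's reported Spectre-v2 / BHI posture against the guidance above.

Added example, not from the original article.  The kernel summarises its
Spectre-v2 state in one line under /sys/devices/system/cpu/vulnerabilities/;
newer kernels append a "BHI: ..." field.  Unprivileged eBPF is controlled by
the kernel.unprivileged_bpf_disabled sysctl (0 = allowed, 1 or 2 = disabled).
"""
import re
from pathlib import Path
from typing import Optional, Tuple

SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
UNPRIV_BPF = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def assess(spectre_v2_status: str, unpriv_bpf_disabled: int) -> dict:
    """Parse one spectre_v2 status line plus the eBPF sysctl and list findings."""
    # Older kernels separate fields with ", ", newer ones with "; ".
    parts = [p.strip() for p in re.split(r"[;,]", spectre_v2_status) if p.strip()]
    head = parts[0] if parts else ""
    fields = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    bhi = fields.get("BHI", "")
    eibrs = "Enhanced" in head or "eIBRS" in head
    findings = []
    if head.startswith("Vulnerable"):
        findings.append("kernel reports spectre_v2 as vulnerable: " + head)
    if unpriv_bpf_disabled == 0:
        findings.append("unprivileged eBPF allowed (kernel.unprivileged_bpf_disabled=0)")
    if eibrs and (not bhi or bhi.startswith("Vulnerable")):
        # eIBRS alone is what BHI bypasses; a patched kernel reports a BHI
        # field such as "BHI_DIS_S" or "SW loop" alongside it.
        findings.append("eIBRS present but no BHI-specific mitigation reported")
    return {"head": head, "eibrs": eibrs, "bhi": bhi,
            "findings": findings, "ok": not findings}


def read_live() -> Optional[Tuple[str, int]]:
    """Return the host's real values, or None when not on a Linux host."""
    if not (SPECTRE_V2.exists() and UNPRIV_BPF.exists()):
        return None
    return SPECTRE_V2.read_text().strip(), int(UNPRIV_BPF.read_text().strip())


if __name__ == "__main__":
    live = read_live()
    if live is None:  # constructed sample, in the kernel's own reporting format
        live = ("Vulnerable: eIBRS with unprivileged eBPF", 0)
    report = assess(*live)
    print(report["head"], "| BHI:", report["bhi"] or "(not reported)")
    for finding in report["findings"]:
        print(" -", finding)
    print("OK" if report["ok"] else "ACTION NEEDED")
```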
