Researchers from VUSec (Vrije Universiteit Amsterdam) have disclosed a new side-channel attack called SLAM (Spectre based on LAM) that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.

The research paper, titled ‘Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation’, demonstrates how certain architectural extensions increase the number of potential Spectre gadgets by exploiting the side effects of using non-canonical addresses in the processor’s Translation Lookaside Buffer (TLB).

In practice, this means that malicious instructions can cause data to be read directly from kernel memory, including passwords, tokens, and other sensitive information.

The root of the newly discovered vulnerability lies in how modern CPUs let software store metadata in the upper bits of 64-bit linear addresses. CPU vendors implement this approach in different ways and use distinct names for it: Intel calls it Linear Address Masking (LAM), AMD calls it Upper Address Ignore (UAI), and Arm refers to the feature as Top Byte Ignore (TBI).

What are Spectre Gadgets?

In the software industry, the term “gadget” is used to describe computer programs that provide services without needing an independent application to be launched for each one, but instead run in an environment that manages multiple gadgets.

Spectre is one of the two original transient execution CPU vulnerabilities (the other being Meltdown), which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation to speed up the processing of data.

A Spectre gadget is a vulnerable code pattern that can be exploited as part of a Spectre attack. Typically, a Spectre gadget is a sequence of instructions ending in a conditional or indirect branch that can be influenced by an attacker to mispredict in a way that leaks confidential information. These gadgets can be present in any software written in any programming language.

How does SLAM work?

SLAM focuses on exploiting a common but previously unexplored class of Spectre disclosure gadgets.

Standard disclosure gadgets (called “masked” gadgets) involve code snippets that use secret data to index into an array.

As this is a relatively uncommon code pattern, regular software does not contain many standard Spectre gadgets. At the time of writing, the Linux kernel is believed to contain no such gadgets that are exploitable by SLAM.

However, SLAM targets a different kind of code pattern, namely pointer-chasing snippets. These give rise to so-called “unmasked” gadgets, which use secret data as a pointer rather than as an array index. This is a very common code pattern, and as such unmasked gadgets are widespread in regular software.

The researchers at VUSec built a gadget scanner that found tens of thousands of such gadgets in the Linux kernel, of which at least hundreds are exploitable.
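As an added illustration in C of the masked and unmasked gadget shapes described above (constructed for this article, not code from the SLAM paper, the VUSec scanner or the Linux kernel): the array and list names are assumptions, and the branchless index clip is modelled on the Linux `array_index_nospec()` helper to show the hardened form of the array-index pattern.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not code from the SLAM paper or the Linux kernel,
 * of the two disclosure-gadget shapes the article contrasts. Nothing here
 * leaks anything by itself; these are the shapes a gadget scanner looks for. */

#define LINE 64
static uint8_t table[16];                 /* data readable within bounds */
static uint8_t probe[256 * LINE];         /* attacker-observable cache lines */
struct node { struct node *next; uint8_t v; };
static struct node tail = { NULL, 42 };   /* constructed sample list */
static struct node head = { &tail, 0 };
static struct node *slots[16] = { &head };

/* "Masked" gadget: a loaded byte is masked and used as an ARRAY INDEX, so the
 * dependent load address stays canonical. Rare in real code. */
uint8_t masked_gadget(size_t idx, size_t len) {
    if (idx < len)                        /* mispredictable bounds check */
        return probe[(table[idx] & 0xff) * LINE];
    return 0;
}

/* "Unmasked" gadget (pointer chasing): the loaded value is used as a POINTER
 * with no masking, so its upper bits go straight into the address. Common in
 * real code; under LAM/UAI/TBI those bits are ignored rather than faulting. */
uint8_t unmasked_gadget(size_t idx, size_t len) {
    if (idx < len)
        return slots[idx]->next->v;       /* two dependent loads on the value */
    return 0;
}

/* Branchless clip in the style of Linux's array_index_nospec(): ~0 when
 * idx < len, else 0, with no branch for speculation to skip. Assumes both
 * values are below 2^63. */
static inline size_t index_mask_nospec(size_t idx, size_t len) {
    uint64_t top = ((uint64_t)idx | ((uint64_t)len - 1 - (uint64_t)idx)) >> 63;
    return (size_t)(top - 1);             /* top==0 -> all ones, top==1 -> 0 */
}

/* Hardened shape: on the mispredicted path idx is forced to 0, so the
 * secret-dependent load never reaches out-of-bounds data. */
uint8_t masked_gadget_hardened(size_t idx, size_t len) {
    if (idx < len) {
        idx &= index_mask_nospec(idx, len);
        return probe[(table[idx] & 0xff) * LINE];
    }
    return 0;
}
```

The clip removes the speculative out-of-bounds read that the array-index shape depends on; the pointer-chasing shape has no such index to clip, which is why the unmasked pattern is both common and harder to scan for.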

SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data. In the video below, the root password hash is leaked within half a minute on a last-generation Ubuntu system.