Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.
Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.
Is it a trampoline or a slingshot?
Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called “gadget” code, which in turn creates data to leak through a side channel.
Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.
The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.
“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB [return stack buffer] before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”
In an email, Razavi explained it this way:
Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2.
Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with.
In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.
Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about 6 minutes for AMD CPUs.
Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.
“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it’s to a kernel address.”