Retbleed can leak kernel memory from Intel CPUs at approximately 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs at a bandwidth of 3.9 kB per second. The researchers said it is able to locate and leak the root password hash of a Linux computer from physical memory in about 28 minutes when using the Intel CPUs and in about six minutes for AMD CPUs.
Retbleed works by using code that essentially poisons the branch prediction unit (BPU) that CPUs rely on to make their guesses. Once the poisoning is complete, the BPU makes erroneous predictions that the attacker can control.
“We found that we can inject branch targets that reside in the kernel address space, even as an unauthorized user,” the researchers wrote in a blog post. “While we can’t access branch targets in the kernel address space – branching to such a target will result in a page fault – the Branch Prediction Unit will update itself when observing a branch and assume it was executed legally, even if it is a kernel address.”
Intel and AMD respond
Both Intel and AMD have responded with recommendations. Intel has confirmed the vulnerability exists on Skylake generation processors that do not have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS).
“Intel has been working with the Linux community and VMM vendors to provide customers with software mitigation guidelines that should be available on or around today’s release date,” Intel wrote in a statement. “Note that Windows systems are not affected as these systems use Indirect Branch Restricted Speculation (IBRS) by default, which is also the mitigation made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”
AMD has meanwhile also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD recommends software vendors take additional measures to protect against Spectre-like attacks,” a spokesperson wrote in an email. The company has also published a white paper.
Both the research paper and the researchers’ blog post explain the micro-architectural prerequisites needed to exploit Retbleed:
Intel: On Intel, returns begin to behave like indirect jumps when the Return Stack Buffer, which contains return target predictions, underflows. This happens when executing deep call stacks. In our evaluation, we found over a thousand such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in previous work.
AMD: On AMD, returns will behave as an indirect branch regardless of the state of their return address stack. By poisoning the return instruction with an indirect jump, the AMD branch predictor will even assume that it will encounter an indirect jump instead of a return and thus predict an indirect branch target. This means that any return we can achieve through a system call can be exploited – and there are tons of them.
In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, especially on AMD machines. AMD is going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed will take care of it, in that AMD CPUs confuse return instructions with indirect branches, making exploiting returns very trivial on AMD CPUs.”
The mitigation comes at a cost: the researchers measured between 12 and 28 percent additional computational overhead. Organizations that rely on affected CPUs should carefully read the publications of the researchers, Intel and AMD and follow the guidelines for mitigation.
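As an added, defender-side example (not code from the article, the researchers, Intel or AMD), the following POSIX shell script reads the Linux kernel's own Retbleed status report and checks for the eIBRS CPU flag the article singles out. It assumes a kernel carrying the Retbleed reporting patches, which expose /sys/devices/system/cpu/vulnerabilities/retbleed; on older kernels the file is absent and the host is reported as unknown.

```shell
#!/bin/sh
# Added example, not code from the article or the Retbleed authors. Reads the
# kernel's Retbleed status from sysfs and the CPU flags from /proc/cpuinfo.
# Assumption: a Linux kernel that ships the Retbleed reporting patches; older
# kernels lack the sysfs file and are reported as "unknown".
RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_status STRING: map the kernel's free-form status line to one word.
# The kernel's strings begin with "Not affected", "Mitigation: ..." or "Vulnerable...".
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cpu_has_flag FLAGS NAME: true when NAME appears in a space-separated flag list.
# "ibrs_enhanced" is the eIBRS flag; the article notes that Intel parts without
# eIBRS (the Skylake generation) are the affected ones.
cpu_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_host: print the Retbleed status and whether eIBRS is present. Always
# returns 0 so it can be dropped into inventory scripts that run under set -e.
check_host() {
    if [ ! -r "$RETBLEED_SYSFS" ]; then
        echo "retbleed: unknown (no $RETBLEED_SYSFS; kernel predates Retbleed reporting?)"
        return 0
    fi
    status=$(cat "$RETBLEED_SYSFS")
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2 || true)
    echo "retbleed: $(classify_status "$status") ($status)"
    if cpu_has_flag "$flags" ibrs_enhanced; then
        echo "eIBRS: present"
    else
        echo "eIBRS: absent (affected Skylake-generation Intel parts fall here)"
    fi
    return 0
}

check_host
```

A "mitigated" result on Intel still carries the IBRS overhead the article quotes, so the status line is worth recording alongside performance baselines.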
This story originally appeared on Ars Technica.