Retbleed can leak kernel memory from Intel CPUs at around 219 bytes per second with 98 percent accuracy. Exploitation can extract kernel memory from AMD CPUs with a bandwidth of 3.9 KB per second. The researchers said it is able to locate and leak a Linux computer's root password hash from physical memory in about 28 minutes on Intel CPUs and in about six minutes on AMD CPUs.
Retbleed works by using code that essentially poisons the branch prediction unit (BPU) that CPUs rely on to make their guesses. Once the poisoning is complete, the BPU will make mispredictions that the attacker can observe.
"We found that we can inject branch targets that reside inside the kernel's address range even as an unprivileged user," the researchers wrote in a blog post. "Although we cannot access branch targets inside the kernel address space – branching to such a target results in a page fault – the Branch Prediction Unit will update itself when it observes a branch and assume it was legally executed, even if it is to a kernel address."
Intel and AMD respond
Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that do not have the protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.
"Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance that should be available on or around today's release date," Intel wrote in a blog post. "Note that Windows systems are not affected, as these systems use Indirect Branch Restricted Speculation (IBRS) by default, which is also the mitigation made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled laboratory environment."
AMD, meanwhile, has also published guidance. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD recommends software vendors consider further steps to help protect against Spectre-like attacks," a spokesman wrote in an email. The company has also published a white paper.
Both the researchers' paper and blog post explain the microarchitectural conditions needed to exploit Retbleed:
Intel. On Intel, returns begin to behave like indirect jumps when the Return Stack Buffer, which holds return target predictions, underflows. This is done by executing deep call stacks. In our evaluation, we found over a thousand such states that can be triggered by a system call. The indirect branch target predictor of Intel CPUs has been studied in prior work.
AMD. On AMD, returns will behave as an indirect branch regardless of the state of the return address stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return, and consequently predict an indirect branch target. This means that any return that we can reach through a system call can be exploited – and there are tons of them.
In an email, Razavi added: "Retbleed is more than just a retpoline bypass on Intel, especially on AMD machines. AMD will actually publish a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed on AMD CPUs confuses return instructions with indirect branches. This makes the exploitation of returns very trivial on AMD CPUs."
The mitigations will come at a price that the researchers measured to be between 12 percent and 28 percent additional computational overhead. Organizations that rely on affected CPUs should carefully read the publications of the researchers, Intel, and AMD, and make sure to follow the guidance on mitigation.
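Following the vendors' guidance is only useful if an administrator can confirm it took effect on each host. The Linux kernel reports its Retbleed mitigation state through a per-vulnerability sysfs file, so the check below, an added example that is not from the article, the researchers, Intel or AMD, reads that file and classifies the result. The sysfs path and the "Not affected" / "Mitigation: ..." / "Vulnerable" line prefixes are the kernel's convention; the sample lines in SAMPLE_LINES are constructed for illustration and are not claimed to be exact kernel output.

```python
"""Report the Linux kernel's Retbleed mitigation state from sysfs.

Added example, not from the article or the Retbleed authors.  Assumes a
kernel new enough to expose the 'retbleed' sysfs entry; on older kernels the
file is missing, which is itself a finding worth flagging.
"""

# Path used by the kernel for the per-vulnerability status line.
RETBLEED_SYSFS = "/sys/devices/system/cpu/vulnerabilities/retbleed"


def classify(status_line: str) -> dict:
    """Turn one sysfs status line into a structured verdict.

    Returns {"state": "not_affected" | "mitigated" | "vulnerable" | "unknown",
             "detail": text after the prefix (empty if none)}.
    """
    text = status_line.strip()
    if text.startswith("Not affected"):
        return {"state": "not_affected", "detail": ""}
    if text.startswith("Mitigation:"):
        # e.g. which mitigation is active (eIBRS, IBRS, return thunk, ...)
        return {"state": "mitigated", "detail": text[len("Mitigation:"):].strip()}
    if text.startswith("Vulnerable"):
        # The kernel may append a reason after a colon; keep it for the report.
        return {"state": "vulnerable", "detail": text.partition(":")[2].strip()}
    return {"state": "unknown", "detail": text}


def read_status(path: str = RETBLEED_SYSFS) -> dict:
    """Read and classify the live status; a missing file means the running
    kernel predates the Retbleed entry (or this is not Linux)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return classify(fh.read())
    except (FileNotFoundError, NotADirectoryError, PermissionError) as exc:
        return {"state": "unknown", "detail": f"cannot read {path}: {exc}"}


def needs_attention(verdict: dict) -> bool:
    """True when the host should be escalated: vulnerable, or state unknown."""
    return verdict["state"] not in ("not_affected", "mitigated")


# Constructed sample lines in the kernel's format (illustrative, not verbatim).
SAMPLE_LINES = [
    "Not affected",
    "Mitigation: Enhanced IBRS",
    "Mitigation: untrained return thunk; SMT enabled with STIBP protection",
    "Vulnerable",
    "Vulnerable: constructed reason for illustration",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:72} -> {classify(line)}")
    live = read_status()
    print("this host:", live)
    # Non-zero exit lets a fleet-wide job pick out hosts that need follow-up.
    raise SystemExit(1 if needs_attention(live) else 0)
```

The exit status makes the script usable from configuration management or a cron job across a fleet; treating "unknown" as needing attention errs on the side of catching hosts whose kernel never learned about Retbleed.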
This story originally appeared on Ars Technica.