
CPU and software vendors are targets of GhostRace attack


CPU manufacturers Intel, AMD, ARM, and IBM, as well as software vendors, are affected by a new type of attack called speculative race condition (SRC) or GhostRace, a class of vulnerability in which multiple threads (or similar concurrent execution contexts) access a shared resource without proper synchronization.

A team of researchers from IBM and VU University Amsterdam, in the Netherlands, released on Tuesday the 12th the details of the new data leak attack. According to them, GhostRace could allow threat actors to obtain sensitive information from memory, such as passwords and encryption keys, but they would need physical or privileged access to the targeted machine, and practical exploitation is, in most cases, non-trivial.

Race conditions arise when multiple threads attempt to access a shared resource at the same time, which can create vulnerabilities that can be exploited for a variety of purposes, including executing arbitrary code, bypassing security defenses, and obtaining data.

Operating systems use synchronization primitives, low-level functions or objects that software uses to coordinate access to shared resources and avoid race conditions that could affect the execution of processes or threads.

A security analysis of these primitives by researchers at IBM and VU Amsterdam showed that race conditions can be combined with speculative execution, a technique that has been frequently leveraged in recent years in CPU attacks.

“Our key finding is that all common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed in speculative paths using a Spectre-v1 attack, turning all architecturally race-free critical regions into speculative race conditions, allowing attackers to leak information of the target software,” the researchers explained in a blog post accompanying their research paper.
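The statement above concerns synchronization primitives whose acquire path is a conditional branch with no serializing instruction behind it. The following C program is an added illustration written for this page, not code from the researchers or from any affected kernel. It builds a minimal spinlock whose acquire loop is exactly such a conditional branch, guards a shared resource with it so the critical region is architecturally race-free (the multi-threaded counter always ends at the expected value), and shows where a serializing instruction would be placed in that path. The barrier choice per architecture (`lfence` on x86, `dsb sy; isb` on AArch64) and all names such as `src_lock_t` and `run_guarded_increments` are assumptions of this example; the speculative bypass itself is a microarchitectural effect and is not reproduced here.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Serializing instruction placed in the path guarded by the acquire branch, so a
 * mispredicted "lock acquired" outcome cannot continue into the critical region
 * speculatively. Architecture-specific; the fallback is a plain memory fence and
 * is NOT a speculation barrier (assumption of this example, labelled as such). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    atomic_thread_fence(memory_order_seq_cst); /* ordering only, no speculation barrier */
#endif
}

typedef struct { atomic_int locked; } src_lock_t;

/* Conditional-branch-based acquire: the loop condition is the branch that an
 * SRC would bypass. Architecturally this is race-free: only the thread whose
 * compare-and-swap installs 1 leaves the loop. */
static void src_lock(src_lock_t *l) {
    int expected = 0;
    while (!atomic_compare_exchange_weak_explicit(&l->locked, &expected, 1,
                                                  memory_order_acquire,
                                                  memory_order_relaxed)) {
        expected = 0; /* CAS failure overwrote 'expected' with the current value */
    }
    speculation_barrier(); /* serialize after the branch, in the acquire path */
}

static void src_unlock(src_lock_t *l) {
    atomic_store_explicit(&l->locked, 0, memory_order_release);
}

/* Shared resource: a heap object checked and used inside the critical region,
 * the same shape as the use-after-free the researchers target (SCUAF). */
typedef struct {
    src_lock_t lock;
    char *buf;
    long counter;
} shared_t;

typedef struct { shared_t *s; int iters; } worker_arg_t;

static void *worker(void *p) {
    worker_arg_t *a = p;
    for (int i = 0; i < a->iters; i++) {
        src_lock(&a->s->lock);
        if (a->s->buf != NULL)      /* check ... */
            a->s->counter++;        /* ... then use, both under the lock */
        src_unlock(&a->s->lock);
    }
    return NULL;
}

/* Runs nthreads workers doing iters guarded increments each and returns the
 * final counter; with a correct lock it is always nthreads * iters. */
long run_guarded_increments(int nthreads, int iters) {
    shared_t s = { .lock = { 0 }, .buf = malloc(16), .counter = 0 };
    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    worker_arg_t arg = { .s = &s, .iters = iters };
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    long result = s.counter;
    free(s.buf);
    free(tids);
    return result;
}

/* Returns 1 if the lock is free after an acquire/release pair, 0 otherwise. */
int lock_released_after_cycle(void) {
    src_lock_t l = { 0 };
    src_lock(&l);
    src_unlock(&l);
    return atomic_load(&l.locked) == 0;
}

int main(void) {
    printf("counter = %ld (expected 40000)\n", run_guarded_increments(4, 10000));
    printf("lock free after cycle: %d\n", lock_released_after_cycle());
    return 0;
}
```

The point of the example is the gap between the two properties: the counter result shows the critical region is race-free at the architectural level, which is all a conventional lock promises, while the `speculation_barrier()` call after the acquire loop is the kind of serialization the researchers say is missing from primitives implemented purely via conditional branches.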

To launch an attack and exploit a speculative race condition, the execution of the victim process must be stopped at the right point and kept there, allowing the attacker to carry out what the researchers describe as a Speculative Concurrent Use-After-Free (SCUAF) attack. They achieved this using a new technique called Inter-Processor Interrupt (IPI) Storming, which involves flooding the target process’s CPU core with interrupts.

A scan for SCUAF gadgets in the Linux kernel led to the discovery of nearly 1,300 potentially exploitable gadgets. The researchers demonstrated a SCUAF information disclosure attack on the Linux kernel, achieving a 12 KB/s (kilobytes per second) kernel memory leak.

The research focused on the x86 architecture and Linux, but the researchers said they confirmed that all major hardware vendors are affected, as is software other than Linux. “In short, any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives via conditional branches without any serialization instructions in that path and running on any microarchitecture — e.g., x86, ARM, RISC-V, etc. —, which allows conditional branches to be executed speculatively, is vulnerable to SRCs,” the researchers said.

Intel, AMD, ARM, and IBM were notified of the GhostRace attack in late 2023, which in turn notified operating system and hypervisor vendors, all of which reportedly acknowledged the issue.

In addition to a blog post from VU University and a technical paper, the researchers made available on GitHub a proof-of-concept (PoC) exploit, scripts to scan the Linux kernel for SCUAF gadgets, and a list of the gadgets they identified.

Source: CisoAdvisor
