Hertzbleed, nonetheless, exhibits that frequency scaling generates timing variations in computations and these could be noticed even remotely with none energy measurement interface. The novelty is that Hertzbleed works even towards so-called fixed time cryptographic implementations that had been deliberately designed to stop leaking info by way of timing evaluation.
The researchers used Hertzbleed to implement a novel chosen-ciphertext assault towards SIKE (Supersingular Isogeny Key Encapsulation), a post-quantum key encapsulation mechanism that can be a NIST competitors finalist and is applied as fixed time. The crew was capable of carry out a full key extraction by way of distant timing.
Intel printed steerage for builders of cryptographic libraries to mitigate Hertzbleed utilizing software program countermeasures. One other doable mitigation is to disable “Turbo Increase” at runtime on the system, however this has a major system-wide efficiency influence.
SQUIP (CVE-2021-46778)
SQUIP is a aspect channel assault and vulnerability impacting AMD CPUs that was disclosed in August 2022. The assault was devised by researchers from Lamarr Safety Analysis, Graz College of Know-how, and Georgia Institute of Know-how, and it exploits scheduler queues used throughout simultaneous multithreading (SMT) operations to schedule directions that might be executed in CPUs. By measuring the competition stage on scheduler queues an attacker could doubtlessly leak delicate info, AMD stated.
Zenbleed (CVE-2023-20593)
Zenbleed is a vulnerability patched in July 2013 within the Zen 2 household of AMD CPUs. The flaw was discovered by security researchers from Google and is described as a user-after-free reminiscence vulnerability however for CPUs. It’s attributable to incorrectly applied speculative execution of the SIMD Zeroupper instruction and may enable attackers to leak stale knowledge from bodily {hardware} registers. Such knowledge can embody delicate info comparable to passwords or encryption keys.
Downfall (CVE-2022-40982)
Downfall, technically known as Collect Data Sampling (GDS) by Intel, is a transient execution vulnerability disclosed in August 2023 that impacts a number of generations of Intel CPUs. Discovered by security researchers from Google, the flaw is much like Zenbleed in that it permits attackers to leak delicate knowledge belonging to different processes and customers sharing the identical CPU core as a result of stale knowledge saved in bodily {hardware} registers on account of speculative execution is forwarded to subsequent directions. The information could be extracted utilizing methods much like these utilized by Meltdown. The flaw additionally impacts the security of Intel’s Software program Guard Extensions (SGX) security subsystem.
Reptar (CVE-2023-23583)
Reptar is a 3rd CPU vulnerability discovered by Google security researchers final yr and was patched in November 2023. It impacts Intel CPUs that help a brand new function known as quick quick repeat transfer (FSRM) and can lead to privilege escalation. The flaw is attributable to the CPU microcode not ignoring redundant instruction prefixes when FSRM is lively and deciphering them in bizarre methods.
Inception (CVE-2023-20569)
Inception is a vulnerability in AMD CPUs that may result in discovered by researchers from ETH Zurich that was disclosed in August 2023 and may result in delicate info disclosure. Inception is a brand new kind of speculative execution assault that hijacks the transient control-flow of return directions and permits attackers to insert new predictions into the CPU department predictor at an attacker-controlled handle register.
SLAM
Spectre primarily based on Linear Tackle Masking (SLAM) is a proof-of-concept assault approach devised by researchers from Vrije Universiteit Amsterdam that exhibits how beforehand unexplored Spectre devices could possibly be exploited on upcoming AMD, Intel, and ARM CPUs that implement linear handle masking, a brand new security function deliberate by CPU distributors: Intel’s Linear Tackle Masking (LAM), AMD’s Higher Tackle Ignore (UAI), and ARM’s Prime Byte Ignore (TBI). SLAM is notable for being the primary speculative execution assault concentrating on CPU options that had been introduced however not but launched.
GhostRace (CVE-2024-2193)
GhostRace is a brand new kind of CPU assault disclosed in March 2024 by researchers from Vrije Universiteit Amsterdam that reap the benefits of race situations on speculatively executed code paths. The analysis exhibits that synchronization primitives applied utilizing conditional branches on the OS stage could be bypassed on speculative paths utilizing a Spectre v1 assault, doubtlessly permitting for info leaks from focused software program.
TikTag
TikTag is an assault that leverages speculative execution to bypass a brand new security function in ARM CPUs known as the Arm Reminiscence Tagging Extension (MTE). This function, when utilized by working methods, makes it tougher to use out-of-bounds reminiscence violations comparable to buffer overflows that may result in arbitrary code execution. The TikTag assault was developed by a crew of researchers from Seoul Nationwide College, Samsung Analysis and Georgia Institute of Know-how and was described in a analysis paper in June 2024. Individually, researchers from Vrije Universiteit Amsterdam already confirmed that MTE is susceptible to speculative execution probing with an assault they dubbed Spectre-MTE and proposed a proposed a mitigation known as StickyTags.
Indirector
Indirector is a brand new speculative execution assault that could be a variation of Spectre v2 and was disclosed in July 2024. The assault, developed by researchers from College of California San Diego exploits the oblique department predictor (IBP) and the department goal buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake) to carry out exact department goal injections and leak delicate knowledge throughout processes and privilege ranges.
DRAM reminiscence assaults
- Rowhammer
- Rowhammer.js
- Drammer
- Flip Feng Shui
- ECCploit
- Throwhammer
- RAMBleed
Rowhammer
Rowhammer is a bodily impact with security implications that happens inside SDRAM chips when the identical bodily row of reminiscence cells is learn for numerous occasions in speedy succession — an motion dubbed hammering. This may trigger electrical fees from cells within the hammered row to leak into adjoining rows, modifying the worth of the cells in these rows. This is named bit flipping and doable due to the elevated cell density of contemporary SDRAM chips, significantly DDR3 and DDR4.
Whereas the Rowhammer impact has been recognized or documented for a very long time, members of Google’s Undertaking Zero crew had been the primary to show it may possibly have security implications in March 2015 once they revealed two privilege escalation exploits primarily based on it.
Rowhammer.js
Rowhammer.js was an implementation of the Rowhammer assault by way of JavaScript, proving that this flaw could be exploited remotely by way of the browser, just by visiting a malicious internet web page. Browser distributors have added mitigations towards this exploit.
Drammer – CVE-2016-6728
Drammer is a Rowhammer-type exploit demonstrated in 2016 towards Android gadgets. Till then the reminiscence chips in cellular gadgets had been regarded as unaffected.
Flip Feng Shui
An implementation of the Rowhammer assault towards digital machines, the place a malicious visitor VM can flip bits within the bodily reminiscence affecting a special digital machine in a managed method. The researchers demonstrated this by breaking the OpenSSH public key authentication within the goal VM.
ECCploit
ECCploit is an assault that demonstrates that Rowhammer-type assaults can work even towards SDRAM chips which have error-correcting code (ECC) capabilities. Any such reminiscence, which is usually utilized in servers, was regarded as proof against Rowhammer.
Throwhammer
A Rowhammer assault that may be exploited over a community by leveraging the distant direct reminiscence entry (RDMA) function current in quick community playing cards like these utilized in servers.
RAMBleed
RAMBleed is the primary assault that has proven it’s doable to make use of the Rowhammer impact to steal knowledge from reminiscence cells as an alternative of merely modifying it. Earlier Rowhammer assaults compromised reminiscence integrity by way of bit flips, which may result in privilege escalation and different situations. In the meantime, RAMBleed makes use of row hammering and a side-channel with a purpose to infer details about and finally extract knowledge from adjoining reminiscence cells. In that respect it’s much like the consequences of Meltdown and Spectre.
Editor’s notice: This text, initially printed in July 2019 and amended in August 2022, has been up to date to incorporate new vulnerabilities as they arrive to gentle.
