New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs



Retbleed is able to leak kernel memory from Intel CPUs at a rate of approximately 219 bytes per second with 98 percent accuracy. On AMD processors, the exploit extracts kernel memory at a rate of 3.9 kB/second. The researchers said that it is capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes on Intel CPUs and in about six minutes on AMD CPUs.

Retbleed is a method that poisons the branch prediction units (BPUs) that CPUs depend on to make their predictions. Once the poisoning is complete, the BPU makes mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it’s to a kernel address.”

Intel and AMD respond

Both AMD and Intel have issued advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today’s public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. AMD has also published a whitepaper.

The researchers’ paper and blog post both explain the microarchitectural conditions necessary to exploit Retbleed:

Intel. When the Return Stack Buffer (which holds target return predictions) is low, Intel returns begin to behave like indirect jumps. Executing deep call stacks can cause this. We found more than a thousand conditions that could be triggered by system calls in our evaluation. The indirect branch target predictor in Intel CPUs was studied in previous work.

AMD. AMD will treat returns as an indirect branch, regardless of whether they are in the Return Address Stack. By poisoning the return instruction with an indirect jump, the AMD branch prediction will assume it will encounter a return instead of a jump and predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them.

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, especially on AMD machines. AMD will release a whitepaper introducing Branch Type Confusion, based on Retbleed. Retbleed causes AMD CPUs to confuse indirect branches with return instructions. This makes exploitation of returns very trivial on AMD CPUs.”

Researchers estimated that mitigations would result in a 12 percent to 28 percent increase in computational overhead. Companies that depend on the affected CPUs are advised to carefully read the published papers from Intel and AMD and to ensure they follow the mitigation guidance.
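The practical question for an administrator is whether a given Linux host is reporting a Retbleed mitigation and whether its CPU advertises the eIBRS feature that Intel's advisory names. The script below is an added example, not code from Ars Technica, the researchers, Intel or AMD. It assumes a Linux host whose kernel exposes the sysfs vulnerabilities interface at `/sys/devices/system/cpu/vulnerabilities/retbleed` and reports eIBRS through the `ibrs_enhanced` flag in `/proc/cpuinfo`; the classification only keys on the `Not affected`, `Mitigation:` and `Vulnerable` prefixes so it tolerates the varying detail text that follows them.

```shell
#!/bin/sh
# Added example (not from the article, the researchers, Intel or AMD).
# Reports what the running Linux kernel says about Retbleed and whether the
# CPU advertises enhanced IBRS. Assumes the sysfs vulnerabilities interface.

RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# Reduce the kernel's one-line status string to a short verdict:
#   unaffected  - kernel says this CPU is not affected
#   mitigated   - some mitigation (IBRS, eIBRS, return thunk, ...) is active
#   vulnerable  - kernel reports the CPU as exposed, possibly with a reason
#   unknown     - anything else, e.g. an old kernel without the sysfs file
classify_retbleed_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Given the contents of a /proc/cpuinfo "flags" line, say whether eIBRS is
# advertised. Intel exposes it as the "ibrs_enhanced" flag; the article notes
# that the affected Intel parts are Skylake-era CPUs that lack eIBRS.
has_eibrs_flag() {
    case " $1 " in
        *" ibrs_enhanced "*) echo yes ;;
        *)                   echo no ;;
    esac
}

# Read the live sysfs status, or "unknown" when the file is absent.
read_retbleed_status() {
    if [ -r "$RETBLEED_SYSFS" ]; then
        cat "$RETBLEED_SYSFS"
    else
        echo unknown
    fi
}

# Print a summary for the running host.
main() {
    status=$(read_retbleed_status)
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n1 | cut -d: -f2)
    echo "retbleed sysfs status : $status"
    echo "verdict               : $(classify_retbleed_status "$status")"
    echo "eIBRS (ibrs_enhanced) : $(has_eibrs_flag "$flags")"
}

main
```

A verdict of `vulnerable` on a host that has already installed the patched kernel usually means the mitigation was disabled on the command line or the kernel was built without the required tooling; the detail text after the prefix says which. A `mitigated` verdict is the point at which the 12 to 28 percent overhead the researchers estimated starts to apply, so the script is also a cheap way to confirm what a performance regression after patching is attributable to.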

This story first appeared on Ars Technica.