SLAM vulnerability disclosed: new Spectre flaw affecting Intel, AMD and Arm CPUs

admin, 2023-12-12 15:56:48

Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.

The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).

"SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.

While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the Spectre attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via a cache covert channel.

"A transient execution attack exploits the microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that would ordinarily be prohibited by architectural access control mechanisms," Intel says in its terminology documentation.

Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates the practical exploitation of generic Spectre gadgets to leak valuable information. It impacts the following CPUs:

  • Existing AMD CPUs vulnerable to CVE-2020-12965
  • Future Intel CPUs supporting LAM (both 4- and 5-level paging)
  • Future AMD CPUs supporting UAI and 5-level paging
  • Future Arm CPUs supporting TBI and 5-level paging

"Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1," Arm said in an advisory. "The described techniques only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets."

AMD has also pointed to current Spectre v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance prior to the future release of Intel processors that support LAM. In the interim, Linux maintainers have developed patches to disable LAM by default.

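The two mechanisms the article relies on, LAM-style masking changing which pointers the canonicality check rejects, and Arm's point that software must harden its own Spectre v1 bounds checks, can be illustrated with a small userland C model. This is an added example and not code from VUSec, the article, or any CPU vendor. The masking rules are a simplified model of Intel's LAM48 description (bits 62:48 ignored by the check and filled from bit 63 before translation), the index-masking helper re-implements the idiom behind Linux's `array_index_nospec` rather than calling it, and every function and macro name is this example's own.

```c
/*
 * Added example, not code from VUSec, the article, or any CPU vendor.
 * A userland C model of two things the article describes:
 *   1. how LAM-style masking changes which pointers the canonicality check
 *      rejects (simplified model of Intel's LAM48 description: bits 62:48 are
 *      ignored by the check and filled from bit 63 before translation), and
 *   2. the branchless index-masking idiom software uses to harden a Spectre v1
 *      bounds check (same idea as Linux's array_index_nospec; re-implemented
 *      here, not the kernel's code).
 * All function and macro names are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48                                                   /* 4-level paging */
#define META_MASK (UINT64_C(0x7fffffffffffffff) & ~((UINT64_C(1) << VA_BITS) - 1)) /* bits 62:48 */

/* Classic 48-bit canonicality: bits 63:47 must all be 0 or all be 1. */
static bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);                              /* bits 63:47 */
    return top == 0 || top == (UINT64_C(1) << (64 - VA_BITS + 1)) - 1;
}

/* LAM48-style canonicality: only bit 63 is compared with bit 47; bits 62:48 are ignored. */
static bool is_canonical_lam48(uint64_t va)
{
    return (va >> 63) == ((va >> (VA_BITS - 1)) & 1);
}

/* Model of the hardware masking step: the metadata bits are replaced by copies of bit 63. */
static uint64_t lam48_mask(uint64_t va)
{
    uint64_t fill = (va >> 63) ? META_MASK : 0;
    return (va & ~META_MASK) | fill;
}

/* Software pointer tagging: place a 15-bit tag in bits 62:48. */
static uint64_t tag_pointer(uint64_t va, uint16_t tag)
{
    return (va & ~META_MASK) | ((uint64_t)(tag & 0x7fff) << VA_BITS);
}

/* All-ones when index < size, zero otherwise, with no data-dependent branch.
 * Requires size <= SIZE_MAX / 2 (true for any real array). */
static size_t index_mask_nospec(size_t index, size_t size)
{
    size_t x = index | (size - 1 - index);          /* top bit set iff index >= size */
    return (x >> (sizeof(size_t) * 8 - 1)) - 1;     /* 0 - 1 = all ones; 1 - 1 = 0 */
}

/* Bounds-checked read: the branch alone is the classic Spectre v1 gadget; the mask
 * additionally clamps the index to 0 on a mispredicted path, so transient execution
 * never reads past the end of the array. Architecturally the mask is a no-op. */
static uint8_t lookup_hardened(const uint8_t *array, size_t size, size_t index)
{
    if (index >= size)
        return 0;
    index &= index_mask_nospec(index, size);
    return array[index];
}

int main(void)
{
    uint64_t user_ptr = UINT64_C(0x00007f0000001000);                /* constructed sample address */
    uint64_t tagged = tag_pointer(user_ptr, 0x1234);

    printf("tagged pointer      : 0x%016llx\n", (unsigned long long)tagged);
    printf("classic canonical   : %d\n", is_canonical(tagged));        /* 0: dereference would fault */
    printf("LAM48 canonical     : %d\n", is_canonical_lam48(tagged));  /* 1: now reaches memory */
    printf("after LAM masking   : 0x%016llx\n", (unsigned long long)lam48_mask(tagged));

    const uint8_t table[4] = { 10, 20, 30, 40 };                      /* constructed sample data */
    printf("lookup(2)           : %u\n", lookup_hardened(table, 4, 2));
    printf("lookup(9)           : %u\n", lookup_hardened(table, 4, 9));
    printf("mask(9, 4)          : 0x%zx\n", index_mask_nospec(9, 4));
    return 0;
}
```

The tagged pointer is the point of the model: under the classic check it is non-canonical and a dereference faults, which is why many Spectre gadgets that operate on attacker-shaped pointers were considered "unmasked" but unexploitable; under the LAM48-style check the same pointer is accepted and translated after masking. The second half shows the software-side answer Arm refers to: the mask is free architecturally and only matters on the mispredicted path.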

The findings come nearly two months after VUSec shed light on Quarantine, a software-only approach to mitigate transient execution attacks and achieve physical domain isolation by partitioning the last-level cache (LLC) to give every security domain exclusive access to a different part of the LLC, with the goal of eliminating LLC covert channels.

"Quarantine's physical domain isolation isolates different security domains on separate cores to prevent them from sharing core-local microarchitectural resources," the researchers said. "Moreover, it unshares the LLC, partitioning it among the security domains."

Originally published by the WeChat official account 知机安全: SLAM vulnerability disclosed: new Spectre flaw affecting Intel, AMD and Arm CPUs

Posted by admin on 2023-12-12 15:56:48. When reposting, keep the link to this article (CN-SEC中文网; thanks to the original author): https://cn-sec.com/archives/2289906.html
