GhostRace: New Data Leak Vulnerability Affecting Modern CPUs

admin · 18 March 2024, 12:51:32 · 12 views · 5,257 characters · 17 min 31 s read

A group of researchers has discovered a new data leakage attack impacting modern CPU architectures supporting speculative execution.

Dubbed GhostRace (CVE-2024-2193), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions.

"All the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target," the researchers said.

The findings come from the Systems Security Research Group at IBM Research Europe and VUSec, the latter of which disclosed another side-channel attack called SLAM targeting modern processors in December 2023.

Spectre refers to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in memory, bypassing isolation protections between applications.

While speculative execution is a performance optimization technique used by most CPUs, Spectre attacks take advantage of the fact that erroneous predictions leave behind traces of memory accesses or computations in the processor's caches.

"Spectre attacks induce a victim to speculatively perform operations that would not occur during strictly serialized in-order processing of the program's instructions, and which leak the victim's confidential information via a covert channel to the adversary," the researchers behind the Spectre attack noted in January 2018.

The discovery of these vulnerabilities, alongside Meltdown, has since led to a broader review of microprocessor architecture over the years, even prompting the MITRE Common Weakness Enumeration (CWE) program to add four new weaknesses related to hardware microarchitectures arising from transient execution (CWE-1420 to CWE-1423) late last month.

What makes GhostRace notable is that it enables an unauthenticated attacker to extract arbitrary data from the processor by using race conditions on speculatively executed code paths, through what is called a Speculative Concurrent Use-After-Free (SCUAF) attack.

A race condition is an undesirable situation that occurs when two or more processes attempt to access the same, shared resource without proper synchronization, thereby leading to inconsistent results and opening a window of opportunity for an attacker to perform malicious actions.

"In characteristics and exploitation strategy, an SRC vulnerability is similar to a classic race condition," the CERT Coordination Center (CERT/CC) explained in an advisory.

"However, it is different in that the attacker exploits said race condition on a transiently executed path originating from a mis-speculated branch (similar to Spectre v1), targeting a racy code snippet or gadget that ultimately discloses information to the attacker."

The net result is that it permits an attacker with access to CPU resources to access arbitrary sensitive data from host memory.

"Any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs," VUSec said.

Following responsible disclosure, AMD said its existing guidance for Spectre "remains applicable to mitigate this vulnerability." The maintainers of the Xen open-source hypervisor acknowledged that all versions are impacted, although they said it's unlikely to pose a serious security threat.

"Out of caution, the Xen Security Team have provided hardening patches including the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN," Xen said.

"LOCK_HARDEN is off by default, owing to the uncertainty of there being a vulnerability under Xen, and uncertainty over the performance impact. However, we expect more research to happen in this area, and feel it is prudent to have a mitigation in place."
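As an added example (not code from the researchers, VUSec, or the Xen project), the VUSec statement above and the LOCK_HARDEN description can be shown side by side in C: a spinlock whose acquire ends in a conditional branch, used once as-is and once with a serializing instruction placed directly after that branch, which is the shape of the LOCK_HARDEN idea. The `shared_obj` type, the "secret" buffer, and the barrier instructions chosen for non-x86 targets are assumptions of this example. Both lock variants are architecturally identical; the barrier changes only whether the critical region can run on a mis-speculated path.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Speculation barrier. LFENCE on x86 serializes the speculative path; the
 * AArch64 and generic fallbacks are portability assumptions of this demo,
 * not the exact instructions used by the Xen LOCK_HARDEN patches. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __atomic_thread_fence(__ATOMIC_SEQ_CST); /* ordering only, not a speculation barrier */
#endif
}

typedef struct { atomic_int locked; } spinlock_t;

static bool spin_try_lock(spinlock_t *l)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&l->locked, &expected, 1);
}

static void spin_unlock(spinlock_t *l) { atomic_store(&l->locked, 0); }

/* Unhardened acquire: the loop exit is a conditional branch, so the region
 * after it is exactly the kind of path the VUSec statement describes. */
static void spin_lock_unhardened(spinlock_t *l)
{
    while (!spin_try_lock(l)) { /* spin */ }
}

/* LOCK_HARDEN-style acquire: same architectural behaviour, but the barrier
 * keeps the critical region from executing while the branch is unresolved. */
static void spin_lock_hardened(spinlock_t *l)
{
    while (!spin_try_lock(l)) { /* spin */ }
    speculation_barrier();
}

/* Buffer that is only read or freed while holding the lock: an
 * architecturally race-free critical region (assumed demo structure). */
typedef struct {
    spinlock_t lock;
    char *buf;
    size_t len;
} shared_obj;

shared_obj *shared_obj_new(const char *secret)
{
    shared_obj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->len = strlen(secret);
    o->buf = malloc(o->len + 1);
    if (!o->buf) { free(o); return NULL; }
    memcpy(o->buf, secret, o->len + 1);
    return o;
}

/* Reader: first byte of the buffer, or -1 if it has already been released.
 * 'hardened' selects which acquire guards the region. */
int read_first_byte(shared_obj *o, bool hardened)
{
    int v = -1;
    if (hardened) spin_lock_hardened(&o->lock); else spin_lock_unhardened(&o->lock);
    if (o->buf && o->len > 0) v = (unsigned char)o->buf[0];
    spin_unlock(&o->lock);
    return v;
}

/* Writer: free the buffer under the same lock. */
void release_buffer(shared_obj *o, bool hardened)
{
    if (hardened) spin_lock_hardened(&o->lock); else spin_lock_unhardened(&o->lock);
    free(o->buf);
    o->buf = NULL;
    o->len = 0;
    spin_unlock(&o->lock);
}

void shared_obj_free(shared_obj *o)
{
    if (!o) return;
    free(o->buf);
    free(o);
}

int main(void)
{
    shared_obj *o = shared_obj_new("secret");
    printf("before release: %d\n", read_first_byte(o, true));
    release_buffer(o, true);
    printf("after release:  %d\n", read_first_byte(o, true));
    shared_obj_free(o);
    return 0;
}
```

The only difference between the two acquire routines is the barrier after the loop; a test that exercises both sees the same results, which is the point: the hardening is invisible to the program's semantics and costs only the serialization, which is why Xen made it an opt-in switch pending performance data.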

References

[1]https://thehackernews.com/2024/03/ghostrace-new-data-leak-vulnerability.html

Originally published by the WeChat official account 知机安全: GhostRace: New Data Leak Vulnerability Affecting Modern CPUs

Reposted by CN-SEC (keep this link when reproducing): https://cn-sec.com/archives/2584481.html