A new variant of BHI affects Linux on computers with Intel and also Apple silicon


InSpectre Gadget has proven its effectiveness by producing the first native Spectre-v2 exploit

A team of researchers recently announced a new variant of BHI, called "Native BHI" and already cataloged as CVE-2024-2201. On Intel-based systems, this method gives access to the memory contents of the Linux kernel by running an exploit from user space.

The new variant was discovered with "InSpectre Gadget", a tool designed by the researchers to detect this kind of vulnerability. It uses advanced symbolic execution techniques to examine Spectre gadgets in detail and evaluate their exploitability. The tool not only identifies exploitable gadgets, but also models sophisticated exploitation techniques to better understand the threat these gadgets pose.

The tool has proven its effectiveness by producing the first native Spectre-v2 exploit against the Linux kernel on next-generation Intel CPUs. This exploit, based on the recent BHI variant, is capable of leaking kernel memory at a significant rate, and has shown that on virtualization systems the attack could allow an attacker on a guest system to access the memory contents of the host system or of other guest systems.

Native BHI presents a different technique for exploiting the BHI vulnerability, evading the previously implemented protections. The original BHI attack exploited the CPU vulnerability at the kernel privilege level by executing a user-loaded eBPF program in the kernel. To mitigate this type of attack, eBPF code execution was restricted for unprivileged users.

The new method does not require access to eBPF and allows an unprivileged user to carry out the attack from user space. It relies on code that already exists in the kernel, specifically gadgets (code fragments) that induce speculative execution of instructions.

BHI represents an evolution of the Spectre-v2 attack in which the Branch History Buffer (BHB), rather than the Branch Target Buffer (BTB), is manipulated to bypass additional protections (Intel eIBRS and Arm CSV2) and gain access to sensitive data. The BHB improves the accuracy of branch prediction by taking into account the history of past branches taken by the CPU. During a BHI attack, that branch history is manipulated to cause a misprediction and execute instructions speculatively, leaving traces of data in the cache that can then be leaked.

Unlike the classic Spectre-v2 attack, BHI works through the BHB rather than the BTB: the attacker creates conditions under which a speculative operation picks up the address of the memory area being probed, followed by a speculative indirect jump that leaves that address in the cache. Timing analysis of cached versus uncached accesses is then used to retrieve the data from the cache.

To counter the Native BHI attack, hardware features such as Intel IBT (Indirect Branch Tracking) are used together with the FineIBT protection mechanism in the Linux kernel. FineIBT combines the IBT hardware instructions with kCFI (kernel Control Flow Integrity) software protection to block deviations from the normal control flow. This is achieved by allowing an indirect jump to execute only if it lands on an ENDBR instruction placed at the beginning of a function, and by checking hashes to ensure the integrity of the pointers.

It is worth mentioning that an additional protection mode offered by Intel has been implemented in the Linux kernel, together with an alternative software protection for the KVM hypervisor. The solution has been integrated into all current kernel versions, and the developers of the Xen hypervisor have also released a fix based on the BHI_DIS_S mode to limit predictions based on branch history.
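As an added example that is not part of the article or of the researchers' tool, the following POSIX shell script classifies a Linux host's BHI state from the kernel's own reports, so an administrator can tell whether the fixes described above are active. It assumes the "; BHI: ..." strings that recent x86 kernels append to the spectre_v2 sysfs file and the kernel.unprivileged_bpf_disabled sysctl; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the researchers' tool): classify a host's
# BHI mitigation state from the kernel's own reports.
# Assumption: the "; BHI: ..." suffix values are those printed by the x86 kernel
# (arch/x86/kernel/cpu/bugs.c, 6.9+); kernels predating the fix print no BHI field.

# bhi_status TEXT : TEXT is the contents of
# /sys/devices/system/cpu/vulnerabilities/spectre_v2. Prints one status token.
bhi_status() {
    case "$1" in
        *"BHI: Not affected"*)                echo "not-affected" ;;
        *"BHI: BHI_DIS_S"*)                   echo "mitigated-hardware" ;;  # Intel BHI_DIS_S mode
        *"BHI: SW loop"*|*"BHI: Retpoline"*)  echo "mitigated-software" ;;  # BHB-clearing sequence
        *"BHI: Vulnerable, KVM: SW loop"*)    echo "vulnerable-host-guest-protected" ;;
        *"BHI: Vulnerable"*)                  echo "vulnerable" ;;
        *"BHI:"*)                             echo "unknown" ;;
        *)                                    echo "no-bhi-field" ;;  # kernel predates the fix
    esac
}

# unpriv_bpf_status VALUE : VALUE is kernel.unprivileged_bpf_disabled
# (0 = unprivileged eBPF allowed, 1 = disabled until reboot, 2 = disabled, re-enablable).
# The original BHI attack needed unprivileged eBPF; Native BHI does not, so this
# check is still necessary but no longer sufficient on its own.
unpriv_bpf_status() {
    case "$1" in
        0)   echo "unprivileged-ebpf-allowed" ;;
        1|2) echo "unprivileged-ebpf-disabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Report on the running system when the files exist (skipped silently elsewhere).
report_live_system() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    s=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then echo "spectre_v2 BHI state : $(bhi_status "$(cat "$f")")"; fi
    if [ -r "$s" ]; then echo "unprivileged eBPF    : $(unpriv_bpf_status "$(cat "$s")")"; fi
    return 0
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_PATCHED='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_OLD='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence'
echo "sample patched kernel : $(bhi_status "$SAMPLE_PATCHED")"   # mitigated-hardware
echo "sample old kernel     : $(bhi_status "$SAMPLE_OLD")"       # no-bhi-field
report_live_system
```

A "no-bhi-field" result means the kernel is too old to report on BHI at all, which on affected Intel hardware should be treated as unmitigated rather than as unknown.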

To demonstrate the vulnerability, the researchers developed an exploit from the identified gadgets that extracts, from kernel buffers, the line of the /etc/shadow file containing the root user's password hash. This process recovers data at approximately 3.5 KB per second.

If you are interested in knowing more, you can check the details in the following link.

