SWAPGS, a new speculative execution vulnerability


Bitdefender researchers have identified a new vulnerability in the speculative execution mechanism of modern processors. It has been named SWAPGS, after the processor instruction that causes the problem.

The vulnerability allows an unprivileged attacker to determine the contents of kernel memory areas or of running virtual machines. The issue is confirmed on Intel (x86_64) processors and only partially affects AMD processors, on which the primary attack vector does not appear.

The previously implemented Spectre and Meltdown mitigations do not protect against SWAPGS attacks on Intel processors, but fixes for Linux, ChromeOS, Android and Windows have already been proposed.

The vulnerability belongs to the Spectre v1 class and is based on the idea of retrieving data that remains in the processor cache after the speculative execution of instructions.

The branch prediction units of modern CPUs improve performance by executing ahead of time the instructions that are most likely to be needed, without waiting for all the conditions that determine whether they will actually run (for example, before a branch condition or a memory access address has been computed).

If the prediction turns out to be wrong, the processor discards the result of the speculative run, but the data touched during that run remains in the processor cache and can be recovered with side-channel methods that measure the difference in access time between cached and non-cached data.

About SWAPGS

The peculiarity of the new attack is that it exploits a leak that arises during the speculative execution of the SWAPGS instruction, which operating systems use to swap the value of the GS register when control passes from user space to the kernel (the GS value used in user space is replaced by the value used for kernel operations).

The Linux kernel keeps in GS the per-CPU pointer used to access kernel data, while in user space GS points to TLS (Thread Local Storage).

To avoid executing SWAPGS twice when the kernel is re-entered from kernel space, or when running code that does not require the GS register to be swapped, a check and a conditional branch precede the instruction.

The speculative execution mechanism runs the code path containing the SWAPGS instruction before the result of that check is known, and discards the result if the chosen branch turns out to be wrong.

As a result, a branch that executes SWAPGS may be chosen speculatively; during that speculative execution the GS register value is changed by SWAPGS and used in memory-dependent operations whose effects remain in the CPU cache.

The researchers proposed two attack scenarios for which exploit prototypes were prepared.

  • The first scenario is based on the situation where the SWAPGS instruction is not executed speculatively even though it is executed in the actual (non-speculative) path; the second scenario is the opposite, where SWAPGS is executed speculatively although it should not be.
  • For each scenario there are two variants: the attacker can determine the value at a specific address in the kernel area, or the attacker can search for a specific value at arbitrary addresses in the kernel.

The fix requires installing a kernel update on both the host and guest systems, followed by a reboot. On Linux, the protection can be disabled with the "nospectre_v1" kernel option, which also disables the measures that block the SWAPGS vulnerability.

The fix is available as a patch for the Linux kernel and is already included in versions 4.19.65, 5.2.7, 4.14.137, 4.9.188 and 4.4.188; for the various Linux distributions, the corresponding fixes will arrive during this week and the next.
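Since a fixed kernel with "nospectre_v1" on the command line is still exposed, an administrator wants two checks: whether the running kernel is at or above the stable versions listed above, and whether the kernel itself reports SWAPGS barriers as active. The script below is an added example for this article, not code from Bitdefender or from the Linux kernel project. It reads the kernel's Spectre v1 status file (the path `/sys/devices/system/cpu/vulnerabilities/spectre_v1` exists in mainline Linux), but the exact wording of the status strings and the sample `uname -r` values are assumptions, constructed here for illustration.

```python
import os
import re

# Stable kernel releases that, per the article, already carry the SWAPGS fix.
FIXED_VERSIONS = ["4.19.65", "5.2.7", "4.14.137", "4.9.188", "4.4.188"]

# Path the Linux kernel uses to report Spectre v1 mitigation state.
SPECTRE_V1_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v1"

# Constructed sample status strings (assumed wording, not captured from a real host).
SAMPLE_SYSFS = {
    "patched":  "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "old":      "Mitigation: __user pointer sanitization",
    "disabled": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
}


def _fixed_series():
    """Map each (major, minor) stable series to the first patch level with the fix."""
    series = {}
    for v in FIXED_VERSIONS:
        major, minor, patch = (int(x) for x in v.split("."))
        series[(major, minor)] = patch
    return series


def parse_release(release):
    """Extract (major, minor, patch) from a `uname -r` string such as '5.2.7-1-generic'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())


def version_has_fix(release):
    """True/False when the series is one the article lists; None when it is not."""
    major, minor, patch = parse_release(release)
    needed = _fixed_series().get((major, minor))
    if needed is None:
        return None
    return patch >= needed


def swapgs_barriers_active(sysfs_text):
    """True when the kernel reports SWAPGS barriers as part of its Spectre v1 mitigation."""
    text = sysfs_text.strip().lower()
    if not text.startswith("mitigation:"):
        return False
    return "swapgs barrier" in text and "no swapgs barrier" not in text


def assess(sysfs_text, release):
    """Combine the version check and the sysfs check into one verdict."""
    barriers = swapgs_barriers_active(sysfs_text)
    fixed = version_has_fix(release)
    if barriers:
        verdict = "mitigated: kernel reports SWAPGS barriers"
    elif fixed is True:
        verdict = "fixed kernel, but SWAPGS barriers are off (e.g. nospectre_v1)"
    elif fixed is False:
        verdict = "kernel predates the fix; update and reboot"
    else:
        verdict = "series not in the article's list; consult your distribution's advisory"
    return {"release": release, "swapgs_barriers": barriers,
            "version_fixed": fixed, "verdict": verdict}


def assess_live():
    """Run the checks on the current host; returns None where sysfs is unavailable."""
    try:
        with open(SPECTRE_V1_SYSFS) as f:
            text = f.read()
    except OSError:
        return None
    return assess(text, os.uname().release)


if __name__ == "__main__":
    # Walk the constructed samples, then the live host if the status file exists.
    for name, text in SAMPLE_SYSFS.items():
        print(name, "->", assess(text, "4.19.65")["verdict"])
    live = assess_live()
    print("this host ->", live["verdict"] if live else "spectre_v1 status file not present")
```

The sysfs check is the authoritative one: distributions often backport the fix without moving to the listed upstream version, so a "series not in the article's list" result from the version check alone is not a finding, whereas a "Vulnerable" status line on a patched kernel points directly at the "nospectre_v1" option described above.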

