While speculative execution attacks remain a persistent vulnerability of modern processors, new research has revealed an “industry failure” in adopting mitigation measures published by AMD and Intel, posing a threat to the firmware supply chain.
Dubbed FirmwareBleed by Binarly, the information leaks stem from enterprise vendors continuing to expose microarchitectural attack surfaces, either because they do not integrate the patches properly or because they apply them only partially.
“The impact of such attacks is focused on exposing the contents of privileged memory (including memory protected by virtualization technologies) in order to obtain sensitive data from processes running on the same processor (CPU),” the firmware protection company said in a report shared with The Hacker News.
“Cloud environments can have a greater impact when a physical server can be shared by multiple users or legal entities.”
In recent years, implementations of speculative execution, an optimization technique that predicts the outcome and destination of branch instructions in a program’s execution pipeline, have been found to be vulnerable to Spectre attacks on processor architectures, potentially allowing a malicious actor to steal cryptographic keys and other secrets.
It works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be denied to an unprivileged application, and then retrieves the data after aborting the operation due to a misprediction.
A key countermeasure against the damaging effects of speculative execution is a software defense called Retpoline (aka “Return Trampoline”), introduced in 2018.
Although recent findings such as Retbleed have conclusively shown that retpoline alone is not sufficient to stop such attacks in some scenarios, the latest analysis shows a lack of consistency even when applying these defenses.
Specifically, the analysis targets a best practice called Return Stack Buffer (RSB) stuffing, introduced by Intel to avoid RSB underflows when using retpoline. The RSB is the address predictor for return instructions (aka RET).
“Some processors may use branch predictors other than the return stack buffer (RSB) when the RSB is under capacity,” Intel notes in its documentation. “This could impact software using the retpoline mitigation strategy on these processors.”
“On processors with different empty RSB behavior, [System Management Mode] code should fill the RSB with CALL instructions before returning from SMM so as not to interfere with non-SMM usage of the retpoline technique.”
Intel also recommends RSB stuffing as a mechanism to thwart underflow attacks like Retbleed, and alternatively urges vendors to “set IBRS [Indirect Branch Restricted Speculation] before RET instructions where there is a risk of underflow due to deep call stacks.”
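What the RSB stuffing sequence Intel describes looks like in practice, as an added illustration that is not code from Binarly’s report or from any vendor firmware. It follows the widely used pattern (a chain of CALLs whose targets are a pause/lfence capture loop, followed by discarding the pushed return addresses); the depth of 32 entries and the red-zone adjustment for a user-mode build are assumptions for this example.

```c
#include <stdint.h>

/* Number of RSB entries to fill (assumed: 32, the depth commonly used). */
#define RSB_STUFF_DEPTH 32

/*
 * Fill the return stack buffer with RSB_STUFF_DEPTH CALL instructions. Each
 * CALL pushes a return address that points at a "capture" loop, so any later
 * speculative RET that would otherwise underflow the RSB (and fall back to the
 * indirect-branch predictor) instead predicts into the harmless loop. The
 * pushed return addresses are then dropped by adjusting the stack pointer.
 * On non-x86-64 builds this is a no-op.
 */
static inline void rsb_stuff(void)
{
#if defined(__x86_64__)
    __asm__ __volatile__(
        "sub  $128, %%rsp\n\t"          /* step over the SysV red zone (user-mode only) */
        "mov  $%c[loops], %%ecx\n\t"
        "1:\n\t"
        "call 2f\n\t"
        "3: pause\n\t"                  /* capture loop for speculative RETs */
        "lfence\n\t"
        "jmp  3b\n\t"
        "2:\n\t"
        "call 4f\n\t"
        "5: pause\n\t"
        "lfence\n\t"
        "jmp  5b\n\t"
        "4:\n\t"
        "dec  %%ecx\n\t"
        "jnz  1b\n\t"
        "add  $%c[bytes], %%rsp\n\t"    /* discard the pushed return addresses */
        "add  $128, %%rsp\n\t"
        :
        : [loops] "i" (RSB_STUFF_DEPTH / 2), [bytes] "i" (RSB_STUFF_DEPTH * 8)
        : "rcx", "memory", "cc");
#endif
}

/* Run the stuffing sequence and return a sentinel; a mismatched stack
 * adjustment in the asm would corrupt the frame and this would not return. */
uint64_t rsb_stuff_check(uint64_t sentinel)
{
    volatile uint64_t keep = sentinel;
    rsb_stuff();
    return keep;
}
```

In firmware the same sequence runs just before the RSM that leaves SMM, without the red-zone adjustment.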
However, Binarly’s analysis identified as many as 32 firmware images from HP, 59 from Dell, and 248 from Lenovo that did not include the RSB stuffing mitigation, indicating a “failure in the firmware supply chain.”
Additionally, an in-depth code analysis uncovered cases where the mitigation was present in firmware but contained implementation bugs that caused their own security issues, even in updates released in 2022 and for devices with the latest hardware generation.
“Firmware supply chain ecosystems are quite complex and often exhibit repeatable failures when it comes to applying new industry-wide mitigation measures or patching code vulnerabilities,” the researchers said. “Even if a mitigation is present in the firmware, that doesn’t mean it’s applied correctly without creating security vulnerabilities.”