New Working Speculative Execution Attack Sends Intel and AMD Scrambling

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability. Ars Technica reports: Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled. […] The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations. […] Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place. “Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today’s public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.” AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a whitepaper.

[Research Kaveh Razavi added:] “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.” The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD and be sure to follow the mitigation guidance.