Academic researchers developed a new side-channel attack called SLAM that exploits hardware features designed to improve security in upcoming CPUs from Intel, AMD, and Arm to obtain the root password hash from the kernel memory.
SLAM is a transient execution attack that takes advantage of a memory feature that allows software to use untranslated address bits in 64-bit linear addresses for storing metadata.
CPU vendors implement this in different ways and have distinct terms for it. Intel calls it Linear Address Masking (LAM), AMD names it Upper Address Ignore (UAI), and Arm refers to the feature as Top Byte Ignore (TBI).
Short for Spectre based on LAM, the SLAM attack was discovered by researchers at Systems and Network Security Group (VUSec Group) at Vrije Universiteit Amsterdam, who demonstrated its validity by emulating the upcoming LAM feature from Intel on a last-generation Ubuntu system.
According to VUSec, SLAM impacts mainly future chips that meet specific criteria. The reasons for this include the lack of strong canonicality checks in future chip designs.
Additionally, while the advanced hardware features (e.g. LAM, UAI, and TBI) improve memory security and management, they also introduce exploitable micro-architectural race conditions.
Leaking the root password hash
The attack leverages a new transient execution technique that focuses on exploiting a previously unexplored class of Spectre disclosure gadgets, specifically those involving pointer chasing.
Gadgets are instructions in software code that the attacker can manipulate to trigger speculative execution in a way that reveals sensitive information.
Although the results of speculative execution are discarded, the process leaves traces like altered cache states which attackers can observe to infer sensitive information such as data from other programs or even the operating system.
The SLAM attack targets “unmasked” gadgets that use secret data as a pointer, which the researchers report are common in software and can be exploited to leak arbitrary ASCII kernel data.
The researchers developed a scanner with which they found hundreds of exploitable gadgets on the Linux kernel. The following video demonstrates the attack that leaks the root password hash from the kernel.
[embedded content]
In practical scenario, an attacker would need to execute on the target system code that interacts with the unmasked gadgets and then carefully measure the side effects using sophisticated algorithms to extract sensitive information such as passwords or encryption keys from the kernel memory.
The code and data for reproducing the SLAM attack are available on VUSec’s GitHub repository. The researchers also published a technical paper explaining how the attack works.
VUSec notes that SLAM impacts the following processors:
- Existing AMD CPUs vulnerable to CVE-2020-12965
- Future Intel CPUs supporting LAM (both 4- and 5-level paging)
- Future AMD CPUs supporting UAI and 5-level paging
- Future Arm CPUs supporting TBI and 5-level paging
Vendor response to SLAM
Responding to the researchers’ disclosure, Arm published an advisory explaining that its systems already mitigate against Spectre v2 and Spectre-BHB and plan no further action in response to SLAM.
AMD also pointed to current Spectre v2 mitigations to address the SLAM attack described by the VUSec research group and did not provide any guidance or updates that would lower the risk.
Intel announced plans for providing software guidance before releasing future processors that support LAM, such as deploying the feature with the Linear Address Space Separation (LASS) security extention for preventing speculative address accesses across user/kernel mode.
Until further guidance becomes available, Linux engineers have created patches that disable LAM.