A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data

Presented at REcon 2022, June 5, 2022, 2 p.m. (60 minutes).

When Spectre was disclosed in 2018, its second and most dangerous variant (Spectre-v2, branch target injection) could be exploited to leak arbitrary data across privilege levels with little effort. OS developers responded with stopgap software mitigations such as retpolines, at a non-negligible performance cost. Intel and Arm then shipped more efficient hardware defenses (eIBRS and CSV2, respectively), which are now the de facto Spectre-v2 mitigation on every modern system.

In this talk, we introduce “Branch History Injection” (BHI): a new attack primitive that bypasses Intel's eIBRS and Arm's CSV2 hardware mitigations against cross-privilege Spectre-v2 attacks. We discuss our black-box reverse-engineering approach to these complex mitigations, sharing both the successful and the failed attempts at understanding their inner workings. We then use BHI to build an end-to-end exploit that leaks arbitrary kernel memory on fully patched Intel 11th-generation CPUs. Finally, we describe the Spectre defenses deployed after our BHI disclosure, showing how software and hardware can mitigate these new attacks.
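A practical check that follows from the abstract, added here as an example and not taken from the talk or from VUSec: Linux reports its Spectre-v2 mitigation state in `/sys/devices/system/cpu/vulnerabilities/spectre_v2`, and that one line tells you whether a host is in the "eIBRS/CSV2 only" configuration that BHI bypasses, whether the kernel reports a BHI- or BHB-specific mitigation on top, or whether it is flagging the post-disclosure warning state (eIBRS with unprivileged eBPF enabled). The script classifies such a line. The sample status lines are constructed to follow the kernel's wording, which has changed across releases, and the `BHI:` field only exists on kernels that gained BHI-specific reporting; treat the exact strings as an assumption and adjust the patterns for your kernel.

```shell
#!/bin/sh
# Added example, not code from the talk or from VUSec: classify the
# spectre_v2 status line that Linux exposes in sysfs, so you can tell an
# "eIBRS only" host (the configuration BHI was shown to bypass) from one
# whose kernel reports a BHI/BHB-specific mitigation.
# Assumptions: the status wording follows the kernel's own strings, which
# changed across releases; the "BHI:" field exists only on kernels that
# gained BHI-specific reporting.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STATUS_LINE
# Prints one word:
#   vulnerable-ebpf  kernel's own post-BHI warning: eIBRS with unprivileged eBPF enabled
#   vulnerable       any other unmitigated state
#   retpoline        software-only Spectre-v2 mitigation (not the eIBRS path BHI targets)
#   eibrs-only       eIBRS (x86) or CSV2 (Arm) without a BHI/BHB-specific mitigation
#   eibrs-bhi        eIBRS/CSV2 plus a reported BHI (x86) or BHB (Arm) mitigation
#   unknown          anything else, e.g. "Not affected" or an unrecognised format
classify_spectre_v2() {
    status=$1
    case $status in
        "Vulnerable: eIBRS"*"unprivileged eBPF"*) echo vulnerable-ebpf ;;
        Vulnerable*)                               echo vulnerable ;;
        "Mitigation: Retpolines"*)                 echo retpoline ;;
        *"Enhanced IBRS"*|*"Automatic IBRS"*|*"CSV2"*)
            case $status in
                *"BHI: Vulnerable"*) echo eibrs-only ;;   # newer x86 kernel with BHI mitigation off
                *"BHI: "*|*"BHB"*)   echo eibrs-bhi ;;
                *)                   echo eibrs-only ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# check_host: classify the running kernel, or report that sysfs is missing.
check_host() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        classify_spectre_v2 "$(cat "$SPECTRE_V2_SYSFS")"
    else
        echo no-sysfs
    fi
}

# Constructed sample lines modelled on the kernel's wording (not captured
# from a real host), one per state:
demo() {
    printf '%s\n' \
      'Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling' \
      'Vulnerable: eIBRS with unprivileged eBPF' \
      'Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S' \
      'Mitigation: CSV2, BHB' \
      'Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling' |
    while IFS= read -r line; do
        printf '%-16s %s\n' "$(classify_spectre_v2 "$line")" "$line"
    done
}

printf 'this host: %s\n' "$(check_host)"
demo
```

Reading the result: `eibrs-only` is the pre-disclosure picture the talk attacks (the hardware mitigation is on and the kernel considers Spectre-v2 handled), `vulnerable-ebpf` is the kernel telling you that the cheapest BHI exploitation path is still open, and `eibrs-bhi` means the kernel reports an additional mitigation for this class; what that mitigation is, and whether it is hardware or software, still has to be read off the status line itself.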


Presenters:

  • Enrico Barberis
    Enrico is a Ph.D. candidate at VUSec. His research focuses on microarchitectural attacks and, more broadly, on the threats intrinsic to hardware design flaws. In recent work he disclosed microarchitectural vulnerabilities such as Floating Point Value Injection (FPVI) and Branch History Injection (BHI).
  • Pietro Frigo
    Pietro is a Ph.D. candidate at VUSec ([@VUSec](https://twitter.com/vu5ec)). His research focuses on hardware security, investigating attack vectors such as Rowhammer and microarchitectural side channels. He disclosed the first WebGL-based Rowhammer attack (GLitch) and was recently behind TRRespass (Rowhammer on DDR4) and the discovery of Intel's MDS and BHI vulnerabilities.
