GhostRace: A worrying new CPU vulnerability

👻 GhostRace: Spectre v2.0?

TL;DR

A new class of speculative execution vulnerabilities, named GhostRace, was discovered in March 2024. This attack is particularly dangerous because it can be used to exploit a wide array of software, including web browsers, operating systems and critical applications.

The Theory

But how does the GhostRace attack work? 🤔

The GhostRace attack (CVE-2024-2193) exploits flaws in synchronization primitives, the software mechanisms (such as mutexes) used to coordinate the execution of multiple processes or threads.

It relies on the fact that modern processors can speculatively execute code before it is known whether that code is actually needed.

This allows an attacker to bypass the protections established by synchronization primitives, like mutexes, and access sensitive data that should not be accessible.

The Practice

Example

🤔 Theory can be complex. Consider this concrete example:

Imagine a web browser displaying a malicious webpage. This webpage can execute JavaScript code that may create a malicious thread. This malicious thread then prompts the browser to share a memory resource with it, such as a buffer containing sensitive data.

The malicious thread then uses specific instructions to influence the execution order of instructions in the processor’s pipeline. This allows it to access the sensitive data from the buffer before the browser has had time to protect it.

In summary:

  1. The attacker induces the victim to share a memory resource with a malicious thread.
  2. The malicious thread uses specific instructions to influence the order of execution of instructions in the processor’s pipeline.
  3. By exploiting the flaws of synchronization primitives, the attacker can access sensitive data that should not be accessible before the victim thread’s execution ends.
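To make the mechanism concrete from a defender's point of view, here is an added example in C; it is not code from the original post nor from the GhostRace researchers. A lock acquisition is just a compare-and-swap followed by a conditional branch on its result, so the critical section sits behind a branch like any other and can be entered speculatively. The hardened version places a speculation barrier right after the lock is taken: on x86 this follows the LFENCE-based serialisation the researchers proposed as a mitigation; the AArch64 instruction sequence and the no-op fallback for other targets are my assumptions, as are the lock and buffer names. The example only shows the functional behaviour of the lock and where the barrier belongs; it does not attempt to reproduce any speculative leak.

```c
#include <stdbool.h>
#include <stdio.h>

/* Speculation barrier to be placed right after a lock is acquired.
 * x86: LFENCE, as in the researchers' proposed mitigation.
 * AArch64: an assumed equivalent (dsb sy; isb).
 * Other targets: compiler barrier only (assumption, no hardware effect). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __builtin_ia32_lfence();
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Minimal test-and-set lock: 0 = free, 1 = held. */
typedef struct { int locked; } demo_lock_t;

/* Compare-and-swap 0 -> 1. Returns true if this caller now holds the lock. */
static inline bool demo_trylock(demo_lock_t *l)
{
    int expected = 0;
    return __atomic_compare_exchange_n(&l->locked, &expected, 1, false,
                                       __ATOMIC_ACQUIRE, __ATOMIC_RELAXED);
}

/* Unmitigated acquisition: the loop exit is an ordinary conditional branch
 * on the CAS result, so the processor may speculatively run whatever follows
 * even when the CAS has not (yet) succeeded. This is the pattern GhostRace
 * targets; it is shown here only to contrast with the hardened form. */
static inline void demo_lock_unmitigated(demo_lock_t *l)
{
    while (!demo_trylock(l)) { /* spin */ }
}

/* Hardened acquisition: the barrier stops execution of the critical section
 * until the CAS result is architecturally known. */
static inline void demo_lock_hardened(demo_lock_t *l)
{
    while (!demo_trylock(l)) { /* spin */ }
    speculation_barrier();
}

static inline void demo_unlock(demo_lock_t *l)
{
    __atomic_store_n(&l->locked, 0, __ATOMIC_RELEASE);
}

/* Constructed shared state: a buffer that must only be read under the lock. */
static demo_lock_t secret_lock = {0};
static char secret_buf[32] = "constructed-data";

/* Copies the guarded buffer into out under the hardened lock.
 * Returns the number of bytes copied (not counting the terminator). */
int read_guarded(char *out, int out_len)
{
    int n = 0;
    demo_lock_hardened(&secret_lock);
    while (n < out_len - 1 && secret_buf[n] != '\0') {
        out[n] = secret_buf[n];
        n++;
    }
    out[n] = '\0';
    demo_unlock(&secret_lock);
    return n;
}

/* Shows that a second trylock fails while the lock is held: returns 0. */
int trylock_while_held(void)
{
    demo_lock_hardened(&secret_lock);
    int second = demo_trylock(&secret_lock) ? 1 : 0;
    demo_unlock(&secret_lock);
    return second;
}

int main(void)
{
    char buf[32];
    int n = read_guarded(buf, (int)sizeof buf);
    printf("copied %d bytes under the lock: %s\n", n, buf);
    printf("trylock while held -> %d\n", trylock_while_held());
    return 0;
}
```

The cost of the barrier is paid on every acquisition, which is why such a fix is measured carefully before being adopted kernel-wide; the design choice here is to keep the barrier inside the lock primitive so that every critical section in the code base is covered without auditing each one.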

Exploitation

The GhostRace write-up (https://www.vusec.net/projects/ghostrace/) presents an example of an attack against the Linux kernel.

The attack exploits a synchronization flaw in the tty device driver. The attacker can use this flaw to influence speculative execution in the kernel and thus disclose the contents of kernel memory.

The researchers detail a minimalist PoC illustrating the SRC (Speculative Race Condition) concept step by step on their GitHub: https://github.com/vusec/ghostrace. It lets them leak kernel memory at 12 KB/s.

Differences from Spectre and Meltdown

[Image: Meltdown-spectre.jpg]

So, this vulnerability seems very similar to Spectre and Meltdown, right? 🤔

A quick reminder:

  • Spectre and Meltdown are two major security vulnerabilities discovered in 2018. They affect most modern processors manufactured by Intel, AMD, and ARM.
  • These attacks exploit flaws in the design of modern processors to access data that should be inaccessible.

Spectre

  • Exploits the processor’s branch prediction to induce speculative execution of malicious code.
  • Allows the attacker to read sensitive data in the victim process’s memory.

Meltdown

  • Exploits processor load speculation to bypass virtual memory protections.
  • Allows the attacker to read sensitive operating system kernel data.

Similarities

The GhostRace attack is similar to the Spectre and Meltdown attacks but exploits a different flaw in modern architectures. Spectre and Meltdown exploit flaws in branch prediction and load speculation respectively, while GhostRace exploits flaws in synchronization primitives.

The Risks!

What are the implications of GhostRace? Should we panic? 😱

No! For several reasons:

  • The GhostRace attack is still under research, and there is no evidence yet that it has been exploited in the wild.
  • Solutions exist to mitigate the attack, such as updating processor microarchitectures and developing new compilation techniques.
  • Security software can also be used to detect and block GhostRace attacks.

The GhostRace attack is a serious threat to computer security. It affects a large amount of software, and there is no miracle solution yet to protect against it.

The Protections

What can be done to protect ourselves? 🛡️

Some advice (a bit generic, yes, but there’s no better option at the moment 😅):

  • Install the latest security updates for your operating system and software.
  • Use a capable antivirus and a firewall.
  • Be cautious when visiting websites or opening suspicious attachments.
  • Stay informed about the latest cybersecurity threats.

Sources