In a recent development, academic researchers have unveiled a novel side-channel attack, dubbed SLAM, which poses a threat to the security of computer processors from leading manufacturers such as Intel, AMD, and Arm. The SLAM attack, which stands for Spectre based on Linear Address Masking, is designed to exploit hardware features intended to bolster security in next-generation CPUs. By leveraging these features, the attack can extract sensitive data, such as the root password hash, from the kernel memory.
The SLAM attack is classified as a transient execution attack and utilizes a memory feature that permits software to employ untranslated address bits in 64-bit linear addresses for metadata storage. This feature is implemented differently by various CPU vendors, with Intel referring to it as Linear Address Masking (LAM), AMD as Upper Address Ignore (UAI), and Arm as Top Byte Ignore (TBI).
The discovery of the SLAM attack was made by the Systems and Network Security Group (VUSec Group) at Vrije Universiteit Amsterdam. The researchers successfully demonstrated the attack’s feasibility by emulating Intel’s upcoming LAM feature on an older Ubuntu system. According to VUSec, the attack primarily affects future processors that lack robust canonicality checks in their designs.
One of the attack’s key strategies involves exploiting a new class of Spectre disclosure gadgets, particularly those associated with pointer chasing. These gadgets are sequences of instructions within software code that can be manipulated to initiate speculative execution, inadvertently revealing sensitive information. Despite the speculative execution results being discarded, the process alters cache states, which can be observed by attackers to deduce confidential information from other programs or the operating system itself.
The SLAM attack specifically targets “unmasked” gadgets that incorporate secret data as pointers. Such gadgets are reportedly prevalent in software and can be exploited to leak arbitrary ASCII kernel data. VUSec researchers have developed a scanner that identified numerous exploitable gadgets within the Linux kernel.
For an attack to be successful in a real-world scenario, an attacker would need to execute code on the target system that interacts with these unmasked gadgets. Subsequently, the attacker would measure the side effects and employ complex algorithms to retrieve sensitive information like passwords or encryption keys from the kernel memory.
VUSec has made the code and data necessary to replicate the SLAM attack available on their GitHub repository and has also published a technical paper detailing the attack’s mechanics.
The processors that are susceptible to the SLAM attack include existing AMD CPUs vulnerable to CVE-2020-12965, future Intel CPUs with LAM support, future AMD CPUs with UAI and 5-level paging, and future Arm CPUs with TBI and 5-level paging.
In response to the disclosure of the SLAM attack, Arm issued an advisory stating that its systems are already safeguarded against Spectre v2 and Spectre-BHB, with no additional actions planned. AMD also referred to existing Spectre v2 mitigations as a means to counter the SLAM attack and did not provide further details. The industry’s response underscores the ongoing challenge of balancing advanced hardware features with the need to protect against evolving cybersecurity threats.
