A new attack dubbed Inception can be used to leak sensitive data from any AMD CPU.
In the wake of Zenbleed, researchers from ETH Zurich have designed a new class of transient execution attacks, dubbed Training in Transient Execution (TTE). Using TTE, the researchers built an end-to-end exploit called Inception. It can leak kernel memory at a rate of up to 39 bytes per second on AMD Zen 4, and the researchers were able to leak /etc/shadow on a Linux machine in 40 minutes. This file contains hashed user account passwords and is safeguarded by the system, only accessible by the root user. In other words, this exploit is really bad.
How does Inception work?
Like with Zenbleed, Inception (CVE-2023-20569, via Bleeping Computer) abuses speculative execution in how it works. Branch prediction and speculative execution broadly refer to when your computer performs operations that are not yet needed but will likely be needed in subsequent cycles. It’s often done in times when your system has free resources, as it speeds up overall processing when instructions or data would otherwise not yet be ready for the CPU. If the work done is not needed, it’s typically discarded and the processor can jump back to where it needs to in order to execute the next, correct, instruction. When it does this, this is called a branch misprediction.
There are many problems when it comes to speculative execution though, and vulnerabilities like Spectre and Zenbleed are as a result of it. Those researchers paired an older exploit called “Phantom” (which affected Zen 1 and Zen 2 architectures) with their TTE attack to create Inception.
“Inception” is a reference to the movie of the same name, wherein the premise of the movie relies on planting an idea in someone’s head when they are dreaming. In this case, the researchers state that they are planting an “idea” in the CPU while it is, in a sense, “dreaming.” This causes it to execute incorrect instructions, which allows for Inception to hijack the control flow of the CPU.
BTB is the Branch Target Buffer and RSB is the Return Stack Buffer. Taken from Inception’s white paper:
“In the first training step T1, the attacker executes a training branch at TJ , which collides with the BTB entry of PHANTOMJMP source PJ . Residing in the kernel address space, PJ is the address that initiates the recursive PHANTOMCALL. The victim return VR is allocated after PJ in the control flow. The target of the PHANTOMJMP is set to PC, at which the recursive PHANTOMCALL will be triggered. In training step T2, the attacker executes a training call at TC that collides with PC in the BTB, which will establish the prediction for the PHANTOMCALL. The target of this training call at is set to PC, establishing a recursive PHANTOMCALL prediction. Upon execution of PC, the CPU will thus recursively inject RSB predictions to disclosure gadget G, whose location immediately follows the PHANTOMCALL at PC. As PC resides in kernel space, the training branches TJ and TC will trigger page faults, which we recover from.”
Where Inception differs from most transient execution attacks is that during the transient window, it inserts new predictions into the branch predictor instead. Each insertion create further transient windows that can be more powerful than previous ones. In the case of Phantom (CVE-2022-23825), a transient window can be created using arbitrary instructions. This means that instructions (such as an exclusive-or, or XOR) can be used as a call instruction and create further transient windows. This is then used to overflow the Return Stack Buffer.
What can you do?
There isn’t a whole lot that you can do at the moment, and even in AMD’s case, it’s hard to say what they can actually do about it either. To fully mitigate its impact, AMD would need to flush the branch predictor while switching between contexts, which can be incredibly performance costly.
AMD has proposed a different mitigation, and one that makes it so AMD has opted for all indirect branches forcibly mispredict to a benign location. Until patches roll out, though, your hardware will be susceptible.
A paper about Inception is going to be presented at USENIX Security 2023 and a paper about Phantom speculation is going to be presented at MICRO 2023. You can read these papers to learn more about the exploit.