The new technique relies on a flaw in the behaviour of the SWAPGS instruction and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre.
The vulnerability was discovered by Bitdefender and was reported to Intel almost a year ago. Since then, it has followed a lengthy coordination process that also involved Microsoft, which released mitigations during last month’s Patch Tuesday.
SWAPGS allows the kernel to gain access to internal, per-CPU data structures when a process transitions from user-mode to kernel mode. However, researchers from Bitdefender found that the instruction’s behavior when executed speculatively is poorly documented and has security implications.
There are three attack scenarios involving SWAPGS. One allows attackers to bypass KASLR (Kernel Address Space Layout Randomisation), a mechanism in modern operating systems designed to make exploitation of vulnerabilities harder.
The second allows attackers to test if a certain value exists at a given kernel memory address from user space and the third, and the most serious one, can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability and in fact, the new technique is cataloged as a variant of Spectre version 1.
It is not a very efficient attack, though. The researchers estimate that attackers could leak a few bytes every few minutes using their proof-of-concept exploit. However, they also believe that the leak rate can be significantly diminished in the future.
What’s interesting about the attack is that it bypassed all existing software mitigations, including the Kernel Page Table Isolation (KPTI) mechanism that is supposed to fully isolate kernel memory in its own virtual address space, making Spectre- and Meltdown-like attacks harder.
Microsoft said it released security updates in July, and that customers who have Windows Update enabled and have applied those updates are protected automatically.
“A quick analysis of the Linux kernel revealed that although it contains a gadget which may be used in an attack, it lies inside the Non-Maskable Interrupt (NMI) handler”, Bitdefender researchers said in their paper. “We therefore believe that Linux would be difficult (if not impossible) to attack.”
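Since the article's practical takeaway is "apply the vendor patches", the check a Linux administrator would want is whether the running kernel actually carries the SWAPGS fix. Kernels with the fix report the string "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" in the sysfs file for Spectre v1, whereas older patched kernels report only "Mitigation: __user pointer sanitization". The script below is an added example written for this page, not code from Bitdefender, Microsoft or the kernel project; it reads that sysfs file if present and classifies the line, and the sample lines in `main` are constructed so the classifier can be exercised on a machine that does not expose the file.

```shell
#!/bin/sh
# Added example (not from the article): report whether the running Linux kernel
# says it carries the SWAPGS barriers for Spectre v1, using the kernel's own
# sysfs vulnerability status file.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS_LINE
# Prints one word describing the kernel's reported status. Order matters:
# a "Vulnerable: ... no swapgs barriers" line also contains "swapgs", so the
# Vulnerable pattern is tested before the swapgs pattern.
classify_spectre_v1() {
  case "$1" in
    "Not affected"*)  echo "not-affected" ;;
    "Vulnerable"*)    echo "vulnerable" ;;
    *swapgs*)         echo "swapgs-barriers" ;;
    "Mitigation:"*)   echo "mitigated-no-swapgs-barriers" ;;
    *)                echo "unknown" ;;
  esac
}

# read_spectre_v1_status [FILE]
# Prints the sysfs line, or "missing" when the kernel does not expose the file
# (non-x86 systems, very old kernels, or a restricted container).
read_spectre_v1_status() {
  f="${1:-$VULN_FILE}"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo "missing"
  fi
}

main() {
  status="$(read_spectre_v1_status)"
  printf 'spectre_v1 status : %s\n' "$status"
  printf 'verdict           : %s\n' "$(classify_spectre_v1 "$status")"

  # Constructed sample lines (not captured from a real host) so the
  # classifier can be seen working even where the sysfs file is absent.
  for sample in \
    "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" \
    "Mitigation: __user pointer sanitization" \
    "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers" \
    "Not affected" \
    "missing"; do
    printf '%-85s -> %s\n' "$sample" "$(classify_spectre_v1 "$sample")"
  done
}

main
```

A verdict of `mitigated-no-swapgs-barriers` means the kernel predates the SWAPGS fix even though it reports a Spectre v1 mitigation, which is exactly the state an inventory scan should flag; `unknown` or `missing` means the host must be checked another way (kernel version or distribution advisory) rather than assumed safe.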