A team of researchers from Amsterdam Free University and IBM have developed a new attack on the speculative execution mechanism in modern processors, which they have named Ghostrace (CVE-2024-2193). This vulnerability affects processors from Intel, AMD, ARM, and IBM. To demonstrate this attack, they have released a prototype exploit that can extract data from the memory of a Linux kernel at a rate of 12 KB per second, similar to the Spectre class attacks. This attack also allows an attacker in a virtualized environment to access memory from the host or other guest systems.
The Ghostrace attack revolves around manipulating speculative execution to create a race condition that can result in the release of new memory. By exploiting the incorrect prediction of branching within the processor when handling conditional operations involving synchronization primitives like MUTEX and SpinLOCK, the attacker can extract sensitive information. Even though these speculative memory accesses are ultimately discarded by the processor, traces of the operation remain in the processor cache, making them accessible to third-party analysis.
This attack is akin to Spectre V1 vulnerabilities, where specific sequences of instructions (gadgets) in the processor core can be manipulated to trigger speculative execution based on external conditions controlled by the attacker. The processor begins executing these gadgets speculatively but then reverts to the original state if the prediction was incorrect.
One example of the gadget used in the Ghostrace attack involves checking a condition in an infinite loop and bypassing resource access restrictions. Through speculative execution, the attack can bypass these restrictions and execute instructions that should have been blocked, exploiting the processor’s speculative execution capabilities.
An analysis of the Linux 5.15.83 kernel code revealed 1283 gadgets that can trigger speculative memory accesses (Scuaf – Speculative Concurrent Use-AFTER-FREE). This attack has the potential to be highly damaging if exploited.