New Safeguard Against Spectre Data Extraction Exploits

Researchers from the Swiss Higher Technical School of Zurich have uncovered two methods of bypassing protection against the Spectre vulnerability. Both methods defeat the use of the IBPB processor instruction (Indirect Branch Prediction Barrier), which is meant to reset the state of the branch prediction unit on every context switch. The first method targets Intel processors, while the second affects AMD processors. Additionally, the researchers have developed a working exploit that leverages the Spectre vulnerability to leak memory contents between processes, demonstrating its effectiveness by extracting passwords from the memory of SUID processes such as SUDO, SU, and Polkit.

The first method of evading Spectre protection stems from an error in the microcode of Intel processors and affects systems based on the 12th, 13th, and 14th generations of Intel Core processors, as well as the 5th and 6th generations of Intel Xeon processors. Intel addressed this issue in a microcode update released in March. Because of the error, the results of branch predictions were retained after execution of the IBPB instruction that should have invalidated them, allowing access to data left behind by speculatively executed instructions in other processes or virtual machines.

Throughout the study, particular attention was paid to devising a method for leaking the memory contents of other processes, including privileged ones such as SUDO. Since there had been no effective techniques for exploiting Spectre-class vulnerabilities to breach process isolation, defensive efforts had concentrated mainly on the kernel and the hypervisor, leaving speculative-execution issues in processes that handle confidential data unaddressed. As a result, attacking such processes typically does not even require bypassing IBPB, because IBPB-based protection at the process level was seldom used. The exploit crafted during the study showed how Spectre vulnerabilities can be used against processes with the SUID bit set in order to elevate privileges.
