A group of researchers from Amsterdam Free University introduced a new attack technique called SLAM (Spectre Linear Address Masking), which exploits microarchitectural vulnerabilities of the Spectre class. The attack relies on data leakage that occurs when non-canonical addresses are processed speculatively, and the new processor extensions for linear address masking relax the canonicality checks that would otherwise stop such accesses. The researchers have published tools implementing the method and a demonstration of how data can be extracted with this technique.
The SLAM attack targets Intel processors with LAM (Linear Address Masking), AMD processors with UAI (Upper Address Ignore), and ARM processors with TBI (Top Byte Ignore). These processor extensions allow some bits of a 64-bit address to be used for storing metadata unrelated to addressing. Notably, processors with these extensions have been announced but are not yet widely produced, making SLAM the first speculative attack on future CPUs. However, the attack can also be carried out on older AMD Zen+ and Zen 2 CPUs affected by CVE-2020-12965.
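To make the mechanism concrete, the following added example (not code from the researchers or from any vendor) models the address checks in pure bit arithmetic. It assumes 4-level paging (48-bit canonical addresses), Intel's LAM_U48 mode (metadata in bits 62:48, with bit 63 required to equal bit 47) and ARM TBI (bits 63:56 ignored), as those modes are described in the respective vendor manuals; the functions show how a pointer carrying metadata in its upper bits is rejected by the classic canonical check yet accepted and translated once masking is enabled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Classic canonical check for 4-level paging: bits 63:47 must all
   equal bit 47, so a pointer with metadata in its top bits fails. */
static bool is_canonical48(uint64_t va) {
    int64_t s = (int64_t)va;           /* arithmetic shift below */
    return (s >> 47) == 0 || (s >> 47) == -1;
}

/* Intel LAM_U48 (assumed from Intel's LAM description): bits 62:48 are
   ignored as metadata; the only remaining check is bit 63 == bit 47. */
static bool lam_u48_accepts(uint64_t va) {
    return ((va >> 63) & 1) == ((va >> 47) & 1);
}

/* Address the core actually translates under LAM_U48: the metadata bits
   62:48 are replaced by the sign-extension of bit 47. */
static uint64_t lam_u48_translate(uint64_t va) {
    bool b47 = (va >> 47) & 1;
    return b47 ? (va | 0xFFFF800000000000ull)
               : (va & 0x00007FFFFFFFFFFFull);
}

/* ARM TBI (assumed): the top byte, bits 63:56, is ignored on translation. */
static uint64_t tbi_strip(uint64_t va) {
    return va & 0x00FFFFFFFFFFFFFFull;
}

/* Store a 15-bit metadata tag in bits 62:48 of a user pointer
   (constructed helper, not part of any ABI). */
static uint64_t with_tag48(uint64_t va, uint16_t tag) {
    return (va & ~(0x7FFFull << 48)) | ((uint64_t)(tag & 0x7FFF) << 48);
}

int main(void) {
    uint64_t p = 0x00007F1234567000ull;        /* constructed user pointer */
    uint64_t t = with_tag48(p, 0x2A);          /* same pointer, tag 0x2A  */
    printf("tagged=%#llx canonical48=%d lam_u48=%d -> %#llx\n",
           (unsigned long long)t, is_canonical48(t), lam_u48_accepts(t),
           (unsigned long long)lam_u48_translate(t));
    return 0;
}
```

Without masking the tagged pointer is non-canonical and a dereference faults; with LAM_U48 the same pointer is accepted and resolves to the original address, which is exactly the check SLAM relies on being weakened.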
As with the Spectre vulnerabilities, the SLAM attack requires the presence of specific instruction sequences (gadgets) in the kernel that lead to speculative execution. These instructions cause speculative reads of data from memory at locations that can be influenced by conditions under the attacker's control. Although the result of the speculative execution is discarded, the data it touched remains in the cache and can be extracted through side-channel analysis. The Evict+Reload method is used to extract data from the cache: it creates conditions that evict data and then measures the execution time of memory accesses to determine whether the data is present in the processor cache.