Friday, October 7, 2022

SWAPGS: A security hole specific to x86 processors


The discovery of the Meltdown and Spectre vulnerabilities in early 2018 set off a cascade of similarly troublesome side-channel and speculative-execution issues. The unpleasant part is that, while they are rarely abused in practice because of their complexity (attackers have easier trivial vulnerabilities or social engineering to choose from), they strike directly at the level of the main processor. That breaks the assumption that it is enough to find and fix flaws in software to protect a computer, without having to watch the hardware architecture it runs on. Now another security hole similar to Spectre has been added to the list. Interestingly, this time it is not a general one and does not affect other instruction sets: it concerns only processors of the x86 / x86-64 architecture.

The new attack of this type was discovered by Bitdefender researchers and named SWAPGS (CVE-2019-1125). The name comes from the x86 instruction that is the source of the abuse. Because the flaw is specific to this instruction set, it does not affect ARM, Power or MIPS chips, which makes it unique in its own way. The problem stems from speculative execution of the SWAPGS instruction, which is used to swap the chosen value into the GS segment base register (this register holds the offset of the memory range in use).

The instruction is said to be relatively new: together with the related FSGSBASE operations, Intel added it with the Ivy Bridge core in 2012 to speed up context switching in certain cases. Only processors of that generation and newer, i.e. 22nm chips such as the Core i7-3770K, i5-3750K and of course their mobile variants, should be affected.

According to Bitdefender, exploiting this flaw can cause the same kind of damage as Spectre or Meltdown. Speculative execution of code using these instructions can leak data from privileged memory areas, for example those belonging to the kernel, to another user, or, under virtualization, even to another virtual machine or the hypervisor. If abused through JavaScript, it could theoretically read data from the attacked computer's memory and send it to the attacker's server. Because this is a different attack from the original Spectre, it is not covered by the existing fixes.

The Bitdefender researchers have published a paper entitled "Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction".

The fix will be entirely on the OS side

According to the researchers, fixing this flaw in hardware is not realistic, or at least it is best handled the same way as Spectre V1, at the software layer (the wording varies depending on the source). It will therefore be solved purely by adapting operating systems. Microsoft fixed the flaw, presumably by changing the code that uses these instructions, in the patches released on July 9, before it was publicly disclosed. The SWAPGS problem was not mentioned at the time, since the flaw was still under NDA. Thanks to this responsible-disclosure approach, the updates were widely distributed before the vulnerability was made public.

[Image: Intel Ivy Bridge processor]
Intel Ivy Bridge processors

Initial reports said that only Windows was exploitable. On Linux there is reportedly also a potentially affected spot (in the handling of non-maskable interrupts), but according to Bitdefender it should be hard to exploit in practice. Linux should nevertheless already have patches for these potential weaknesses; Red Hat, for example, has a corresponding fix. So even on Linux the flaw will not be left in place, despite the minimal danger. Apple's macOS, according to Bitdefender, should not be exploitable.

Small but probably non-zero effect on performance

According to Red Hat, the fixes have a minimal but probably measurable performance impact. The cost is paid when switching between user and kernel execution modes, so in applications that perform a large number of such switches (interrupts, system calls) the impact can be worse. On Linux the fix is part of the Spectre V1 mitigation set and can be disabled with the same parameter ("nospectre_v1"). Windows may see a similar effect, but it is nothing to worry about. As a general rule, it is recommended to keep the operating system fully updated and protections enabled to minimize the risks.
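As an added example (not from the article or from Red Hat), the following POSIX shell script shows how an administrator can check on a Linux host whether the Spectre V1 mitigation set mentioned above, which on Linux also carries the SWAPGS barriers, is active, and whether the "nospectre_v1" boot parameter has switched it off. The sysfs path /sys/devices/system/cpu/vulnerabilities/spectre_v1 and the status strings matched below are the Linux kernel's real interface; the sample status line and command line used when the script is not run on Linux are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's Spectre V1 status (which on Linux
# includes the SWAPGS barriers) and detect a "nospectre_v1" override.
# Sysfs path and status strings are the real kernel interface; sample
# inputs at the bottom are constructed.

SPECTRE_V1_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# Classify one status line as read from the spectre_v1 sysfs file.
# Order matters: "Vulnerable: ... no swapgs barriers" mentions swapgs
# but must not be classified as mitigated.
classify_spectre_v1() {
    case "$1" in
        "Not affected"*)           echo "not-affected" ;;
        "Vulnerable"*)             echo "vulnerable" ;;
        "Mitigation:"*swapgs*)     echo "mitigated-with-swapgs-barriers" ;;
        "Mitigation:"*)            echo "mitigated-without-swapgs-barriers" ;;
        *)                         echo "unknown" ;;
    esac
}

# Return 0 if the kernel command line contains the nospectre_v1 parameter,
# which disables the whole Spectre V1 mitigation set (SWAPGS barriers included).
cmdline_disables_spectre_v1() {
    case " $1 " in
        *" nospectre_v1 "*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Combine both signals into one verdict. A live system booted with
# nospectre_v1 already reports "Vulnerable" in sysfs; the cmdline check
# tells the administrator *why*.
swapgs_verdict() {
    status=$(classify_spectre_v1 "$1")
    if cmdline_disables_spectre_v1 "$2"; then
        echo "disabled-by-nospectre_v1"
    else
        echo "$status"
    fi
}

# Live check on a Linux host; constructed samples elsewhere.
if [ -r "$SPECTRE_V1_SYSFS" ] && [ -r /proc/cmdline ]; then
    swapgs_verdict "$(cat "$SPECTRE_V1_SYSFS")" "$(cat /proc/cmdline)"
else
    # Constructed sample in the format the kernel actually prints.
    swapgs_verdict "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" \
                   "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
fi
```

Run it as root or as any user (the sysfs file is world-readable). A verdict other than "mitigated-with-swapgs-barriers" or "not-affected" on an Intel host means the SWAPGS fix described in the article is not in effect, either because the kernel is too old or because someone traded it away for performance with "nospectre_v1".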

Intel has a page about the flaw and states that the July fix for Windows addresses it completely. AMD wrote in its response that its processors do not speculate on the new, user-written value of the GS register with the SWAPGS instruction (which Intel's apparently do), so that brand's processors appear somewhat less vulnerable. They are apparently immune to one part of the attack, but not to the other.

Bitdefender describes four variants of the attack on the SWAPGS instruction, depending on whether SWAPGS was not speculatively executed when it should have been (1) or was speculatively executed when it should not have been (2). In both cases the attacker can either determine whether certain data already in the cache comes from a specific kernel address (a), or learn the value of the data at an arbitrary address (b). Only variant 2a applies to AMD processors. Patches are still needed, however; AMD recommends treating the vulnerable variant the same way as Spectre V1. Jon Masters of Red Hat wrote on Twitter that their Linux kernel apparently applies only the fixes needed for AMD processors, not all of those needed for Intel. We do not know whether Windows does it this way or applies a blanket fix.
