With speculative execution attacks remaining a persistent vulnerability for modern processors, new research has revealed an “industry flaw” in how the mitigations released by AMD and Intel are adopted, one that threatens the firmware supply chain.
Dubbed FirmwareBleed by Binarly, the information-leak attacks stem from enterprise vendors continuing to expose micro-architectural attack surfaces, either by not including the fixes at all or by applying them only partially.
“The impact of such attacks is aimed at releasing the contents of privileged memory (including memory protected by virtualization technologies) to obtain sensitive data from processes running on the same processor (CPU),” the firmware security company said in a report shared with The Hacker News.
“Cloud environments can have a greater impact when a physical server can be shared by multiple users or legal entities.”
In recent years, implementations of speculative execution, an optimization technique that predicts the outcome and target of branch instructions in a program’s execution pipeline, have been shown to be susceptible to Spectre-like attacks on processor architectures, which could allow a threat actor to leak cryptographic keys and other secrets.
This works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would not normally be accessible to an unprivileged application, then extracting the data after the mispredicted operation is rolled back.
An important countermeasure against the harmful effects of speculative execution is a software defense known as retpoline (short for “return trampoline”), which was introduced in 2018.
While recent findings such as Retbleed have shown conclusively that retpoline alone is insufficient to stop such attacks in certain scenarios, the latest analysis shows a lack of consistency in even applying these mitigations in the first place.
In particular, it focuses on a best practice called Return Stack Buffer (RSB) stuffing, introduced by Intel to prevent RSB underflow when using retpoline. The RSB is the CPU’s address predictor for return (RET) instructions.
“Certain processors may use branch predictors other than the Return Stack Buffer (RSB) when the RSB underflows,” Intel notes in its documentation. “This could affect software that uses the retpoline mitigation strategy on such processors.”
“On processors with alternate empty RSB behavior, [System Management Mode] code should populate the RSB with CALL instructions before returning from SMM to avoid interference with non-SMM use of the retpoline technique.”
Intel also recommends RSB stuffing as a mechanism to thwart buffer underflow attacks like Retbleed, urging vendors to “set [Indirect Branch Restricted Speculation] before RET instructions at risk of underflow due to deep call stacks.”
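To make the mitigation concrete, the following is an added example (not code from Binarly, Intel or any vendor firmware) of the RSB stuffing sequence the text describes: a chain of CALL instructions that each push a return address and an RSB entry, with a speculation trap after every CALL so a mispredicted RET has nowhere useful to go, followed by a stack adjustment that discards the pushed return addresses while the RSB keeps its entries. It assumes an x86-64 GCC or Clang build in user mode, so it demonstrates the sequence's structure; in real firmware the same sequence belongs in the SMM exit path, as the quoted guidance says.

```c
#include <stdio.h>

#define RSB_ENTRIES 32   /* assumed RSB depth; the common value used by OS mitigations */

/* Fill the RSB with RSB_ENTRIES harmless return targets.
 * Returns the number of entries stuffed (0 when not built for x86-64). */
static int rsb_stuff(void)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    unsigned long loops;
    __asm__ __volatile__(
        "sub $128, %%rsp\n\t"        /* step below the SysV red zone before pushing */
        "mov %[n], %[cnt]\n\t"       /* two CALLs per loop iteration */
        "1:\n\t"
        "call 2f\n\t"                /* pushes a return address and an RSB entry */
        "3:\n\t"
        "pause\n\t"                  /* speculation trap: a mispredicted RET lands here */
        "lfence\n\t"
        "jmp 3b\n\t"
        "2:\n\t"
        "call 4f\n\t"
        "5:\n\t"
        "pause\n\t"
        "lfence\n\t"
        "jmp 5b\n\t"
        "4:\n\t"
        "dec %[cnt]\n\t"
        "jnz 1b\n\t"
        "add %[bytes], %%rsp\n\t"    /* drop the pushed return addresses; RSB entries remain */
        "add $128, %%rsp\n\t"        /* restore the red zone */
        : [cnt] "=&r"(loops)
        : [n] "i"(RSB_ENTRIES / 2), [bytes] "i"(RSB_ENTRIES * 8)
        : "memory", "cc");
    return RSB_ENTRIES;
#else
    return 0;                        /* other architectures: nothing to stuff here */
#endif
}

/* Runs the stuffing sequence and then returns normally: a wrong stack
 * adjustment in rsb_stuff() would crash here instead of returning x + 1. */
static int stuffed_return_probe(int x)
{
    rsb_stuff();
    return x + 1;
}

int main(void)
{
    printf("RSB entries stuffed: %d\n", rsb_stuff());
    printf("probe: %d\n", stuffed_return_probe(41));
    return 0;
}
```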
However, the Binarly study found that as many as 32 firmware images from HP, 59 from Dell and 248 from Lenovo did not include the RSB stuffing mitigation, underscoring a “failure in the firmware supply chain”.
In addition, deep code analysis uncovered cases where the mitigation was present in the firmware but contained implementation flaws that introduced vulnerabilities of their own, even in updates released in 2022 and for devices with recent-generation hardware.
“Firmware supply chain ecosystems are quite complex and often contain repeatable errors when it comes to adopting new industry-wide solutions or resolving vulnerabilities in reference code,” the researchers said. “Even if a mitigation is present in the firmware, it does not mean that it is applied correctly without creating vulnerabilities.”