IBM and VU Amsterdam researchers reveal a new vulnerability in all major CPU architectures
In early 2018, the "Spectre" and "Meltdown" vulnerabilities turned the security of modern microprocessors upside down within days. CPU manufacturers and operating system vendors rushed to find mitigations for these critical vulnerabilities, which leaked passwords and other sensitive data. Six years on, one would believe that this class of vulnerabilities is well understood and fixed. But not so fast.
Researchers from IBM and Vrije Universiteit Amsterdam recently discovered "GhostRace", a new variant of the attack against the Linux kernel that allows attackers to access and leak sensitive data. After responsibly reporting the vulnerability to the Linux team in November 2023, and several months of collaboration on mitigations, the researchers publicly disclosed the attack today as CVE-2024-2193 and CVE-2024-26602.
The attack combines two classes of attack (speculative execution and race conditions) to spy on and extract sensitive information from the Linux kernel, the core of the majority of devices shipped worldwide. This work improves our understanding of speculative execution attacks, allowing more comprehensive defenses to be designed and adopted.
Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities. To prevent their occurrence, operating systems rely on synchronization primitives such as mutexes and spinlocks. The key idea behind GhostRace is that these synchronization primitives can be bypassed during speculative execution, a CPU optimization designed to massively improve performance.
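To make the role of the synchronization primitive concrete, here is an added example (not code from the researchers or from the Linux kernel) of the classic check-then-act race that a mutex is meant to prevent: several threads withdraw from a shared balance that must never go negative. The account, thread counts and amounts are constructed for illustration. With the lock, the check and the update execute as one critical section and the accounting is exact; without it, two threads can both pass the check and the invariant breaks. This is the architectural guarantee that a mutex or spinlock provides; GhostRace's observation is that the CPU does not honor it while executing speculatively.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define NTHREADS 8
#define ATTEMPTS 10000
#define AMOUNT   1

/* Constructed shared resource: a balance that must never go negative. */
typedef struct {
    long balance;
    long withdrawals;      /* number of withdrawals that passed the check */
    pthread_mutex_t lock;
    bool use_lock;         /* whether the check-then-act is guarded */
} account_t;

/* Check-then-act on the shared balance. Without the lock, two threads can
 * both observe balance >= AMOUNT and both subtract, driving it below zero
 * or losing updates to the counters. */
static void *withdraw_worker(void *arg)
{
    account_t *acct = arg;
    for (int i = 0; i < ATTEMPTS; i++) {
        if (acct->use_lock) pthread_mutex_lock(&acct->lock);
        if (acct->balance >= AMOUNT) {      /* check */
            acct->balance -= AMOUNT;        /* act   */
            acct->withdrawals++;
        }
        if (acct->use_lock) pthread_mutex_unlock(&acct->lock);
    }
    return NULL;
}

/* Runs NTHREADS withdrawers against a fresh account and returns the final
 * balance; the number of successful withdrawals is stored via the out
 * pointer when one is given. With use_lock the result is deterministic:
 * balance = max(initial - NTHREADS*ATTEMPTS*AMOUNT, 0). */
long run_withdrawals(long initial, bool use_lock, long *withdrawals_out)
{
    account_t acct = { .balance = initial, .withdrawals = 0, .use_lock = use_lock };
    pthread_mutex_init(&acct.lock, NULL);

    pthread_t tid[NTHREADS];
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, withdraw_worker, &acct);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(tid[i], NULL);

    pthread_mutex_destroy(&acct.lock);
    if (withdrawals_out) *withdrawals_out = acct.withdrawals;
    return acct.balance;
}

/* Convenience wrapper returning only the successful-withdrawal count. */
long withdrawal_count(long initial, bool use_lock)
{
    long w = 0;
    run_withdrawals(initial, use_lock, &w);
    return w;
}

int main(void)
{
    long w;
    long locked = run_withdrawals(1000, true, &w);
    printf("with mutex:    balance=%ld withdrawals=%ld\n", locked, w);

    long unlocked = run_withdrawals(1000, false, &w);
    printf("without mutex: balance=%ld withdrawals=%ld%s\n", unlocked, w,
           unlocked < 0 ? "  <-- invariant violated" : "");
    return 0;
}
```

The unlocked run is nondeterministic by nature: on some executions it happens to produce the right numbers, which is exactly why races are hard to find by testing and why the kernel relies on the primitives themselves rather than on observed behaviour.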
When this happens in particular pieces of kernel code (called "gadgets"), the result is an exploitable condition that attackers can use to leak secret information from the operating system core. The researchers' upcoming USENIX Security 2024 paper gives the full details, including scripts to find vulnerable gadgets, their suggested mitigation, and the mitigations adopted by Linux.