New Slam Hacks AMD Future Intel CPUs to Steal Sensitive Data

Recently, academic researchers created a new side-channel assault called SLAM to get the root password hash from the kernel memory. This hack takes advantage of hardware characteristics intended to enhance security in forthcoming CPUs from Intel, AMD, and Arm. A memory quirk that permits applications to use untranslated address bits in 64-bit linear addresses for storing metadata is exploited by the transient execution hack known as SLAM.

CPU suppliers use various terminologies and implement them in different ways. Arm refers to the feature as Top Byte Ignore (TBI), AMD calls it Upper Address Ignore (UAI), while Intel calls it Linear Address Masking (LAM). The SLAM attack was found by researchers at Vrije Universiteit Amsterdam's Systems and Network Security Group (VUSec Group). They validated the attack by simulating Intel's planned LAM functionality on a last-generation Ubuntu system.

VUSec claims that SLAM mostly affects upcoming processors that satisfy particular requirements. One of the reasons for this is that upcoming chip designs will likely lack robust canonicality checks. Furthermore, whereas cutting-edge hardware features like LAM, UAI, and TBI enhance memory security and management, they also create micro-architectural race conditions that can be exploited.

Disclosing the Hash of Your Root Password

Using a novel transient execution strategy, the hack targets a class of Spectre disclosure devices that had not been studied before pointer-chasing devices. Software code instructions called gadgets are what a hacker can change to cause speculative execution in a way that exposes private data.

Speculative execution discards its findings, but it leaves behind traces, such as changed cache states, that a hacker can use to deduce sensitive information—like operating system or program data—from observation. The researchers indicate that "unmasked" devices that employ secret data as a pointer are frequently found in software.

Also, can be used to leak arbitrary ASCII kernel data. These devices are the focus of the SLAM hack. Using a scanner they created, the researchers discovered hundreds of Linux kernel exploits. The hack that extracts the hash of the root password from the kernel is shown in the video link below.

In a real-world scenario, a hacker would have to run the target system code that communicates with the devices that aren't disguised, then carefully assess the consequences by applying advanced methods to retrieve private data from the kernel memory, including encryption keys and passwords.

You can find the data and code needed to replicate the SLAM hack on VUSec's GitHub repository. A technical document outlining the hack's mechanism was also released by the researchers. According to VUSec, SLAM affects the following processors: 

  1. Existing AMD CPUs vulnerable to CVE-2020-12965
  2. Future Intel CPUs supporting LAM (both 4 & 5-Level Paging)
  3. Future ARM CPUs supporting TBI and 5-level Paging
  4. Future AMD CPUs supporting UAI and 5-level Paging

Seller Reaction to SLAM

Arm released an alert in reaction to the researchers' revelation, stating that its systems already mitigate against Spectre v2 and Spectre-BHB and that it has no plans to take any action in response to SLAM. Additionally, AMD did not offer any advice or upgrades that would have reduced the risk.

Instead referred users to the current Spectre v2 mitigations to address the SLAM hack as reported by the VUSec research group. Before the release of upcoming CPUs that support LAM, Intel revealed intentions to release software guidelines. One such proposal is to deploy the technology in conjunction with the Linear Address Space Separation security extension. It inhibits speculative address accesses in both user and kernel modes.