
Linux systems running on Intel processors may be far more vulnerable to Spectre v2 than previously thought

The new flaw works at speeds “more than enough to disclose sensitive data from the kernel in realistic time,” VU Amsterdam researchers warn.

Francis Scialabba


Researchers at the Vrije Universiteit (VU) Amsterdam recently discovered what they’ve called the “first native Spectre v2 exploit” targeting the Linux kernel on Intel systems, warning the findings indicate a “nontrivial attack surface.”

Spectre refers to a family of processor vulnerabilities rooted in speculative execution, a performance optimization in which the CPU guesses the outcome of a branch and executes instructions along the predicted path before the outcome is known, discarding the work if the guess turns out to be wrong. Researchers publicly disclosed it and the related Meltdown vulnerability in January 2018, showing that the side effects of that discarded work (in the CPU cache, for example) could let an attacker read protected kernel memory. The bugs affected nearly every modern processor and illustrated the tradeoff between speed and security in hardware design.

One of the most potentially harmful variants was Spectre v2 (branch target injection), in which an attacker poisons the CPU’s indirect branch predictor so that the kernel speculatively jumps to code of the attacker’s choosing. SecurityWeek reported in 2022 that VU Amsterdam researchers had found an extension of Spectre v2 called branch history injection (BHI), which bypassed the hardware mitigations (Intel’s eIBRS) designed to stop it; that earlier exploit relied on unprivileged eBPF to supply its own gadgets. In the newest study, the researchers announced “native BHI,” an exploit that needs no eBPF and works purely against the kernel’s own native code on Intel processors, leaking arbitrary kernel memory at 3.5 kB/s.

“[That] is more than enough to disclose sensitive data from the kernel in realistic time,” Cristiano Giuffrida, a VU Amsterdam associate professor who worked on the research, told IT Brew via email. In a proof-of-concept video of a native BHI attack released alongside the research, the method leaked the “root password hash from kernel memory end-to-end in only 1 minute,” Giuffrida wrote.

Spectre v2 attacks work by steering the kernel into speculatively executing attacker-chosen code sequences known as gadgets. A useful gadget loads a secret and then performs a memory access whose address depends on it; the access leaves a trace in the cache even after the CPU discards the speculative work, and the attacker recovers the secret by timing which cache lines were touched. Mitigation efforts to date have focused on ensuring that no such gadget is reachable by unprivileged users, for example by disabling unprivileged eBPF. As part of the native BHI research, the VU Amsterdam team released InSpectre Gadget, a Linux kernel scanner, and it revealed that a concerning number of exploitable gadgets remain exposed.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“Our efforts led to the discovery of 1,511 Spectre gadgets and 2,105 so-called ‘dispatch gadgets,’” the researchers wrote. “The latter are very useful for an attacker, as they can be used to chain gadgets and direct speculation towards a Spectre gadget.”

“The number of gadgets we found point to a nontrivial attack surface,” they added.

“For the attack to work, you need a vulnerable microarchitecture but also vulnerable victim software” with exploitable gadgets, Giuffrida told IT Brew.

“With our InSpectre Gadget analysis tool, we found thousands of exploitable gadgets in the Linux kernel (and similar results can be obtained on the other major OS kernels and hypervisors),” he added. “Previous research found none, unless special features such as eBPF were enabled.”

The VU Amsterdam researchers say native BHI exploits resemble earlier Spectre exploits in one respect: they are hard to develop but easy to deploy.

“Working out an exploit requires knowledge of microarchitectural details and of the victim software,” Giuffrida wrote. “But once the exploit is available, it’s just a matter of running it in the target machine.”

As Bleeping Computer reported, Intel has updated its Spectre v2 mitigation recommendations and “indicated” that it will include BHI protections in future processors.
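The practical question for an administrator reading the above is whether a given Linux host reports the Spectre v2 and BHI mitigations Intel now recommends, and whether unprivileged eBPF (the feature Giuffrida mentions) is still switched on. The script below is an editor-added example, not code from the IT Brew article or from the VU Amsterdam researchers. It reads the status line the Linux kernel itself publishes in sysfs, where recent kernels append a `BHI:` field, and turns it into a pass/fail verdict. The two file paths are the real sysfs/procfs locations; the `SAMPLE_*` status strings are constructed so the script also runs offline.

```shell
#!/bin/sh
# Editor-added example, not code from the IT Brew article or from the VU Amsterdam
# researchers. Reads the Spectre v2 mitigation status the Linux kernel reports and
# turns it into a pass/fail verdict. The two paths are the real sysfs/procfs
# locations; the SAMPLE_* strings further down are constructed for offline use.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
UNPRIV_BPF_FILE=/proc/sys/kernel/unprivileged_bpf_disabled

# assess_spectre_v2 STATUS UNPRIV_BPF_DISABLED
#   STATUS               one-line contents of the spectre_v2 sysfs file
#   UNPRIV_BPF_DISABLED  contents of kernel.unprivileged_bpf_disabled
#                        (0 = unprivileged eBPF allowed, 1 or 2 = disabled)
# Prints one line per finding and returns 0 only when the kernel reports a
# Spectre v2 mitigation, reports BHI as mitigated, and unprivileged eBPF is off.
assess_spectre_v2() {
    status=$1
    unpriv_bpf_disabled=$2
    rc=0

    # 1. Overall Spectre v2 state: "Not affected", "Mitigation: ..." or "Vulnerable...".
    case "$status" in
        "Not affected"*)
            printf 'spectre_v2: not affected\n'
            return 0 ;;
        Mitigation:*)
            printf 'spectre_v2: %s\n' "$status" ;;
        *)
            printf 'spectre_v2: VULNERABLE (%s)\n' "$status"
            rc=1 ;;
    esac

    # 2. BHI field. Kernels that predate BHI reporting print no "BHI:" at all;
    #    treat that like "Vulnerable", since nothing is known to be in place.
    case "$status" in
        *"BHI: "*)
            bhi=${status##*"BHI: "}   # text after the "BHI: " marker
            bhi=${bhi%%,*}            # drop a ", KVM: ..." suffix
            bhi=${bhi%%;*}            # drop any later "; ..." field
            case "$bhi" in
                Vulnerable*)
                    printf 'bhi: VULNERABLE (%s)\n' "$bhi"
                    rc=1 ;;
                *)
                    printf 'bhi: mitigated (%s)\n' "$bhi" ;;
            esac ;;
        *)
            printf 'bhi: not reported by this kernel; assume unmitigated\n'
            rc=1 ;;
    esac

    # 3. Unprivileged eBPF. The native exploit does not need it, but it remains
    #    the easiest way for an unprivileged user to bring their own gadgets.
    case "$unpriv_bpf_disabled" in
        1|2) printf 'unprivileged eBPF: disabled\n' ;;
        *)   printf 'unprivileged eBPF: ENABLED; set kernel.unprivileged_bpf_disabled=1\n'
             rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample status lines in the format the kernel uses.
SAMPLE_GOOD='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_BHI_VULN='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable'
SAMPLE_OLD_KERNEL='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence'

# Live check when the sysfs file exists, otherwise a run over the constructed samples.
if [ -r "$SPECTRE_V2_FILE" ]; then
    if assess_spectre_v2 "$(cat "$SPECTRE_V2_FILE")" "$(cat "$UNPRIV_BPF_FILE" 2>/dev/null || echo 0)"; then
        printf 'verdict: OK\n'
    else
        printf 'verdict: ACTION NEEDED\n'
    fi
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_BHI_VULN" "$SAMPLE_OLD_KERNEL"; do
        if assess_spectre_v2 "$s" 2; then printf 'verdict: OK\n\n'; else printf 'verdict: ACTION NEEDED\n\n'; fi
    done
fi
```

A kernel that shows `BHI: Vulnerable`, or no `BHI:` field at all, has not received the mitigation that followed this research, whatever the rest of the line says about IBRS or retpolines; the script fails such hosts on purpose rather than giving partial credit.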
