Researchers have discovered a new and powerful transient execution attack called 'Inception' that can leak privileged secrets and data using unprivileged processes on all AMD Zen CPUs, including the latest models.
Transient execution attacks exploit a feature present on all modern processors named speculative execution, which dramatically increases the performance of CPUs by guessing what will be executed next before a slower operation if completed.
If the guess is correct, the CPU has increased performance by not waiting for an operation to finish, and if it guessed wrong, it simply rolls back the change and continues the operation using the new outcome.
The problem with speculative execution is that it can leave traces that attackers can observe or analyze to retrieve valuable data that should be otherwise protected.
Researchers at ETH Zurich have now combined an older technique named 'Phantom speculation' (CVE-2022-23825) with a new transient execution attack called 'Training in Transient Execution' (TTE) to create an even more powerful 'Inception' attack.
Phantom speculation allows attackers to trigger mispredictions without needing any branch at the misprediction source, i.e., create a speculative execution period ("transient window") at arbitrary XOR instructions.
TTE is the manipulation of future mispredictions by injecting new predictions into the branch predictor to create exploitable speculative executions.
The Inception attack, tracked as CVE-2023-20569, is a novel attack that combines the concepts described above, allowing an attacker to make the CPU believe that an XOR instruction (simple binary operation) is a recursive call instruction.
This causes it to overflow the return stack buffer with a target address controlled by the attacker, allowing them to leak arbitrary data from unprivileged processes running on any AMD Zen CPU.
Transient execution attacks exploit a feature present on all modern processors named speculative execution, which dramatically increases the performance of CPUs by guessing what will be executed next before a slower operation if completed.
If the guess is correct, the CPU has increased performance by not waiting for an operation to finish, and if it guessed wrong, it simply rolls back the change and continues the operation using the new outcome.
The problem with speculative execution is that it can leave traces that attackers can observe or analyze to retrieve valuable data that should be otherwise protected.
Researchers at ETH Zurich have now combined an older technique named 'Phantom speculation' (CVE-2022-23825) with a new transient execution attack called 'Training in Transient Execution' (TTE) to create an even more powerful 'Inception' attack.
Phantom speculation allows attackers to trigger mispredictions without needing any branch at the misprediction source, i.e., create a speculative execution period ("transient window") at arbitrary XOR instructions.
TTE is the manipulation of future mispredictions by injecting new predictions into the branch predictor to create exploitable speculative executions.
The Inception attack, tracked as CVE-2023-20569, is a novel attack that combines the concepts described above, allowing an attacker to make the CPU believe that an XOR instruction (simple binary operation) is a recursive call instruction.
This causes it to overflow the return stack buffer with a target address controlled by the attacker, allowing them to leak arbitrary data from unprivileged processes running on any AMD Zen CPU.
