NATIVE BHI Grants Access to Linux Nucleus on Intel Computers

Scientists from the University of Amsterdam discovered a new methodology of attacks known as NATIVE BHI, which enables hackers to access data in the memory of Linux kernels on computers with Intel processors. This method poses a significant threat in virtualization conditions as it allows attackers to breach the memory of the host or other virtual machines from their virtual environment.

NATIVE BHI (CVE-2024-2201) represents an enhancement of the previous vulnerability BHI (Branch History Injection) CVE-2022-0001, which was identified in 2022. Unlike the initial approach that required special EBPF code implementation in the kernel for a successful attack, the new method does not necessitate such privileges and can be executed by any user.

This technique revolves around the utilization of specific sequences of commands (gadgets) in the kernel code that trigger speculative execution of instructions. Experts developed the inspectre gadget, which identified a significant number of such gadgets in the 6.6-RC4 kernel. This discovery allows the development of an exploit to extract confidential information (e.g., hashed passwords from the /etc/shadow file) at a rate of approximately 3.5 kb/s.

BHI is a Spectre-V2 attack aimed at bypassing the protective measures of processors and operating systems. The concept behind this attack is to manipulate the processor’s transition history to induce improper speculative execution and retrieve data from the cache. Unlike earlier Spectre attacks that utilized branch prediction, BHI relies on altering the history of transitions within the processor.

The traditional protective mechanisms, such as Intel IBT (Indirect Branch Tracking) and FineBT software, are inadequate against this new attack method. In response, additional protection measures were implemented in the Linux kernel, including hardware protections against Intel (bhi_dis_s) and

/Reports, release notes, official announcements.