A group of researchers from Vrije Universiteit Amsterdam (VU Amsterdam) has disclosed several new vulnerabilities of the Spectre-v2 class, published under the code name Training Solo, that allow memory isolation mechanisms to be bypassed. In virtualization systems the vulnerabilities make it possible to read the memory of the host system or of other guest systems, and on servers they allow an exploit running in user space to read the contents of kernel memory. Example exploits demonstrating such attacks have been published on GitHub. The published exploits can extract arbitrary data from the kernel at a rate of 17 kb/s and from hypervisor memory at 8.5 kb/s.
Spectre-v2 class attacks leak data by poisoning the values in the Branch Target Buffer (BTB) or the Branch History Buffer (BHB), which the processor uses to predict the target of the next branch. By manipulating the branch history, the attacker creates the conditions for a mispredicted branch during speculative execution of instructions. The attacker's goal is that, when a speculative indirect branch is executed, its target address is taken from the memory area of interest. After the speculative jump, that target address, which is really a memory value (the desired data is read from memory under the guise of a branch target), leaves a trace in the processor cache. To extract the information from the cache, one of the known methods for determining cache contents is used, based on measuring the difference in access time between cached and uncached data.
The Training Solo methods presented by the researchers are aimed at bypassing domain isolation mechanisms such as IBPB, eIBRS and BHI_NO, which are used to block Spectre-v2 class attacks. For example, the IBPB (Indirect Branch Prediction Barrier) instruction ensures that the state of the branch predictor is flushed at every context switch, i.e. when control passes between user space and the kernel, or between a guest system and the host environment. Flushing this state removes the possibility of using one's own code to influence the behavior of the indirect branch predictor.
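A defender's first question after reading this is which of these controls the running kernel actually reports. The following shell script is an added example, not part of the original article or of the researchers' published code: it reads the status line the Linux kernel exposes in `/sys/devices/system/cpu/vulnerabilities/spectre_v2` (falling back to a constructed sample line when that file is not available, so it also runs offline) and extracts the IBPB and BHI fields mentioned above. The field layout follows the kernel's sysfs reporting format ("Name: value" fields separated by semicolons); the sample values are constructed.

```shell
#!/bin/sh
# Added example: report the Spectre v2 mitigation state the Linux kernel exposes
# in sysfs and pull out the controls the article discusses (IBPB and BHI).
# SAMPLE_STATUS is a constructed line in the kernel's reporting format, used
# only when the real sysfs file cannot be read.
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
SAMPLE_STATUS="Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop"

# Print the kernel's status line, or the constructed sample when sysfs is unavailable.
spectre_v2_status() {
    if [ -r "$SYSFS_FILE" ]; then
        cat "$SYSFS_FILE"
    else
        printf '%s\n' "$SAMPLE_STATUS"
    fi
}

# Extract the value of one "Name: value" field from a status line.
# Fields are separated by ';', so split on that and strip the matching prefix.
# Prints nothing when the field is absent.
# Usage: spectre_v2_field "<status line>" "IBPB"
spectre_v2_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^ *$2: *//p" | head -n 1
}

# Exit 0 when the kernel reports an active mitigation, 1 otherwise
# ("Vulnerable", "Not affected" or an unrecognised string).
spectre_v2_is_mitigated() {
    case "$1" in
        Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise the controls relevant to this article as key=value lines.
# A missing field is reported explicitly rather than silently left empty,
# since "no IBPB line" and "IBPB disabled" are different findings.
spectre_v2_summary() {
    status=$1
    mode=$(spectre_v2_field "$status" "Mitigation")
    ibpb=$(spectre_v2_field "$status" "IBPB")
    bhi=$(spectre_v2_field "$status" "BHI")
    printf 'mode=%s\n' "${mode:-none}"
    printf 'ibpb=%s\n' "${ibpb:-not reported}"
    printf 'bhi=%s\n' "${bhi:-not reported}"
}

# Stand-alone usage: summarise whatever this machine (or the sample) reports.
spectre_v2_summary "$(spectre_v2_status)"
```

On a real host the script prints the kernel's own view of the mitigation; the point of the article is that a reported "IBPB: conditional" or a BHI software loop does not by itself mean the isolation boundary holds against these self-training variants, so the output is a baseline for tracking vendor and kernel updates, not a verdict.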
The essence of the Training Solo methods is that, in order to influence the branch predictor, the attacker does not run code of their own but instead uses code that is already present on the privileged side of the execution boundary (