Unmasking SLAM: Exploiting CPU Security Features for Spectre Attacks

Recent revelations by cybersecurity researchers from the Systems and Network Security Group at VU Amsterdam have brought to light a sophisticated new attack vector known as SLAM (Spectre based on Linear Address Masking). This attack exploits vulnerabilities inherent in modern CPUs, particularly those anticipated in upcoming products from Intel, AMD, and Arm.

SLAM builds on speculative-execution vulnerabilities of the Spectre family, which let an attacker transiently access sensitive data held by the processor. By steering the CPU's speculative execution, attackers can extract confidential information while bypassing conventional software security measures.

SLAM's key targets are the hardware security features being introduced by the major CPU vendors. These features, Intel's Linear Address Masking (LAM), AMD's Upper Address Ignore (UAI), and Arm's Top Byte Ignore (TBI), were designed to bolster security. SLAM demonstrates, however, that they inadvertently enlarge the attack surface for Spectre-style attacks.

SLAM explores the residual Spectre attack space on current and future CPUs equipped with features such as Intel LAM. Using new transient-execution techniques and exploiting previously overlooked Spectre disclosure gadgets, SLAM can circumvent standard security measures. Notably, it does not rely on the typical "masked" gadgets, which use secret data to index arrays and are commonly used in software.

SLAM's methodology involves identifying and exploiting unmasked gadgets in code, particularly pointer-chasing snippets. These unmasked gadgets, which use confidential data directly as pointers, are prevalent in software. Despite existing mitigation efforts, the researchers found tens of thousands of exploitable gadgets in the Linux kernel alone, hundreds of which pose an immediate risk.

One of the most concerning aspects of SLAM is its ability to quickly extract sensitive data, such as root password hashes, in under 30 seconds. This was demonstrated on the latest Ubuntu system, emulating Intel LAM. Moreover, SLAM’s impact extends beyond current vulnerabilities, targeting future CPUs expected to support LAM, UAI, and TBI features.

While CPU vendors have been informed about SLAM, responses vary. Intel, acknowledging its sponsorship of the research, plans to offer software guidance prior to releasing CPUs with LAM support. Meanwhile, Linux developers have already taken steps to disable certain security features by default until further guidance is available.

AMD and Arm have taken different approaches. Arm believes its existing mitigations for Spectre v2 and Spectre BHI should suffice, while AMD points to current mitigations for Spectre v2, without providing further updates.

In summary, SLAM represents a significant advance in side-channel attacks, turning hardware features intended to enhance security into an avenue for data leakage. As CPU vendors work to address these vulnerabilities, the disclosure underscores the ongoing arms race between security researchers and threat actors in the ever-evolving landscape of computer security.
