Why it matters: A side-channel attack called SLAM could exploit vulnerabilities in Intel, Arm and AMD chips that are under development, researchers have found. So far, the chip makers say their systems have enough protection against SLAM, but this is the first transient execution attack targeting future CPUs and it is unclear how well the companies’ security will hold up.
Researchers from the Vrije Universiteit Amsterdam have discovered a new side-channel attack called SLAM that can be exploited to extract information from kernel memory, including the root password. It opens up a new set of Spectre attacks not only for some current CPUs but also for those in development from Intel, Arm and AMD. The researchers said SLAM, the first transient execution attack targeting future CPUs, has proven adept at evading security features chip developers are incorporating into their newest products, such as Intel’s Linear Address Masking (LAM) and AMD’s Upper Address Ignore (UAI).
The idea behind LAM, as well as AMD’s similar UAI, is to allow software to efficiently make use of untranslated bits of 64-bit linear addresses for metadata, VUSec researchers wrote in a white paper. Their assumption is that with LAM or UAI enabled, more efficient security measures, such as memory safety, can be implemented, and ultimately production systems’ security will be improved.
SLAM makes use of certain paging levels in the newer CPUs; paging is a method of managing the allocation of the system’s physical memory. Tom’s Hardware notes that these CPUs ignore this attack method and exploit the same paging method, which is how SLAM, short for Spectre based on LAM, got its name.
According to VUSec, the following CPUs are affected:
- Future Intel CPUs supporting LAM (both 4- and 5-level paging)
- Future AMD CPUs supporting UAI and 5-level paging
- Future Arm CPUs supporting TBI and 5-level paging
These CPUs lack strong canonicality checks in the new paging levels and hence bypass any CPU-level security, Tom’s Hardware said.
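To make the canonicality point concrete, the following added example (not from the article, Tom’s Hardware or the VUSec paper) compares the strict canonical-address check with the relaxed check used when LAM lets software keep metadata in the upper pointer bits. The bit ranges follow Intel’s published LAM description (for 48-bit addresses, bits 62:48 are ignored and bit 63 is compared with bit 47) and are not stated in the article; the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Strict check: bits 63..(va_bits-1) must all be copies of one bit.
 * va_bits is 48 for 4-level paging and 57 for 5-level paging. */
static int is_canonical(uint64_t va, unsigned va_bits) {
    uint64_t upper = va >> (va_bits - 1);
    uint64_t ones = (1ULL << (65 - va_bits)) - 1;
    return upper == 0 || upper == ones;
}

/* Metadata bits 62..va_bits, which the relaxed check does not inspect. */
static uint64_t lam_meta_mask(unsigned va_bits) {
    return ((1ULL << 63) - 1) & ~((1ULL << va_bits) - 1);
}

/* Relaxed LAM check: only bit 63 and bit (va_bits-1) have to agree. */
static int lam_accepts(uint64_t va, unsigned va_bits) {
    return ((va >> 63) & 1) == ((va >> (va_bits - 1)) & 1);
}

/* Address that is translated: metadata bits replaced by copies of bit 63. */
static uint64_t lam_strip(uint64_t va, unsigned va_bits) {
    uint64_t m = lam_meta_mask(va_bits);
    return (va >> 63) ? (va | m) : (va & ~m);
}

/* Constructed sample values, not taken from any real system. */
static const uint64_t SAMPLE_PTR = 0x00007f1234567000ULL; /* canonical user pointer */
static const uint64_t SAMPLE_TAG = 0x1234;                /* 15-bit metadata value */

static uint64_t tagged_sample(void) { return SAMPLE_PTR | (SAMPLE_TAG << 48); }

int main(void) {
    uint64_t t = tagged_sample();
    printf("tagged value        0x%016llx\n", (unsigned long long)t);
    printf("strict 48-bit check %s\n", is_canonical(t, 48) ? "accept" : "fault");
    printf("relaxed LAM48 check %s\n", lam_accepts(t, 48) ? "accept" : "fault");
    printf("translated address  0x%016llx\n", (unsigned long long)lam_strip(t, 48));
    return 0;
}
```

The same 64-bit value faults under the strict check but is accepted and translated under the relaxed one, which is the difference in canonicality checking the list above refers to.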
Arm has published an advisory on SLAM noting that while “these techniques will typically enhance the number of exploitable gadgets, Arm systems already mitigate against Spectre v2 and Spectre-BHB. Hence no action is required in response to the described attack.” AMD has also pointed to existing Spectre v2 mitigations to address the SLAM exploit, and Intel plans to supply software guidance before it releases processors that support LAM.