Retbleed, another Spectre vulnerability affecting Intel and AMD

  • July 13, 2022
Computer scientists at ETH Zurich (the Swiss Federal Institute of Technology) have discovered a new Spectre-type vulnerability, which they have named Retbleed, affecting older generations of Intel and AMD processors.

Spectre side-channel vulnerabilities have been with us for years and have become a nightmare. The story goes back to early 2018, when the first two Spectre variants were disclosed together with Meltdown, another vulnerability that, at least at the time, affected only Intel processors.

Meltdown was resolved fairly easily at the cost of some performance, but Spectre was and remains much more delicate, not only because it involves Intel, AMD and Arm processors but mainly because it has no single, complete fix. That has forced patches at the microcode, kernel, driver and even application levels to shrink the attack surface. To make matters worse, new variants emerge from time to time, each presenting fresh challenges for developers and security practitioners.

Back on topic: the researchers classify Retbleed as a member of the Spectre variant 2 family, also known as Spectre-BTI (Branch Target Injection). Like every flaw of its kind, it lives in the speculative execution machinery that processors have carried for years, and it can be exploited by purpose-built software to read passwords, keys and other secrets, including kernel memory belonging to the operating system.

In their statement to The Register, the researchers explained that, compared to its siblings, "which trigger speculation with harmful jump targets by using calls or indirect jumps, Retbleed uses return instructions. This means a lot because it undermines some of our current defenses against Spectre-BTI." In other words, mitigating Retbleed will require new patches, and those will come with a performance cost.

Currently, one of the main mitigations for Spectre-BTI on x86 processors (Intel and AMD) is retpoline, a compiler technique that replaces each indirect jump or call, whose target would otherwise be predicted from the branch target buffer, with a small sequence that reaches the target through a return instruction, so that the prediction comes from the return stack buffer instead. Retbleed is built on exactly those return instructions, and so it is able to bypass retpoline.
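To make the mechanism concrete, here is an added example (not code from the article or from the ETH Zurich researchers) that places a hand-written retpoline thunk beside a plain indirect call. It assumes x86-64 Linux with GCC or clang; the function names, the two table entries and the thunk label `retpoline_thunk_rax` are mine. The thunk has the same shape as the compiler-generated `__x86_indirect_thunk_*` routines: a `call` pushes the address of a capture loop, the real target overwrites that return address on the stack, and the `ret` goes to the target architecturally while any speculation that follows the return stack buffer spins harmlessly in the loop. Retbleed's contribution is to show conditions under which that `ret` is not predicted from the return stack buffer at all, which is why the same sequence stops being safe.

```c
#include <stdio.h>

/* A dispatch table reached through a function pointer: the classic
 * indirect-call site that Spectre-BTI targets and that retpoline rewrites.
 * (Constructed example operations, not from the article.) */
typedef int (*op_fn)(int, int);

static int op_add(int a, int b) { return a + b; }
static int op_mul(int a, int b) { return a * b; }

/* Unmitigated: the compiler emits a bare indirect call (call *%reg).
 * Its target is predicted from the branch target buffer, which an attacker
 * running on the same core can train with a target of their choosing. */
int call_indirect(op_fn fn, int a, int b) { return fn(a, b); }

#if defined(__x86_64__) && defined(__linux__) && defined(__GNUC__)
/* Retpoline thunk for a target held in %rax (hypothetical label name).
 *   call 1f        pushes the address of the capture loop, so the RSB
 *                  predicts the final ret will land there
 *   2: pause;lfence;jmp 2b   speculation that follows the RSB spins here
 *   1: mov %rax,(%rsp); ret  architecturally, replace the return address
 *                  with the real target and "return" into it */
__asm__(
    ".pushsection .text\n"
    ".p2align 4\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"
    "    ret\n"
    ".popsection\n");

/* Calls fn(a, b) through the thunk instead of a bare indirect call.
 * SysV ABI: a in %edi, b in %esi, target in %rax, result in %eax. */
int call_retpoline(op_fn fn, int a, int b)
{
    int result;
    __asm__ volatile(
        "mov  %%rsp, %%r12\n"        /* save the stack pointer             */
        "sub  $128, %%rsp\n"         /* step below the red zone            */
        "and  $-16, %%rsp\n"         /* ABI stack alignment before a call  */
        "call retpoline_thunk_rax\n" /* direct call into the thunk         */
        "mov  %%r12, %%rsp\n"        /* restore the stack pointer          */
        : "=a"(result), "+D"(a), "+S"(b) /* callee may clobber the arg regs */
        : "a"(fn)
        : "rcx", "rdx", "r8", "r9", "r10", "r11", "r12", "memory", "cc");
    return result;
}
#else
/* Other architectures: nothing to demonstrate, keep the example runnable. */
int call_retpoline(op_fn fn, int a, int b) { return fn(a, b); }
#endif

int main(void)
{
    printf("indirect:  3+4=%d  6*7=%d\n",
           call_indirect(op_add, 3, 4), call_indirect(op_mul, 6, 7));
    printf("retpoline: 3+4=%d  6*7=%d\n",
           call_retpoline(op_add, 3, 4), call_retpoline(op_mul, 6, 7));
    return 0;
}
```

Both paths return the same values; the difference is only in which predictor decides where speculation goes before the real target is known. Two caveats a practitioner should keep in mind: the thunk rewrites a return address on the stack, so it is incompatible with a hardware shadow stack (Intel CET), which is one reason newer parts lean on eIBRS instead; and, as Retbleed demonstrates, the sequence is only as safe as the assumption that the `ret` is predicted from the return stack buffer.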

Intel and AMD processors affected by Retbleed

Retbleed directly affects AMD's Zen, Zen+ and Zen 2 Ryzen processors, and Intel's Kaby Lake and original Coffee Lake processors (7th and 8th generation). Combined with BHI, another Spectre-type vulnerability disclosed last March, Coffee Lake Refresh (Intel's 9th generation) and Alder Lake (12th generation) join the list. Zen 3 appears to have been spared in every scenario. At this point it is nothing new that Intel processors are more exposed to this kind of vulnerability than AMD's.

Intel's 9th and 12th generation processors withstood the direct Retbleed attack thanks to eIBRS (enhanced Indirect Branch Restricted Speculation), a hardware Spectre mitigation, but apparently not when the exploit was combined with BHI. The researchers believe AMD probably took extra precautions around speculative execution in Zen 3, which is why it appears to have been spared.

Both AMD and Intel are working to mitigate Retbleed. The former intends, at least initially, to deliver mitigation through a microcode update, while the latter will enable eIBRS by default and do additional work to mitigate the vulnerability on parts that lack it. At the operating-system level only Linux appears to be exposed, since Windows already has the necessary defences enabled by default; Linux kernel developers are working on the fix. Once a patched kernel is running, the mitigation state is reported in /sys/devices/system/cpu/vulnerabilities/retbleed alongside the other Spectre entries, which is the quickest way to check a host.

Many will also remember another side-channel vulnerability that surfaced recently, Hertzbleed, which infers cryptographic key material from the processor's power-dependent frequency scaling, observable as timing differences, thereby opening the door to stealing the keys. Although the method was not new, the additional options it offered alongside other vulnerabilities exploited in similar ways raised the alarm. The researchers have also published a demonstration video of Retbleed.

Source: Muy Computer
