Unveiling SLAM: The New Threat to Modern CPUs and How Vendors are Responding
The Threat of 'SLAM'
A newly disclosed transient-execution side-channel attack called 'SLAM' targets a hardware feature of modern CPUs, and in particular the upcoming processors that Intel, AMD, and Arm plan to ship with that feature.
SLAM was discovered by academic researchers in the Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam, who named it after its mechanism: Spectre based on LAM (Linear Address Masking).
SLAM is closely related to Spectre BHI (Branch History Injection), a recent Spectre variant. It abuses a memory-management feature that lets software store metadata in the untranslated upper bits of a 64-bit linear address, bits that the CPU ignores when it translates the address.
Using this metadata feature, SLAM mounts a transient execution attack that can expose sensitive data held in memory. Each vendor implements the feature in its own way and under its own name: Intel calls it Linear Address Masking (LAM), AMD calls it Upper Address Ignore (UAI), and Arm calls it Top Byte Ignore (TBI).
The researchers found that SLAM poses a real threat to future chips that ship such a feature. The root cause is the lack of strong canonicality checks in these designs: although LAM, UAI, and TBI are meant to aid memory management and memory-safety schemes such as pointer tagging, relaxing the canonicality check creates exploitable microarchitectural race conditions.
Impact on Current and Future Processors
SLAM is a concern for some CPUs already in use and for processors still in development. The research indicates that existing AMD processors are already susceptible to the side-channel attack, allowing a local attacker to leak sensitive information from memory.
The situation is more serious for the future CPUs now being designed with LAM (Linear Address Masking), UAI (Upper Address Ignore), or TBI (Top Byte Ignore). Those features are added to improve memory management and support memory-safety schemes, but as implemented they introduce the microarchitectural race conditions that SLAM exploits, so these chips are also at risk.
The attack is also potent in practice: the researchers show that it can leak the root password hash from kernel memory within minutes. By exploiting the untranslated address bits of 64-bit linear addresses, SLAM sidesteps the canonicality check that currently limits which Spectre gadgets can leak. This is why the researchers urge vendors to revisit the security of CPU designs still in development before they ship.
Response from CPU Vendors
Intel, AMD, and Arm have each responded to the SLAM disclosure, and all three have acknowledged the potential threat to their current and future products.
Intel plans to provide software guidance before releasing CPUs that support LAM, and is considering shipping LAM together with Linear Address Space Separation (LASS). LASS prevents speculative address accesses across the user/kernel boundary, which closes the cross-privilege path that SLAM relies on.
Linux kernel developers have also acted. Until further guidance from CPU vendors is available, they have merged patches that disable LAM by default, a cautious stopgap against SLAM.
Arm has published a security advisory that informs customers about the implications of SLAM and how to manage them.
AMD has issued no new guidance or updates. It points to its existing Spectre v2 mitigations, which it says should adequately address the attack described by the VUSec researchers.
Disclosure and Demonstration
The researchers have published a technical paper that describes how SLAM works and its impact, including how the attack uses a new transient execution technique that exploits a previously unexplored class of Spectre disclosure gadgets: those involving pointer chasing.
In this context, gadgets are instruction sequences in existing software that an attacker can steer into speculative execution so that they operate on sensitive data. The architectural results of that speculative execution are discarded, but it leaves microarchitectural traces, such as changes to cache state, from which the attacker can infer the data, whether it belongs to another program or to the operating system itself.
Specifically, SLAM targets unmasked gadgets: gadgets that use secret data as a pointer. Such gadgets are common in software and, on a CPU with relaxed canonicality checks, can be exploited to leak arbitrary ASCII kernel data. The researchers built a scanner that found hundreds of such exploitable gadgets in the Linux kernel.
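Why relaxed canonicality checks turn ordinary text in kernel memory into something a pointer-chasing gadget will dereference can be made concrete with a small model. The following C program is an added illustration for the two passages above (the metadata bits and canonicality check, and unmasked gadgets that use secret data as a pointer); it is not code from the VUSec paper or their released tooling. It compares the classic x86-64 canonicality rule with an assumed, simplified LAM48 rule (bits 62:48 ignored, bit 63 must equal bit 47); the `secret` string is constructed sample data, and the program performs no speculative execution or cache measurement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified models of the canonicality check a CPU applies to a 64-bit
 * linear address before a load. Both ignore 5-level paging and the
 * supervisor-mode LAM variant; PLAIN48 stands for a CPU with no
 * address-masking feature at all.
 */
enum addr_model {
    MODEL_PLAIN48, /* 4-level paging, no masking: bits 63:47 must be identical */
    MODEL_LAM48    /* Intel LAM, 48-bit user VA, assumed model: bits 62:48 are
                      metadata and only bit 63 == bit 47 is required */
};

/* True when bits hi..lo of v are all zero or all one. */
static bool bits_identical(uint64_t v, int hi, int lo)
{
    uint64_t width_mask = (1ULL << (hi - lo + 1)) - 1;
    uint64_t field = (v >> lo) & width_mask;
    return field == 0 || field == width_mask;
}

/*
 * Would a load from addr pass the canonicality check, so that a
 * speculative dereference proceeds instead of being cut short?
 */
bool load_proceeds(enum addr_model m, uint64_t addr)
{
    switch (m) {
    case MODEL_PLAIN48:
        return bits_identical(addr, 63, 47);
    case MODEL_LAM48:
        return ((addr >> 63) & 1) == ((addr >> 47) & 1);
    }
    return false;
}

/*
 * A pointer-chasing gadget that executes load(*p) treats whatever 8 bytes
 * sit at p as a little-endian pointer; do the same here.
 */
uint64_t bytes_as_pointer(const unsigned char *b)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/*
 * Slide an 8-byte window over in-memory data and count the windows that
 * form an address the model would dereference. For printable ASCII (bit 7
 * of every byte clear) bit 63 and bit 47 are always 0, so every window
 * passes under LAM48, while none passes under PLAIN48 because bits 62:48
 * hold non-zero ASCII bytes.
 */
size_t count_dereferenceable_windows(enum addr_model m,
                                     const unsigned char *data, size_t len)
{
    size_t n = 0;
    if (len < 8)
        return 0;
    for (size_t i = 0; i + 8 <= len; i++)
        if (load_proceeds(m, bytes_as_pointer(data + i)))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a fake crypt(3)-style hash as it might sit in
     * kernel memory. Not a real credential. */
    const unsigned char secret[] = "$6$saltsalt$c0nstructedHASHvalue000";
    size_t len = sizeof(secret) - 1;

    printf("windows dereferenceable without masking: %zu of %zu\n",
           count_dereferenceable_windows(MODEL_PLAIN48, secret, len), len - 7);
    printf("windows dereferenceable under LAM48:      %zu of %zu\n",
           count_dereferenceable_windows(MODEL_LAM48, secret, len), len - 7);

    /* An ordinary kernel pointer passes in both models; a value with bit 47
     * set while bit 63 is clear fails even under LAM48. */
    printf("0xffff888012345678: plain=%d lam48=%d\n",
           load_proceeds(MODEL_PLAIN48, 0xffff888012345678ULL),
           load_proceeds(MODEL_LAM48, 0xffff888012345678ULL));
    printf("0x0000800000001000: plain=%d lam48=%d\n",
           load_proceeds(MODEL_PLAIN48, 0x0000800000001000ULL),
           load_proceeds(MODEL_LAM48, 0x0000800000001000ULL));
    return 0;
}
```

The point of the model is the asymmetry it exposes: without masking, a gadget that loads through secret text faults on a non-canonical address before anything observable happens, whereas under the assumed LAM48 rule every 8-byte window of ASCII data is a dereferenceable user address. Whether the resulting access actually leaks still depends on what the attacker has mapped at that address and on the cache side channel, neither of which this program models.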
Alongside the paper, the researchers have released the SLAM code on VUSec's GitHub repository, together with a video of the exploit leaking the root password hash from kernel memory. The scenario is a local one: the attacker must already be able to run code on the target system, from which they trigger the unmasked gadgets and measure their microarchitectural side effects to recover secrets such as password hashes or encryption keys from kernel memory.