Submitted URL: https://t.co/wKuydfo5y9
Effective URL: https://arstechnica.com/information-technology/2022/07/intel-and-amd-cpus-vulnerable-to-a-new-speculative-execution-attack/
Submission: On July 12 via manual from US — Scanned from US

Retbleed —

New working speculative execution attack sends Intel and AMD scrambling

Both companies are rolling out mitigations, but they add overhead of 12 to 28 percent.

Dan Goodin - 7/12/2022, 4:00 PM

Some microprocessors from Intel and AMD are vulnerable to a newly discovered
speculative execution attack that can covertly leak password data and other
sensitive material, sending both chipmakers scrambling once again to contain
what is proving to be a stubbornly persistent class of vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it defeats
a software defense known as retpoline, which was introduced in 2018 to mitigate
the harmful effects of speculative execution attacks. Speculative execution
attacks, also known as Spectre, exploit the fact that when modern CPUs encounter
a direct or indirect branch, they predict where it will go and begin executing
instructions at the predicted address before the prediction is confirmed.
Spectre works by tricking the CPU into speculatively executing an instruction
that accesses sensitive data in memory that would normally be off-limits to a
low-privileged application. The CPU discards the results once it discovers the
misprediction, but traces of the access remain in microarchitectural state such
as the cache, and the attacker reads the data out through that side channel.


Is it a trampoline or a slingshot?

Retpoline works by using a series of return operations to isolate indirect
branches from speculative execution attacks, in effect erecting the software
equivalent of a trampoline that causes them to bounce somewhere harmless. Stated
differently, a retpoline replaces indirect jumps and calls with returns, which
many researchers presumed weren't susceptible because returns are predicted from
a separate structure, the return stack buffer, rather than from the branch
target buffer that an attacker poisons. The defense was designed to counter
variant 2 of the original speculative execution attacks from January 2018.
Known as branch target injection, or BTI, that variant trains the CPU's branch
predictor so that an indirect branch speculatively executes attacker-chosen
"gadget" code, which in turn leaks data through a side channel.
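To make that substitution concrete, here is a hand-written retpoline, added as an example for this page; it is not code from the article or from the Retbleed researchers. It assumes an x86-64 ELF target built with GCC or Clang (GNU assembler syntax); the names `retpoline_call` and `retpoline_thunk_rax` are this example's own, and on any other target the file falls back to a plain indirect call so it still builds, without the retpoline.

```c
/* Added example (not from the Ars article or the Retbleed researchers):
 * a minimal retpoline for x86-64 ELF, showing the indirect-call-to-return
 * conversion described in the text. Assumes GCC/Clang with GNU as syntax. */
#include <stdio.h>

typedef long (*target_fn)(long);

#if defined(__x86_64__) && defined(__ELF__)
/*
 * retpoline_call(fn, arg) calls fn(arg) without executing an indirect
 * call or jmp. The target pointer travels in %rax and is consumed by a
 * `ret`, exactly the substitution retpoline makes.
 *
 * Why it resists branch target injection: the `call 1f` in the thunk
 * pushes the address of the `pause; lfence; jmp` loop onto both the
 * stack and the return stack buffer (RSB). The `ret` is predicted from
 * the RSB, so speculation past it spins in that loop instead of running
 * at a target an attacker trained into the branch target buffer.
 * Architecturally the `ret` jumps to fn, because the stack slot was
 * overwritten with %rax just before.
 */
__asm__(
    ".pushsection .text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    movq %rdi, %rax\n"          /* rax = target function pointer      */
    "    movq %rsi, %rdi\n"          /* rdi = the target's first argument  */
    "    subq $8, %rsp\n"            /* keep the stack 16-byte aligned     */
    "    call retpoline_thunk_rax\n" /* would be `call *%rax` without retpoline */
    "    addq $8, %rsp\n"
    "    ret\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"                  /* push capture-loop address to stack and RSB */
    "2:  pause\n"                    /* mispredicted speculation lands here and spins */
    "    lfence\n"
    "    jmp 2b\n"
    "1:  movq %rax, (%rsp)\n"        /* replace pushed return address with real target */
    "    ret\n"                      /* architecturally: jump to fn; speculatively: loop */
    ".popsection\n"
);
long retpoline_call(target_fn fn, long arg);
#else
/* Fallback for other targets: an ordinary indirect call, no retpoline. */
long retpoline_call(target_fn fn, long arg) { return fn(arg); }
#endif

/* Two ordinary targets so the demo can switch the pointer at run time. */
long square(long x) { return x * x; }
long negate(long x) { return -x; }

int main(void)
{
    target_fn fns[] = { square, negate };
    for (int i = 0; i < 2; i++)
        printf("fn[%d](7) = %ld\n", i, retpoline_call(fns[i], 7));
    return 0;
}
```

GCC's `-mindirect-branch=thunk` emits this same sequence for every indirect call and jump in a compilation unit, which is how the kernel adopted retpolines wholesale. Two caveats: the fake return is incompatible with a hardware shadow stack (the `ret` pops a slot that no longer matches what the shadow stack recorded), and the construction only helps if the `ret` really is predicted from the RSB. As the rest of the article explains, Retbleed's finding is that on the affected CPUs, under certain conditions, it is not.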

Some researchers have warned for years that retpoline isn’t sufficient to
mitigate speculative execution attacks because the returns retpoline used were
susceptible to BTI. Linux creator Linus Torvalds famously rejected such
warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is
insufficient for preventing speculative execution attacks. Their Retbleed
proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake
microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.


“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions
as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While
it is possible to defend return instructions by adding a valid entry to the RSB
[return stack buffer] before executing the return instruction, treating every
return as potentially exploitable in this way would impose a tremendous
overhead. Previous work attempted to conditionally refill the RSB with harmless
return targets whenever a per-CPU counter that tracks the call stack depth
reaches a certain threshold, but it was never approved for upstream. In the
light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs
require a different strategy.”

In an email, Razavi explained it this way:

> Spectre variant 2 exploited indirect branches to gain arbitrary speculative
> execution in the kernel. Indirect branches were converted to returns using the
> retpoline to mitigate Spectre variant 2.
> 
> Retbleed shows that return instructions unfortunately leak under certain
> conditions similar to indirect branches. These conditions are unfortunately
> common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2)
> platforms. This means that retpoline was unfortunately an inadequate
> mitigation to begin with.

In response to the research, both Intel and AMD advised customers to adopt new
mitigations that the researchers said will add as much as 28 percent more
overhead to operations.
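Both vendors' mitigations land in the operating system, and on Linux the first check a practitioner wants is what the kernel itself reports. The following is an added example for this page, not code from the article; it assumes the Linux sysfs layout under /sys/devices/system/cpu/vulnerabilities/ (one file per bug, whose text begins "Not affected", "Mitigation:" or "Vulnerable"). The helper names are this example's own, and the sample lines it is exercised with are constructed in that format. The `retbleed` file only exists on kernels that carry the Retbleed fix, so a missing file means the host cannot be assessed, not that it is safe.

```c
/* Added example (not from the Ars article): classify the mitigation status
 * Linux reports under /sys/devices/system/cpu/vulnerabilities/. Sample
 * strings used with classify_status() are constructed in the kernel's
 * "Not affected" / "Mitigation: ..." / "Vulnerable..." format. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum mitigation_state {
    STATE_UNASSESSED,  /* file missing: kernel predates the fix for this bug */
    STATE_UNKNOWN,     /* text in a format this check does not understand   */
    STATE_NOT_AFFECTED,
    STATE_MITIGATED,
    STATE_PARTIAL,     /* mitigated, but the kernel flags SMT as still exposed */
    STATE_VULNERABLE
};

/* Classify one line of sysfs output. Only the prefix is trusted; the rest
 * of the line names the mechanism (retpoline, IBRS, return thunk, ...).
 * The kernel appends "; SMT ..." on some hosts; "SMT vulnerable" means the
 * sibling thread is still exposed even though a mitigation is active. */
enum mitigation_state classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)
        return STATE_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return strstr(line, "SMT vulnerable") ? STATE_PARTIAL : STATE_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        return STATE_VULNERABLE;
    return STATE_UNKNOWN;
}

/* Read one vulnerability file. Returns 1 with the line in buf, 0 if the
 * file does not exist, -1 on any other error. */
int read_vuln_file(const char *bug, char *buf, size_t n)
{
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", bug);
    FILE *f = fopen(path, "r");
    if (!f)
        return errno == ENOENT ? 0 : -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    if (!ok)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return 1;
}

/* Combine file presence and content into one verdict. Kept apart from the
 * file read so it can be exercised on constructed input. */
enum mitigation_state host_state(int read_rc, const char *line)
{
    if (read_rc == 0)
        return STATE_UNASSESSED;
    if (read_rc < 0)
        return STATE_UNKNOWN;
    return classify_status(line);
}

/* 1 when no action is needed for this bug, 0 when it needs attention
 * (vulnerable, partially mitigated, or not assessable on this kernel). */
int needs_no_action(enum mitigation_state s)
{
    return s == STATE_NOT_AFFECTED || s == STATE_MITIGATED;
}

int main(void)
{
    const char *bugs[] = { "retbleed", "spectre_v2" };
    for (size_t i = 0; i < 2; i++) {
        char line[256] = "";
        int rc = read_vuln_file(bugs[i], line, sizeof line);
        enum mitigation_state s = host_state(rc, line);
        printf("%-10s state=%d %s\n", bugs[i], (int)s,
               rc == 1 ? line : "(no sysfs entry on this kernel)");
        if (!needs_no_action(s))
            printf("  -> needs attention\n");
    }
    return 0;
}
```

Run it as an unprivileged user; the files are world-readable. Treat STATE_UNASSESSED as a finding in its own right: a kernel that predates the fix cannot have the new return thunk or IBRS-based mitigation the article describes, whatever the older spectre_v2 entry says.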

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second
and with 98 percent accuracy. The exploit can extract kernel memory from AMD
CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s
capable of locating and leaking a Linux computer’s root password hash from
physical memory in about 28 minutes when running the Intel CPUs and in about 6
minutes for AMD CPUs.

Retbleed works by using code that poisons the branch prediction unit (BPU) that
CPUs rely on to make their guesses. Once the poisoning is complete, the BPU
makes mispredictions that the attacker controls.

“We found that we can inject branch targets that reside inside the kernel
address-space, even as an unprivileged user,” the researchers wrote in a blog
post. “Even though we cannot access branch targets inside the kernel
address-space—branching to such a target results in a page fault—the Branch
Prediction Unit will update itself upon observing a branch and assume that it
was legally executed, even if it's to a kernel address.”

Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001

© 2022 Condé Nast. All rights reserved.