Researchers at IBM and VU Amsterdam have developed a new attack that exploits speculative execution mechanisms in modern computer processors to bypass checks in operating systems against what are known as race conditions.
The attack leverages a vulnerability (CVE-2024-2193) that the researchers found affecting Intel, AMD, ARM, and IBM processors. It works against any operating system, hypervisor, and software that implements synchronization primitives — or integrated controls against race conditions. The researchers have dubbed their attack “GhostRace” and described it in a technical paper released this week.
“Our key finding is that all the common synchronization primitives can be microarchitecturally bypassed on speculative paths, turning all architecturally race-free critical regions into speculative race conditions (SRCs),” the researchers said.
Speculative Execution Bugs Persist Despite Scrutiny
A race condition, as the researchers explain in their paper, can arise when two or more processes, or threads, try to access a shared computing resource — such as memory locations or files — at the same time. It’s a relatively common cause for data corruption and vulnerabilities that lead to memory information leaks, unauthorized access, denial of service, and security bypass.
To mitigate against the issue, operating system vendors have implemented what are known as speculative primitives in their software that control and synchronize access to shared resources. The primitives, which go by names such as “mutex” and “spinlock,” work to ensure that only one thread can access or modify a shared resource at a time.
What the researchers from IBM and VU Amsterdam discovered was a way to bypass these mechanisms by targeting the speculative execution or out-of-order processing feature in modern processors. Speculative execution basically involves a processor predicting the outcome of certain instructions and executing them ahead of time instead of executing them in the order received. The goal is to speed up processing time by having the processor work on subsequent instructions even while waiting for the result from previous instructions.
Speculative execution burst into the spotlight in 2017 when researchers discovered a way to exploit the technique to access sensitive information in system memory — such as passwords, encryption keys, and emails — and use that data for further attacks. The so-called Spectre and Meltdown vulnerabilities affected virtually every modern microprocessor and prompted a review of microprocessor architecture that in many ways is still ongoing.
As part of an effort to help microprocessor designers and other stakeholders better secure processors against vulnerabilities such as Spectre and Meltdown, MITRE in February 2024 rolled out four new common weakness enumerators (CWE) that describe and document different microprocessor weaknesses.
A New Spin on a Known Exploit
The attack that the IBM and VU Amsterdam researchers developed relies on conditional branch speculation similar to a type of Spectre attack. “Our key finding is that all the common (write-side) primitives (i) lack explicit serialization and (ii) guard the critical region with a conditional branch,” the researchers said. In other words, they found that when the synchronization primitives use a conditional “if” statement to control access to a shared resources, they are vulnerable to a speculative execution attack.
“In an adversarial speculative execution environment, i.e., with a Spectre attacker mistraining the conditional branch, these primitives essentially behave like a no-op,” they noted. “The security implications are significant, as an attacker can speculatively execute all the critical regions in victim software with no synchronization.”
In a blog post, the researchers noted that they have informed all major hardware vendors of their discovery, and the vendors have, in turn, notified all affected operating system and hypervisor vendors. All the vendors acknowledged the issue, the researchers said.
In an advisory, AMD recommended that software developers follow its previously published guidance on how to protect against Spectre type attacks.
