GhostRace Speculative Attack Threatens Intel, AMD, Arm, and IBM Processors

GhostRace Speculative Attack Threatens Major Processor Manufacturers

A team of researchers has developed a new side-channel attack called GhostRace, which can trigger data leaks on modern processors. The issue affects not only Intel, AMD, ARM, and IBM processors that support speculative execution, but also popular software.

Experts from IBM and Vrije Universiteit Amsterdam describe GhostRace (CVE-2024-2193) as a speculative race condition (SRC). This type of attack allows potential extraction of confidential information from memory, such as passwords and encryption keys. However, carrying out the attack requires physical or privileged access to the target machine, making practical exploitation quite challenging.

According to the researchers’ report, a race condition occurs when multiple threads simultaneously try to access a shared resource, which can lead to vulnerabilities that may be exploited in various ways, including arbitrary code execution, bypassing security measures, and data extraction. Modern operating systems use synchronization primitives to prevent such situations, but the researchers’ analysis showed that race conditions can be combined with speculative execution.

“Our main finding is that all common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths via a Spectre v1 attack (CVE-2017-5753), triggering speculative race conditions (SRC) in all critical race-free regions, which allows attackers to extract information from target software,” the researchers explained in their blog post.

How the GhostRace Attack Works

To carry out the attack and “win” the speculative race, the victim process must be interrupted at the right moment and held, allowing the attacker to perform what the researchers call a SCUAF attack (Speculative Concurrent Use-After-Free).

For this purpose, the researchers used a new attack technique called Inter-Process Interrupt (IPI) Storming, which involves overwhelming the CPU core of the target process. They demonstrated a SCUAF attack on the Linux kernel, resulting in kernel memory leaks at a rate of 12 kilobytes per second.

Although the research focused on x86 architectures and Linux, the experts stated that products from other vendors and software beyond Linux are also vulnerable.

“In general, any software—such as an operating system, hypervisor, etc.—that implements synchronization primitives via conditional branches without any serializing instruction and runs on any microarchitecture (e.g., x86, ARM, RISC-V, etc.) that allows speculative execution of conditional branches is vulnerable to SRC,” the researchers said.
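As an added illustration (not code from the researchers or the page) of the pattern described in the two quoted passages: a test-and-set spinlock whose acquisition ends in a conditional branch, the hardened form with a serializing instruction after the acquire, and a small lock-protected free/use pair in the SCUAF shape. SPEC_BARRIER and the shared_* helpers are hypothetical names introduced here.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* SPEC_BARRIER is a hypothetical helper for this example: a serializing lfence
 * on x86-64, elsewhere a plain fence that keeps the code portable but does not
 * stop speculation (AArch64 would use a dsb/isb pair instead). */
#if defined(__x86_64__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() atomic_thread_fence(memory_order_seq_cst)
#endif
typedef struct { atomic_int held; } spinlock_t;
/* Plain test-and-set lock. The loop exit is a conditional branch, so the CPU
 * may predict "acquired" and start the critical region speculatively while
 * another core still holds the lock: the speculative race condition (SRC). */
static void spin_lock_plain(spinlock_t *l) {
    int expected = 0;
    while (!atomic_compare_exchange_weak(&l->held, &expected, 1)) expected = 0;
}
/* Hardened form: serialize right after the acquire, so nothing in the region
 * runs, even transiently, before the lock is architecturally taken. */
static void spin_lock_hardened(spinlock_t *l) {
    spin_lock_plain(l);
    SPEC_BARRIER();
}
static void spin_unlock(spinlock_t *l) {
    atomic_store_explicit(&l->held, 0, memory_order_release);
}
/* The SCUAF shape: one path frees a buffer, another reads it, both under the lock. */
typedef struct { spinlock_t lock; char *buf; size_t len; } shared_t;
static void shared_init(shared_t *s, const char *src) {
    atomic_init(&s->lock.held, 0);
    s->len = strlen(src); s->buf = malloc(s->len + 1);
    memcpy(s->buf, src, s->len + 1);
}
/* Returns 1 and stores the byte, or 0 when the buffer is gone or idx is out of range. */
static int shared_read(shared_t *s, size_t idx, char *out) {
    int ok = 0;
    spin_lock_hardened(&s->lock);
    if (s->buf != NULL && idx < s->len) { *out = s->buf[idx]; ok = 1; }
    spin_unlock(&s->lock);
    return ok;
}
static void shared_release(shared_t *s) {
    spin_lock_hardened(&s->lock);
    free(s->buf); s->buf = NULL; s->len = 0;
    spin_unlock(&s->lock);
}
```

The barrier only matters on the acquire side; the plain lock is architecturally correct, which is exactly why conventional testing never surfaces the transient window.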

Industry Response and Mitigations

Engineers from Intel, AMD, Arm, and IBM were notified about the GhostRace issue at the end of 2023, and they, in turn, informed OS and hypervisor vendors.

This week, AMD published a security bulletin informing customers that previous guidance for mitigating Spectre-class attacks should also help prevent GhostRace attacks.

The developers of the Xen hypervisor also issued an advisory and developed a protective mechanism. Although they confirmed that technically all versions of Xen are affected by GhostRace, the project's code contains no gadgets exploitable by GhostRace, so the Xen security team does not consider urgent action necessary and the protective measures are disabled by default.

Linux developers have implemented a feature to limit IPI rates, which should protect against the related IPI Storming issue (Inter-Process Interrupt Storming, CVE-2024-26602), but have not taken further action due to potential performance concerns.

Tools and Resources

In addition to their blog post and technical paper, the researchers have already published a PoC exploit for GhostRace, scripts for scanning the Linux kernel for SCUAF gadgets, and a list of already identified problematic gadgets.
