Retbleed hardware-level flaw brings overhead woe to Intel and AMD

Researchers at ETH Zurich have discovered a serious hardware vulnerability in Intel and AMD microprocessors, affecting all Linux operating systems that use the affected chips.

Doctoral student Johannes Wikner and assistant professor Kaveh Razavi discovered the vulnerability, and dubbed it ‘Retbleed’. This name stems from the vulnerability's methodology, exploiting the messy way that processors handle return instructions, which occur after a function has been executed. In a blog post

By hijacking speculative execution processes, Retbleed can leak kernel memory from Intel and AMD CPUs, as well as the root password hash for Linux systems using the affected CPUs. Any system using an Intel CPU from generations 6-8, or AMD Zen1, Zen1+ and Zen2 is likely affected.

To end, Retbleed represents a very widespread and severe threat to the security of hardware to the majority of business PCs, given the vast market share enjoyed by both Intel and AMD.

Speculative execution is used to access computational steps before it has been confirmed that they are necessary for the process; in effect, the processor ‘guesses’ what might be needed before finishing the chain of instructions to speed things up and improve its overall power. Unneeded speculative calculations are discarded, but leave a trace in the cache that hackers can use as a backdoor. This can be used to gain access to information in the memory, which could be highly sensitive.

In this way, Retbleed is similar to Spectre, which was discovered in 2018 and caused widespread alarm in the computing world. Although Intel and AMD have since mitigated Spectre, how they did this led to reliance on the exact construct that Retbleed now exploits.

To shield the indirect jumps utilised by many processors, a construct known as Retpoline is utilised, to favour the use of returns. When this was implemented, it was widely believed that returns were not a valid vector of attack, a belief that Retbleed has now disproven.

"Since the mitigation measures taken so far did not take the return instructions into account, most existing microprocessor computer systems are vulnerable to 'Retbleed'," Razavi stated.

Affected manufacturers were made aware of the vulnerability before the general public. They have already taken steps to identify the weaknesses within their processors and enact mitigation measures, with Intel having already released a technical advisory on the subject. Hardware vulnerabilities are not always easily remedied, and can prove next to impossible to patch altogether.

In a statement to IT Pro, Intel offered information on the steps they have taken to protect users:

"Intel worked with our industry mitigation partners, the Linux community and VMM vendors to make mitigations available to customers. Windows systems are not affected as they already have these mitigations by default."

Unfortunately, the researchers have said that mitigations are expensive to implement, with a 14-39% predicted overhead for AMD and Intel patches. As with the hardware-based flaws before it, Retbleed is already proving a costly and troublesome exploit. Additionally, current mitigations can lead to performance costs, with increased security on microprocessor decisions on return destinations decreasing overall efficiency. The researchers claim to have seen up to a 28% hit in performance as a result.

Its discoverers are due to present a paper on their findings at the 2022 USENIX Security Conference, on August 12.