Recon 2022

Enrico Barberis

Enrico is a Ph.D. candidate at VUSec. His current research focuses on microarchitectural attacks and all intrinsic threats introduced by hardware design flaws. In his recent works, he disclosed microarchitectural vulnerabilities such as Floating Point Value Injection and Branch History Injection.


Sessions

06-05, 14:00, 60 min
A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data
Pietro Frigo, Enrico Barberis

Back in 2018 when Spectre was found, you could exploit its second and most dangerous variant (Spectre-v2) to easily leak arbitrary data across privilege levels. As a result, OS developers initially deployed various stopgap software mitigations—with non-negligible performance overhead. Luckily, Intel and Arm released more efficient hardware defenses, which are now the de facto solutions on every modern system.

In this talk, we introduce "Branch History Injection" (BHI): a new attack primitive that bypasses Intel's eIBRS and Arm's CSV2 hardware mitigations against cross-privilege Spectre-v2 attacks. In particular, we will discuss our black-box reverse engineering approach to these complex mitigations, sharing both the successful and failed attempts towards understanding their inner workings. We will then use BHI to build an end-to-end exploit leaking arbitrary kernel memory on fully patched Intel 11th gen CPUs. Finally, we will conclude by describing the latest Spectre defense deployed after our BHI disclosure, showing how software and hardware can mitigate these new attacks.

Grand Salon