
Researchers Discover GhostRace Attack Impacting CPU Architectures with Speculative Execution

A team of researchers has recently disclosed a new data leakage attack that affects modern CPU architectures supporting speculative execution. The attack is called GhostRace (CVE-2024-2193), and it is a transient execution CPU vulnerability in the same family as Spectre v1 (CVE-2017-5753). GhostRace combines speculative execution with race conditions to let an unauthenticated attacker extract arbitrary data from the processor.

The researchers found that all common synchronization primitives implemented with conditional branches can be bypassed on speculative paths through a branch misprediction attack. This turns every architecturally race-free critical region into a Speculative Race Condition (SRC), which an attacker can use to leak information from the target. SRCs resemble classic race conditions in their characteristics and exploitation strategy, but they differ in one key respect: the attacker triggers the race on a transiently executed path originating from a mis-speculated branch, targeting a racy code snippet (a gadget) that ultimately discloses information to the attacker.

The researchers behind the Spectre attack noted in January 2018 that Spectre attacks are a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in memory, bypassing the isolation protections between applications. Speculative execution is a performance optimization used by most CPUs; Spectre attacks take advantage of erroneous predictions, which leave traces of the transient memory accesses or computations in the processor's caches.

GhostRace is notable because it enables an attacker to use race conditions to reach speculatively executed code paths and extract arbitrary data from the processor. The demonstrated technique is a Speculative Concurrent Use-After-Free (SCUAF) attack. A race condition arises when two or more threads or processes access the same shared resource without proper synchronization. This leads to inconsistent results and opens a window of opportunity in which an attacker can perform malicious actions.

It is therefore important to note that any software, such as an operating system or hypervisor, that implements synchronization primitives through conditional branches without a serializing instruction on that path, running on any microarchitecture that speculates past those branches, is vulnerable to GhostRace.
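The following is an added illustration of the code shape described above; it is not code from the GhostRace researchers, from any kernel, or from this article's author, and every name in it is hypothetical. It shows a minimal lock whose acquire path is a bare conditional branch on a compare-and-swap result, next to the same lock with a speculation barrier placed right after that branch, and a racy gadget in the SCUAF shape that both locks guard. The block cannot itself reproduce the leak (there is no branch-predictor training and no cache side channel here); it only makes the vulnerable and hardened patterns concrete.

```c
/* Added illustration (not code from the GhostRace paper or any kernel).
 * All names are hypothetical. Builds with a C11 compiler; the lfence is
 * only emitted on x86, elsewhere a compiler-only barrier keeps it compiling. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Speculation barrier: lfence on x86 serializes the path so the critical
 * region cannot execute transiently before the branch resolves. The
 * fallback is only a compiler barrier and does NOT stop speculation. */
static inline void spec_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

typedef struct { atomic_int held; } spinlock_t;

/* Vulnerable shape: only a conditional branch separates the lock check
 * from the critical region. If the predictor guesses "acquired", the CPU
 * transiently runs the region while another thread really holds the lock:
 * a speculative race condition. Returns 1 on success, 0 if already held. */
static int lock_try_acquire_racy(spinlock_t *l)
{
    int expected = 0;
    if (!atomic_compare_exchange_strong(&l->held, &expected, 1))
        return 0;          /* architecturally correct, speculatively bypassable */
    return 1;
}

/* Hardened shape: same logic, but a serializing instruction after the
 * branch stops the critical region from starting before the CAS outcome
 * is architecturally known. */
static int lock_try_acquire_fenced(spinlock_t *l)
{
    int expected = 0;
    if (!atomic_compare_exchange_strong(&l->held, &expected, 1))
        return 0;
    spec_barrier();
    return 1;
}

static void lock_release(spinlock_t *l) { atomic_store(&l->held, 0); }

/* Racy gadget in the SCUAF shape: one path tears down the shared object
 * under the lock, the other dereferences it under the lock. The lock orders
 * them architecturally; with the racy acquire, a mispredicted branch lets the
 * load below run transiently against an object mid-teardown. */
struct shared_obj { uint8_t secret[16]; };

/* Constructed sample data standing in for a kernel object: "ABCDEFGHIJKLMNOP". */
static struct shared_obj g_storage = { .secret = {
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
    0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50 } };
static struct shared_obj *g_obj = &g_storage;
static spinlock_t g_lock;   /* zero-initialized: not held */

/* Reader side. Returns 0 and the byte on success, -1 if the lock is held
 * elsewhere or the object is gone. `acquire` selects which lock variant. */
static int read_secret_byte(int (*acquire)(spinlock_t *), size_t idx, uint8_t *out)
{
    if (!acquire(&g_lock))
        return -1;
    /* ---- critical region ---- */
    if (g_obj == NULL || idx >= sizeof g_obj->secret) {
        lock_release(&g_lock);
        return -1;
    }
    *out = g_obj->secret[idx];   /* the load a transient path would leak */
    lock_release(&g_lock);
    return 0;
}

/* Teardown side: stands in for freeing the shared object under the lock. */
static int teardown_obj(int (*acquire)(spinlock_t *))
{
    if (!acquire(&g_lock))
        return -1;
    g_obj = NULL;
    lock_release(&g_lock);
    return 0;
}

int main(void)
{
    uint8_t b = 0;
    if (read_secret_byte(lock_try_acquire_fenced, 0, &b) == 0)
        printf("read byte 0x%02x under the fenced lock\n", b);
    teardown_obj(lock_try_acquire_fenced);
    printf("after teardown, read returns %d\n",
           read_secret_byte(lock_try_acquire_fenced, 0, &b));
    return 0;
}
```

Both lock variants are functionally identical, which is the point: the architectural semantics say nothing about what executes transiently, so a review of the lock's logic alone cannot tell the two apart. The practitioner's check is to look, in the compiled output, for what sits between the conditional branch on the lock state and the first load in the critical region, and to confirm that a serializing instruction appears there on every acquire path.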


Deitasoft © 2024. All Rights Reserved.