New SLAM Side Channel Attack Exposure: Intel, AMD, and Arm Processors Facing Security Threats

The core of SLAM attacks is to analyze the small time differences that occur when the processor stores and loads data. These time differences can reveal the location and content of data in memory, giving attackers the opportunity to steal sensitive information. This timing attack mainly uses hardware features related to processor security to obtain the hash of the administrator password from kernel memory.

Intel, AMD, and Arm processors are widely used in various devices and systems worldwide, including personal computers, servers, mobile devices, and IoT devices. These processors have certain time differences when storing and loading data, and SLAM attacks exploit these time differences to steal data. This means that any device or system using these processors may face security threats.

For users, this means that their devices and systems may have security vulnerabilities that attackers can exploit to steal sensitive information, including personal data, passwords, and keys. Manufacturers need to take measures to prevent such attacks, including improving processor design and updating firmware and software.

In response to this new type of SLAM side channel attack, processor manufacturers need to take measures to enhance the security of their products. This includes optimizing processor design to reduce time differences when storing and loading data, updating firmware and software to detect and prevent SLAM attacks, and providing fixes to help users protect their devices and systems.

The three chip manufacturers implement this hardware feature in different ways and under different names. Intel calls it Linear Address Masking (LAM), AMD calls it Upper Address Ignore (UAI), and Arm calls it Top Byte Ignore (TBI).

The main function of LAM, UAI, and TBI is to accelerate the physical memory security and RAM management of the CPU.

SLAM exploits the above features, under which the untranslated bits of a 64-bit linear address can hold kernel metadata. The attack uses a new transient execution technique that looks for a class of unmasked instruction sequences in program code, known as "gadgets".
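How the address bits that LAM, UAI and TBI leave untranslated can carry metadata, as an added Python model that is not from the article or the VUSec research. The bit ranges follow the vendors' public feature descriptions rather than this page, the model is simplified, and `USER_BUF` is a constructed sample address.

```python
MASK64 = (1 << 64) - 1

# Simplified model. name: (lowest ignored bit, highest ignored bit)
# Bit ranges are assumptions taken from vendor documentation, not from this page.
SCHEMES = {
    "LAM_U57": (57, 62),  # Intel LAM, 5-level paging layout: 6 metadata bits
    "LAM_U48": (48, 62),  # Intel LAM, 4-level paging layout: 15 metadata bits
    "UAI": (57, 63),      # AMD UAI: 7 metadata bits
    "TBI": (56, 63),      # Arm TBI: the top byte, 8 metadata bits
}

def ignored_mask(scheme):
    """Bit mask of the address bits the hardware does not translate."""
    lo, hi = SCHEMES[scheme]
    return ((1 << (hi - lo + 1)) - 1) << lo

def tag(addr, metadata, scheme):
    """Store metadata in the ignored bits of a 64-bit address."""
    lo, hi = SCHEMES[scheme]
    if metadata >> (hi - lo + 1):
        raise ValueError("metadata does not fit in the ignored bits")
    return (addr & ~ignored_mask(scheme) & MASK64) | (metadata << lo)

def effective_address(ptr, scheme):
    """Address that gets translated: ignored bits become copies of the bit below them."""
    lo, _ = SCHEMES[scheme]
    mask = ignored_mask(scheme)
    sign = (ptr >> (lo - 1)) & 1
    return (ptr | mask) if sign else (ptr & ~mask & MASK64)

def is_canonical(addr, va_bits=48):
    """Rule without these features (48-bit x86-64): bits 63..47 must all be equal."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1

USER_BUF = 0x00007F1234567000  # constructed sample user-space address

if __name__ == "__main__":
    for name in SCHEMES:
        lo, hi = SCHEMES[name]
        tagged = tag(USER_BUF, 0x2A, name)
        print(f"{name:8} bits {hi}:{lo} tagged={tagged:#018x} "
              f"canonical_without_feature={is_canonical(tagged)} "
              f"effective={effective_address(tagged, name):#018x}")
```

With the feature off, the tagged value fails the canonical-address check and cannot be dereferenced; with it on, the same value resolves to the original address.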

The attacker needs to use the target system code that communicates with these devices, and then apply a series of algorithms to extract sensitive information from kernel memory, such as administrator passwords and other encryption keys.

Researchers successfully executed SLAM attacks on systems with Intel Core i9-13900K processors and AMD Ryzen 7 2700X processors.

VUSec researchers claim that most current and future processors from these three global manufacturers are unable to withstand SLAM attacks:

Existing AMD processors confirmed to have the CVE-2020-12965 vulnerability;

Future Intel Sierra Forest, Grand Ridge, Arrow Lake, and Lunar Lake processors that support LAM;

Future AMD processors that support UAI and 5-level memory paging;

Future Arm processors with TBI support and 5-level memory paging.

There is currently no effective patch for this vulnerability, and major Linux distributions can temporarily mitigate risks by disabling LAM.

Arm believes that there is no need to take further action against SLAM.

AMD claims that its previous mitigation measures against Spectre V2 vulnerabilities can also prevent SLAM attacks. Intel recommends that customers deploy this feature together with the Linear Address Space Separation (LASS) extension to prevent such kernel access.

Time: 2023-12-11
Recently, a new side channel attack technique, SLAM (Store and Load Addressed Memory), has been disclosed, which can pose a serious security threat to Intel, AMD, and Arm processors. This attack exploits information leaked by the processor when storing and loading data. By analyzing these leaks, the attacker can infer the data stored in memory and steal sensitive information.