The VUSec security researchers are at it again… The embargo is now lifted on another set of security vulnerabilities affecting Intel processors as well as Arm core designs. This new vulnerability is dubbed Training Solo.
Security researchers discovered that the domain isolation commonly used to mitigate Spectre Variant Two (Spectre-v2) vulnerabilities has multiple shortcomings across different CPU architectures. Making matters worse, Training Solo comprises three separate variants, and multiple mitigations are needed to cover them.
The ITS variant of Training Solo requires an Intel CPU microcode update as well as software mitigations in the Linux kernel and KVM. There's also a Training Solo variant affecting Intel Lion Cove cores that requires a separate mitigation approach. Lastly, the third variant also requires an Intel microcode update as well as Intel and Arm software patches to the Linux kernel.
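Since every variant above ends up as some combination of a microcode update and a kernel-side mitigation, the first thing an administrator will want after the patches land is a quick read of what the running kernel says it has applied. The following script is an added example, not code from the article, from VUSec, or from the kernel project. It assumes only two things that exist on current Linux kernels: the per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (each holding a one-line status that begins with "Not affected", "Vulnerable", "Mitigation:" or "Unknown") and the "microcode" field of /proc/cpuinfo. The article does not state which file name, if any, the kernel will use for the Training Solo variants, so the script lists every entry rather than assuming a name.

```shell
#!/bin/sh
# Added example (not from the article): summarise the mitigation status the
# Linux kernel reports for each speculative-execution issue it knows about,
# together with the loaded microcode revision, so a patched system can be
# checked after a kernel or microcode update.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE
# Maps one sysfs status line to a short class: unaffected, ok, vulnerable or
# unknown. The prefixes are the ones the kernel's bugs.c reporting uses.
classify_status() {
    case "$1" in
        "Not affected"*) printf 'unaffected\n' ;;
        "Mitigation:"*)  printf 'ok\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# microcode_revision CPUINFO_TEXT
# Prints the microcode revision of the first CPU from /proc/cpuinfo-style
# text (the line the kernel prints as "microcode<TAB>: 0x...").
microcode_revision() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }'
}

# report_vulnerabilities DIR
# Prints "<issue> <class> <raw status>" for every file in DIR and returns 1
# if at least one issue is classified as vulnerable, 0 otherwise.
report_vulnerabilities() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        [ "$class" = vulnerable ] && rc=1
        printf '%-32s %-10s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return $rc
}

# Only run the live report when the sysfs directory is actually present
# (it is absent in containers without /sys or on non-Linux systems).
if [ -d "$VULN_DIR" ]; then
    printf 'microcode revision: %s\n' "$(microcode_revision "$(cat /proc/cpuinfo)")"
    report_vulnerabilities "$VULN_DIR" || echo 'at least one issue is reported as vulnerable'
fi
```

Run it before and after applying a microcode or kernel update and diff the two outputs; a line that moves from "vulnerable" to "ok" confirms the kernel picked up the mitigation, while a changed microcode revision confirms the firmware side landed.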
The VUSec security paper going live today explains: “In this paper, we challenge this assumption and show that even perfect domain isolation is insufficient to deter practical attacks. To this end, we systematically analyze self-training Spectre-v2 attacks, where both training and speculative control-flow hijacking occur in the same (victim) domain. While self-training attacks are believed to be limited to the in-domain scenario—where attackers can run arbitrary code and inject their own disclosure gadgets in a (default-off) sandbox such as eBPF—our analysis shows cross-domain variants are possible in practice. Specifically, we describe three new classes of attacks against the Linux kernel and present two end-to-end exploits that leak kernel memory on recent Intel CPUs at up to 17 KB/sec. During our investigation, we also stumbled upon two Intel issues which completely break (user, guest, and hypervisor) isolation and re-enable classic Spectre-v2 attacks.”
I was only notified a short time in advance of today’s embargo lift on Training Solo, so I am still digging through the details myself. The Training Solo website for this vulnerability should be live now at VUSec.net. As Linux kernel patches and new Intel CPU microcode become available, I will be conducting some benchmarks on them to measure any new overhead associated with these additional security mitigations.