New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep

The vulnerability, dubbed SWAPGS, is an undetectable threat to data security, similar in some respects to Spectre and Meltdown.

Dark Reading logo in a gray background | Dark Reading

Bogdan Botezatu, director of threat research at BitDefender, leans across the table in a hotel lobby coffee shop to make his point. "When you're a CISO, there is no single of vulnerability you're aware of that doesn't keep you awake at night." The new vulnerability his team of researchers found — the vulnerability they will reveal in a press conference this evening — is one that he says should definitely contribute to CISO insomnia.

The new vulnerability, dubbed SWAPGS by the BitDefender research team, is a speculative execution vulnerability that Botezatu says is similar in some respects to Spectre and Meltdown. "What we have done is to manipulate this instruction called SWAPGS in order to sample information from the realm of the operating system memory into the user space," he explains.

SWAPGS is an instruction that swaps the contents of a particular register with the contents of a specific memory location. The instruction is defined as a privileged instruction that should be available only to system software, such as a hypervisor. One of the things that makes the instruction dangerous when exploited is that it can provide rapid access to certain data structures used by the operating system kernel.

When the instruction is manipulated, Botezatu says, "This can lead to all sorts of trouble like leaking out information about passwords, encryption, keys, tokens, authentication, cookies, and other sensitive information that goes through the processor."

Like many of the other speculative execution exploits that have been found, SWAPGS doesn't allow the attacker to manipulate the data being stored in the memory location — it only allows for the contents of that memory location to be monitored. "You just poke the memory, and run a time-based attack. If it's something interesting, it's fine. If not, you have just lost 20 seconds and you need to go back to square one," Botezatu explains.

As with most of the other speculative execution attacks, Botezatu sees SWAPGS as something that could be a tool for patient nation-state actors, not finance-focused criminals. Criminal actors, he says, can simply launch repeated phishing attacks to get the information that might become available through SWAPGS.

Still, he points out, a speculative execution attack like SWAPGS is dangerous because it bypasses hardware-based protection and is undetectable by normal security packages. Furthermore, while BitDefender followed responsible disclosure and Microsoft has issued a Window patch for the vulnerability, Botezatu says, "We know that in enterprises, patch adoption is not something that happens overnight. That can take anywhere from one to 180 days, if you're lucky."

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights