Computer science researchers at the University of Virginia School of Engineering and University of California, San Diego, jointly published a paper (PDF) outlining new Spectre variants that they say affects “billions” of AMD and Intel PCs. The researchers also say they are immune to all existing hardware and software mitigations, and worse yet, potential fixes would have a major impact on system performance.
“In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty. The difference with this attack is you take a much greater performance penalty than those previous attacks,” said Logan Moody, one of the researchers.
A series of CPU exploits dubbed Meltdown and Spectre caused quite a bit of ruckus three years ago, and had AMD, Intel, and Microsoft scrambling to issue patches through firmware and software updates.
Spectre gets its name from the exploit using a CPU’s speculative execution and branch prediction capabilities, which are optimization techniques that play an important role in performance. Using these techniques, modern processors predict instructions they might run to get a head start and speculatively executes them. If the prediction is correct, a program will have access to the code. And if not, the instructions get dumped.
A Spectre attack leverages a mis-prediction to trick a CPU into running code on the wrong path, thereby allowing an attacker to read secrets from a processor’s memory. That’s not good.
For the most part, fixes have been in place for quite some time now. However, researchers from the two universities say they have discovered a “new line of attack that breaks all Spectre defenses.” Specifically, by spying on data when a CPU taps into its micro-ops cache.
“Think about a hypothetical airport security scenario where TSA lets you in without checking your boarding pass because (1) it is fast and efficient, and (2) you will be checked for your boarding pass at the gate anyway,” said Ashish Venkat, an assistant professor or led the researcher. “A computer processor does something similar. It predicts that the check will pass and could let instructions into the pipeline.”
“Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline, but this might be too late because those instructions could leave side-effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password,” Venkat added.
Existing mitigations against Spectre focus on later stages of speculative execution, which is why these new variants are unaffected by them. And unfortunately, disabling the micro-op cache or doing away with speculative execution would have a major negative impact on performance.
For that reason, the researchers say it is “really unclear how to solve the problem” without severely degrading a CPU’s performance level. They also maintain it will be “much harder to fix” than previous exploits.
“Intel’s suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute,” Venkat said. “But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel.”
The silver lining is that targeting low-level cache is not particularly easy. As our friends at Tom’s Hardware point out, this would entail bypassing other hardware and software security measures. A hacker would have to really motivated to go this route, as well as skilled, likely making this more of a concern for high level targets than the public at large.
AMD and Intel have been informed of the findings, but have not yet issued any patches or statements.