Spectre and Meltdown variant 4: Microsoft, Google and Intel reveal new Speculative Store Bypass chip vulnerability


Just when you thought you could forget about the Spectre and Meltdown chip vulnerabilities, yet another variant has been discovered. Known as Speculative Store Bypass, the vulnerability affects chips from AMD and Intel, as well as Power 8, Power 9 and System z processors.

The vulnerability has been assigned CVE-2018-3639, and successful exploitation would allow an attacker to read data they should not have access to. The attack can be carried out through a "language-based runtime environment" such as JavaScript. Some patches exist while others are in development, and, like the patches for the previous vulnerabilities, they carry a performance hit.


In the US Computer Emergency Readiness Team entry for the vulnerability, Variant 4 is described as potentially "allow[ing] an attacker to obtain access to sensitive information on affected systems" or "to read older memory values in a CPU's stack or other memory locations". As was the case with Meltdown and Spectre, Intel is keen to downplay Variant 4, saying: "we have not seen any reports of this method being used in real-world exploits."

Intel also says that mitigations that have already been released for Variant 1 of the vulnerability should make Variant 4 much harder to exploit. The company also points out that it has issued patches to OEMs, but Speculative Store Bypass protection is disabled by default. With the setting enabled, there is a 2-8 percent performance hit.
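Because the protection ships disabled by default, the first thing to check on a patched Linux host is what the kernel actually reports. The following is an added example (not from the article, Intel or Microsoft) that classifies the one-line status the kernel exposes at /sys/devices/system/cpu/vulnerabilities/spec_store_bypass; the sample lines are constructed in the kernel's wording, and the interpretation of "via prctl" / "via prctl and seccomp" as opt-in modes is this example's own reading of the kernel's behaviour.

```python
"""Classify the Linux kernel's Speculative Store Bypass (CVE-2018-3639) status."""
import re
from pathlib import Path

# sysfs file added by the kernel's SSB mitigation; absent on older kernels.
SYSFS_SSB = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")

# Constructed sample lines in the format the kernel uses; a real host prints one.
SAMPLES = {
    "patched-forced": "Mitigation: Speculative Store Bypass disabled",
    "patched-optin": "Mitigation: Speculative Store Bypass disabled via prctl",
    "patched-seccomp": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "unpatched": "Vulnerable",
    "immune": "Not affected",
}

def classify_ssb(status_line: str) -> dict:
    """Return {'state', 'opt_in', 'covers_all_processes'} for one sysfs line.

    state: 'not_affected', 'vulnerable', 'mitigated' or 'unknown'.
    opt_in: the mechanism a process must use to get the protection
    ('prctl' or 'prctl and seccomp'), or None when it applies system-wide.
    """
    line = status_line.strip()
    if line == "Not affected":
        return {"state": "not_affected", "opt_in": None, "covers_all_processes": True}
    if line == "Vulnerable":
        return {"state": "vulnerable", "opt_in": None, "covers_all_processes": False}
    m = re.fullmatch(r"Mitigation: Speculative Store Bypass disabled(?: via (.+))?", line)
    if not m:
        # Wording we do not recognise (e.g. a newer kernel): do not guess.
        return {"state": "unknown", "opt_in": None, "covers_all_processes": False}
    via = m.group(1)
    if via is None:
        # Store bypass is disabled for every process (the 2-8 percent cost applies everywhere).
        return {"state": "mitigated", "opt_in": None, "covers_all_processes": True}
    # Only processes that opt in via prctl (or are seccomp-confined) are protected;
    # a JIT host that never opts in still runs with store bypass enabled.
    return {"state": "mitigated", "opt_in": via, "covers_all_processes": False}

def host_status() -> dict:
    """Classify the running host; 'unknown' when the kernel exposes no status."""
    if not SYSFS_SSB.exists():
        return classify_ssb("")
    return classify_ssb(SYSFS_SSB.read_text())

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15} {line!r} -> {classify_ssb(line)}")
    print("this host:", host_status())
```

A result of `opt_in` set to "prctl" means the kernel is patched but a process such as a browser or other JIT host is protected only if it has asked for it.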

Jann Horn from Google's Project Zero was the person who discovered the bug. He explains his findings:

I noticed that Intel's Optimization Manual says in section 2.4.4.5 ("Memory Disambiguation"):

"A load instruction micro-op may depend on a preceding store. Many microarchitectures block loads until all preceding store addresses are known.

The memory disambiguator predicts which loads will not depend on any previous stores. When the disambiguator predicts that a load does not have such a dependency, the load takes its data from the L1 data cache.

Eventually, the prediction is verified. If an actual conflict is detected, the load and all succeeding instructions are re-executed."

According to my experiments, this effect can be used to cause speculative execution to continue far enough to execute a Spectre-style gadget on a pointer read from a memory slot to which a store has been speculatively ignored.

In an announcement about the newly discovered vulnerability, Microsoft says:

An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.

At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.

As with the previous vulnerabilities, it will not be possible to fully eliminate the problems without at least some side-effects. The only real solution is a complete chip redesign, and that's not going to happen any time soon -- and it would do nothing to help the millions of older chips that remain affected.


© 1998-2018 BetaNews, Inc. All Rights Reserved.