Spectre and Meltdown variant 4: Microsoft, Google and Intel reveal new Speculative Store Bypass chip vulnerability
Just when you thought you could forget about the Spectre and Meltdown chip vulnerabilities, yet another variant has been discovered. Known as Speculative Store Bypass, the vulnerability affects chips from AMD and Intel, as well as Power 8, Power 9 and System z processors.
In the US Computer Emergency Readiness Team entry for the vulnerability, Variant 4 is described as potentially "allow[ing] an attacker to obtain access to sensitive information on affected systems" or "to read older memory values in a CPU's stack or other memory locations". As was the case with Meltdown and Spectre, Intel is keen to downplay Variant 4, saying: "we have not seen any reports of this method being used in real-world exploits."
Intel also says that mitigations that have already been released for Variant 1 of the vulnerability should make Variant 4 much harder to exploit. The company also points out that it has issued patches to OEMs, but Speculative Store Bypass protection is disabled by default. With the setting enabled, there is a 2-8 percent performance hit.
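Because the protection ships disabled by default, a defender has to confirm its state on each system. The following is an added example, not code from Intel, Google or this article. It assumes a Linux 4.17+ kernel, whose `prctl` speculation-control interface is not mentioned on this page, and the helper names `ssb_decode` and `ssb_task_controllable` are hypothetical. It reports whether the current process is exposed to Speculative Store Bypass and opts that one process in to the mitigation when the kernel allows it.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Values from linux/prctl.h, defined here in case the headers are older. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS  0
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_EXPOSED, SSB_MITIGATED };

/* Decode the value returned by PR_GET_SPECULATION_CTRL (negative = error). */
enum ssb_state ssb_decode(long v)
{
    if (v < 0)  return SSB_UNKNOWN;       /* kernel lacks the interface */
    if (v == 0) return SSB_NOT_AFFECTED;  /* PR_SPEC_NOT_AFFECTED */
    if (v & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return SSB_MITIGATED;             /* store-bypass speculation is off */
    return SSB_EXPOSED;                   /* PR_SPEC_ENABLE: bypass allowed */
}

/* Nonzero when the kernel lets this task change the setting itself. */
int ssb_task_controllable(long v) { return v > 0 && (v & PR_SPEC_PRCTL) != 0; }

int main(void)
{
    static const char *names[] = { "unknown", "not affected", "exposed", "mitigated" };
    long v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("before: %s\n", names[ssb_decode(v)]);

    if (ssb_decode(v) == SSB_EXPOSED && ssb_task_controllable(v)) {
        /* Disable store-bypass speculation for this task only. */
        if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0)
            perror("PR_SET_SPECULATION_CTRL");
        v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
        printf("after:  %s\n", names[ssb_decode(v)]);
    }
    return 0;
}
```

A result of "exposed" without per-task control means the setting can only be changed system-wide, for example through the kernel's boot-time configuration.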
Jann Horn from Google's Project Zero was the person who discovered the bug. He explains his findings:
I noticed that Intel's Optimization Manual says in section 188.8.131.52 ("Memory Disambiguation"):
"A load instruction micro-op may depend on a preceding store. Many microarchitectures block loads until all preceding store address are known.
The memory disambiguator predicts which loads will not depend on any previous stores. When the disambiguator predicts that a load does not have such a dependency, the load takes its data from the L1 data cache.
Eventually, the prediction is verified. If an actual conflict is detected, the load and all succeeding instructions are re-executed."
According to my experiments, this effect can be used to cause speculative execution to continue far enough to execute a Spectre-style gadget on a pointer read from a memory slot to which a store has been speculatively ignored.
In an announcement about the newly discovered vulnerability, Microsoft says:
At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.
As with the previous vulnerabilities, it will not be possible to fully eliminate the problems without at least some side-effects. The only real solution is a complete chip redesign, and that's not going to happen any time soon -- and it would do nothing to help the millions of older chips that remain affected.