Security researchers discover seven more speculative execution attacks like Spectre and Meltdown
One of the biggest security stories of 2018 has been the discovery of the Meltdown and Spectre chip flaws. Known as speculative execution exploits, the flaws make it possible to steal potentially sensitive information, and there has been an ongoing battle to issue patches wherever possible.
Just as things were starting to die down a little, security researchers have revealed details of no fewer than seven more speculative execution attacks. While some of these attack vectors are already covered by existing mitigations, this is not the case for all of them.
The fallout from the original Spectre and Meltdown discoveries has been massively impactful and terribly long-winded. Software makers have struggled to issue patches that mitigate the problems without hurting system performance too much, so the prospect of yet another batch of related vulnerabilities that need to be addressed is something that will fill many people with dread.
As detailed by Ars Technica, researchers have undertaken a systematic analysis of the techniques involved in the Spectre and Meltdown exploits, and this is how the new variants have been discovered.
One of the newly discovered exploits abuses Intel's Protection Keys for Userspace (PKU); Ars Technica's Peter Bright explains:
Protection keys introduced with Skylake allow an application to mark pieces of memory with a four-bit key. Applications set the processor to use a particular protection key, and, during that time, attempts to access memory that is labeled with a different key will generate an error. Yet again, a few nanoseconds of speculation can occur between making an invalid access (accessing memory with a mismatched protection key) and the processor reporting the error, enabling information that should be protected to leak.
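To make concrete the check that the quoted passage describes, here is an added example (not code from the article, from Ars Technica or from the researchers' paper): a Linux/glibc C program that tags a page with a freshly allocated protection key, switches PKRU to deny that key, and confirms that the load is refused architecturally with a SIGSEGV carrying si_code SEGV_PKUERR. The function name pku_demo, the 0x42 "secret" byte and the page are constructed for the demo; the function returns 0 rather than failing when the CPU, kernel or libc exposes no protection keys.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* pku_demo(): 1 = PKU refused the load with a SEGV_PKUERR fault; 0 = no protection
 * keys on this CPU/kernel/libc (or the sandbox refuses the syscall); -1 = other error. */
#if defined(__linux__) && defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 27))
static sigjmp_buf fault_jmp;
static volatile sig_atomic_t pku_faults;        /* SIGSEGVs tagged SEGV_PKUERR */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    if (si->si_code == SEGV_PKUERR) pku_faults++;
    siglongjmp(fault_jmp, 1);                   /* unwind; never retry the load */
}
int pku_demo(void) {
    long page = sysconf(_SC_PAGESIZE);
    int pkey = pkey_alloc(0, 0);                /* fresh key, initially accessible */
    if (pkey < 0)
        return (errno == ENOSPC || errno == EINVAL || errno == ENOSYS || errno == EPERM) ? 0 : -1;
    volatile unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { pkey_free(pkey); return -1; }
    if (pkey_mprotect((void *)buf, page, PROT_READ | PROT_WRITE, pkey) != 0) {
        munmap((void *)buf, page); pkey_free(pkey); return -1;
    }
    buf[0] = 0x42;                              /* constructed "secret" on the tagged page */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv; sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);
    volatile int rc = -1; pku_faults = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        pkey_set(pkey, PKEY_DISABLE_ACCESS);    /* PKRU now denies this key */
        unsigned char probe = buf[0]; (void)probe;  /* architecturally: fault, not data */
    } else {
        pkey_set(pkey, 0);                      /* lift the denial, then read for real */
        rc = (pku_faults == 1 && buf[0] == 0x42) ? 1 : -1;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap((void *)buf, page); pkey_free(pkey);
    return rc;
}
#else
int pku_demo(void) { return 0; }               /* no PKU API on this platform */
#endif
```

The fault this program observes is the architectural outcome; the quoted passage is about the few nanoseconds of speculation that run before that fault is raised, which is why PKU on its own is an access-control boundary rather than a confidentiality boundary and the existing Meltdown mitigations still matter.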
This exploit and another that takes advantage of Intel's Memory Protection eXtensions (MPX) are both Meltdown-based, but there are five more that are related to Spectre.
In total, five different misprediction scenarios were identified (four based on branch predictors, one based on stores to memory being overlooked momentarily). Of the four branch predictor attacks, each attack can be used either against the same address space or a different one, and it can be used against the same branch or one that's related. This creates 16 branch predictor-based variants as well as the store-based attack. Not every single combination has so far been tested, but in the paper, several new Spectre-style attacks are described. They use various combinations of the predictor being exploited, the address being attacked, and the address space being attacked.
In particular, one of the variants of the original Spectre attacks has been shown to have greater applicability against AMD's latest processors than previously known, and the same attack has also been shown to be effective against ARM processors.
Intel, it seems, is not concerned, issuing a statement saying:
The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research.