This article is more than 1 year old
Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years
Countermeasures to protect apps from attack
Coming to a compiler near you, soon
Several software-based mitigation strategies for Spectre attacks have been proposed. These are countermeasures that need to be woven into applications and operating systems to resist snooping, and the rebuilt software then distributed to users. These involve limiting speculative execution through additional code. Intel recommends using the LFENCE instruction to serialize operations and prevent instruction speculation that can be abused.
But that could slow things down. "Note that the insertion of LFENCE must be done judiciously; if it is used too liberally, performance may be significantly compromised," Intel advised in a technical note about the issue. This would be on top of the Meltdown performance tax.
Project Zero researchers have also suggested use of the MFENCE instruction, and the application of static analysis techniques to minimize unnecessary security checks. They said that code in legacy application may need to be recompiled.
As well as this, Project Zero team has proposed a mitigation technique called "retpoline," a combination of "return" and "trampoline," that prevents exploitative speculative execution from occurring. They offer this metaphor to describe the operation: "Imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around."
Retpoline works by pushing the current program counter onto the stack, then pushing the address you want to jump to onto the stack, and then using the return instruction – which pulls that address off the stack and jumps to it. Returning from that subroutine jumps the processor back to where it was. This chicanery when calling code is supposed to thwart attempts to exploit Spectre design flaws in processors.
Google's support document on retpoline suggested the performance hit is minimal: "Microbenchmarking on Intel x86 architectures shows that our converted sequences are within cycles of an native indirect branch (with branch prediction hardware explicitly disabled)."
But this is akin to saying a broken leg won't slow you down much compared to walking around on crutches. Branch prediction isn't typically disabled.
A performance hit
In a mailing list for the LLVM compiler project, Chandler Carruth, who heads Google's LLVM team, explained: "Well tuned servers using all of these techniques saw 5 per cent to 10 per cent overhead from the use of retpoline."
Recompiling applications to mitigate the risk posed by fundamentally insecure hardware thus has a cost.
Another mitigation technique involves reducing timer accuracy.
"Both Meltdown and Spectre currently use the cache side channel in order to exfiltrate the data obtained during the erroneous speculative execution," said Genkin. "As cache attacks often need an accurate timing source, decreasing timer accuracy is a generic way to make cache attacks harder to mount."
This doesn't work in all cases, as some side channel attacks don't require timers. Genkin said such attacks could be combined with erroneous speculative execution to create more Spectre and Meltdown variants. "Whether such attacks can be implemented from JavaScript is yet to be determined," he said.
On Wednesday, Luke Wagner, senior staff software engineer at Mozilla, said Firefox 57 will reduce the resolution of time sources like performance.now()
and disable SharedArrayBuffer
, which can be used to create high-resolution timers, in an effort to limit the impact of Spectre attacks. In other words, prevent malicious JavaScript running in a tab from potentially sniffing data – like login tokens – held elsewhere in the browser or system.
"The final step of the attack involves measuring the time it takes to perform a sequence of operations that depend on secret data," Wagner explained in an email to The Register. "This time difference is very small, so by keeping the resolution of the timers that are exposed to JavaScript high enough, we mitigate the ability of the attacker to perform this step."
Microsoft has taken similar measures. Through a just released software update, the tech giant said it has removed support for SharedArrayBuffer
from Microsoft Edge and reduced the resolution of performance.now()
from 5 microseconds to 20 microseconds, with a variable jitter of up to an extra 20 microseconds.
Google Chrome, meanwhile, plans to implement a defense called Site Isolation when Chrome 64 arrives on January 23, again to stop evil JS from snooping beyond its boundaries.
Apple on Thursday evening said it has already addressed Meltdown in December iOS, macOS, and tvOS updates, and plans to provide Spectre mitigation for Safari for iOS and macOS in the next few days. Essentially, the Arm-compatible and Intel CPUs it used in its gear suffer all the badness described above.
Wagner observed that software fixes aren't enough. "Ultimately, this is a problem with the processor and addressing it in the browser requires removing useful functionality and degrading performance," he said. "We hope the future microprocessor improvements would allow less drastic measures in the browser while still maintaining safety."
Asked how Meltdown and Spectre compare to other major cybersecurity incidents, Genkin said in the short term, he expects there will be exploits against unpatched systems. For the long term, he said, "This is something that will affect the way that we design CPUs and build operating systems. Once proper countermeasures and correct hardware designs are in place, this will be remembered as a major security incident." ®