Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

Countermeasures to protect apps from attack


Coming to a compiler near you, soon

Several software-based mitigation strategies for Spectre attacks have been proposed. These are countermeasures that need to be woven into applications and operating systems to resist snooping, and the rebuilt software then distributed to users. These involve limiting speculative execution through additional code. Intel recommends using the LFENCE instruction to serialize operations and prevent instruction speculation that can be abused.

But that could slow things down. "Note that the insertion of LFENCE must be done judiciously; if it is used too liberally, performance may be significantly compromised," Intel advised in a technical note about the issue. This would be on top of the Meltdown performance tax.

Project Zero researchers have also suggested use of the MFENCE instruction, and the application of static analysis techniques to minimize unnecessary security checks. They said that code in legacy application may need to be recompiled.

As well as this, Project Zero team has proposed a mitigation technique called "retpoline," a combination of "return" and "trampoline," that prevents exploitative speculative execution from occurring. They offer this metaphor to describe the operation: "Imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around."

Retpoline works by pushing the current program counter onto the stack, then pushing the address you want to jump to onto the stack, and then using the return instruction – which pulls that address off the stack and jumps to it. Returning from that subroutine jumps the processor back to where it was. This chicanery when calling code is supposed to thwart attempts to exploit Spectre design flaws in processors.

Google's support document on retpoline suggested the performance hit is minimal: "Microbenchmarking on Intel x86 architectures shows that our converted sequences are within cycles of an native indirect branch (with branch prediction hardware explicitly disabled)."

But this is akin to saying a broken leg won't slow you down much compared to walking around on crutches. Branch prediction isn't typically disabled.

A performance hit

In a mailing list for the LLVM compiler project, Chandler Carruth, who heads Google's LLVM team, explained: "Well tuned servers using all of these techniques saw 5 per cent to 10 per cent overhead from the use of retpoline."

Recompiling applications to mitigate the risk posed by fundamentally insecure hardware thus has a cost.

Another mitigation technique involves reducing timer accuracy.

"Both Meltdown and Spectre currently use the cache side channel in order to exfiltrate the data obtained during the erroneous speculative execution," said Genkin. "As cache attacks often need an accurate timing source, decreasing timer accuracy is a generic way to make cache attacks harder to mount."

This doesn't work in all cases, as some side channel attacks don't require timers. Genkin said such attacks could be combined with erroneous speculative execution to create more Spectre and Meltdown variants. "Whether such attacks can be implemented from JavaScript is yet to be determined," he said.

On Wednesday, Luke Wagner, senior staff software engineer at Mozilla, said Firefox 57 will reduce the resolution of time sources like performance.now() and disable SharedArrayBuffer, which can be used to create high-resolution timers, in an effort to limit the impact of Spectre attacks. In other words, prevent malicious JavaScript running in a tab from potentially sniffing data – like login tokens – held elsewhere in the browser or system.

"The final step of the attack involves measuring the time it takes to perform a sequence of operations that depend on secret data," Wagner explained in an email to The Register. "This time difference is very small, so by keeping the resolution of the timers that are exposed to JavaScript high enough, we mitigate the ability of the attacker to perform this step."

Microsoft has taken similar measures. Through a just released software update, the tech giant said it has removed support for SharedArrayBuffer from Microsoft Edge and reduced the resolution of performance.now() from 5 microseconds to 20 microseconds, with a variable jitter of up to an extra 20 microseconds.

Google Chrome, meanwhile, plans to implement a defense called Site Isolation when Chrome 64 arrives on January 23, again to stop evil JS from snooping beyond its boundaries.

Apple on Thursday evening said it has already addressed Meltdown in December iOS, macOS, and tvOS updates, and plans to provide Spectre mitigation for Safari for iOS and macOS in the next few days. Essentially, the Arm-compatible and Intel CPUs it used in its gear suffer all the badness described above.

Wagner observed that software fixes aren't enough. "Ultimately, this is a problem with the processor and addressing it in the browser requires removing useful functionality and degrading performance," he said. "We hope the future microprocessor improvements would allow less drastic measures in the browser while still maintaining safety."

Asked how Meltdown and Spectre compare to other major cybersecurity incidents, Genkin said in the short term, he expects there will be exploits against unpatched systems. For the long term, he said, "This is something that will affect the way that we design CPUs and build operating systems. Once proper countermeasures and correct hardware designs are in place, this will be remembered as a major security incident." ®

Broader topics


Other stories you might like

  • AMD bests Intel in cloud CPU performance study
    Overall price-performance in Big 3 hyperscalers a dead heat, says CockroachDB

    AMD's processors have come out on top in terms of cloud CPU performance across AWS, Microsoft Azure, and Google Cloud Platform, according to a recently published study.

    The multi-core x86-64 microprocessors Milan and Rome and beat Intel Cascade Lake and Ice Lake instances in tests of performance in the three most popular cloud providers, research from database company CockroachDB found.

    Using the CoreMark version 1.0 benchmark – which can be limited to run on a single vCPU or execute workloads on multiple vCPUs – the researchers showed AMD's Milan processors outperformed those of Intel in many cases, and at worst statistically tied with Intel's latest-gen Ice Lake processors across both the OLTP and CPU benchmarks.

    Continue reading
  • Intel says Sapphire Rapids CPU delay will help AMD catch up
    Our window to have leading server chips again is narrowing, exec admits

    While Intel has bagged Nvidia as a marquee customer for its next-generation Xeon Scalable processor, the x86 giant has admitted that a broader rollout of the server chip has been delayed to later this year.

    Sandra Rivera, Intel's datacenter boss, confirmed the delay of the Xeon processor, code-named Sapphire Rapids, in a Tuesday panel discussion at the BofA Securities 2022 Global Technology Conference. Earlier that day at the same event, Nvidia's CEO disclosed that the GPU giant would use Sapphire Rapids, and not AMD's upcoming Genoa chip, for its flagship DGX H100 system, a reversal from its last-generation machine.

    Intel has been hyping up Sapphire Rapids as a next-generation Xeon CPU that will help the chipmaker become more competitive after falling behind AMD in technology over the past few years. In fact, Intel hopes it will beat AMD's next-generation Epyc chip, Genoa, to the market with industry-first support for new technologies such as DDR5, PCIe Gen 5 and Compute Express Link.

    Continue reading
  • Intel offers 'server on a card' reference design for network security
    OEMs thrown a NetSec Accelerator that plugs into server PCIe slots

    RSA Conference Intel has released a reference design for a plug-in security card aimed at delivering improved network and security processing without requiring the additional rackspace a discrete appliance would need.

    The NetSec Accelerator Reference Design [PDF] is effectively a fully functional x86 compute node delivered as a PCIe card that can be fitted into an existing server. It combines an Intel Atom processor, Intel Ethernet E810 network interface, and up to 32GB of memory to offload network security functions.

    According to Intel, the new reference design is intended to enable a secure access service edge (SASE) model, a combination of software-defined security and wide-area network (WAN) functions implemented as a cloud-native service.

    Continue reading

Biting the hand that feeds IT © 1998–2022