Hate to ruin your day, but... Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits

And upcoming hardware changes may not be enough to kill off these security bugs


When details of the Meltdown and Spectre CPU security vulnerabilities emerged last month, the researchers involved hinted that further exploits may be developed beyond the early proof-of-concept examples.

It didn't take long. In a research paper – "MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols" – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.

In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.

Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out.

Before you panic: don't. No exploit code has been released.

Patterns

How did we get here? Well, Princeton computer science professor Margaret Martonosi, doctoral candidate Caroline Trippel, and Nvidia senior research scientist Daniel Lustig developed an unnamed tool – to be discussed in a subsequent paper – that models computer chip microarchitectures to analyze specific execution patterns, such as Meltdown-Spectre-based timing attacks.

They used their tool to explore fresh methods to trigger the Meltdown and Spectre design faults, and in the process identified new ways to exploit the processor flaws. These latest exploit techniques are dubbed MeltdownPrime and SpectrePrime.

One way in which the offshoots differ from their predecessors is that they are two-core attacks – they use two CPU cores against each other – and leverage the way memory is accessed in multi-core systems.

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

READ MORE

The Meltdown and Spectre design flaws are a result of chip makers prioritizing speed over security.

Modern processors execute software instructions out of order in an effort to efficiently use all or most of their computing resources at any one given moment. This is faster than processing the instructions in a serial fashion, one after the other, which would leave sections of the chip idling. The CPU cores will also execute instructions speculatively, benefiting from a performance boost if they guess correctly which paths a program will take through its code.

Malicious software exploiting Meltdown and Spectre leverages these processor design characteristics to obtain privileged data, such as personal information, that it shouldn't be able to access.

Because accessing CPU memory is comparatively slow, chips include pools of faster memory called caches. The problem with having multiple memory units is you may end up with multiple copies of your data across a system.

Thus there are cache coherence protocols which ensure that multiple processor cores can share a consistent view of the state of the cached data and the system's memory. Through various operations, the state of a cache may be changed from, say, shared to invalid or from exclusive to modified.

Meltdown and Spectre are referred to as side-channel attacks because they exploit unanticipated side effects arising from these processor design characteristics.

Cache-based side-channel attacks involve attempts to discover privileged knowledge about a target application as it executes, in order to use that information against the host system.

Lock and load

The MeltdownPrime and SpectrePrime variants are based on cache invalidation protocols and utilize timing attack techniques known as Prime+Probe and Flush+Reload, which provide insight into how the victim is using cache memory.

"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information," the paper explained. "By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel."

The variants are similar to the earlier attacks developed for Meltdown and Spectre, but they're not identical.

"Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol," the paper explained.

The researchers found that the cache coherence protocol "may invalidate cache lines in shared cores as a result of a speculative write access request even if the operation is eventually squashed."

Considerations

The SpectrePrime proof-of-concept exploit was successfully run on an Apple Macbook with a 2.4GHz Intel Core i7 processor running macOS Sierra, aka version 10.12.6. (Apple's Spectre patch arrived in macOS High Sierra 10.13.2.) MeltdownPrime has not yet been tested on real-world hardware.

The researchers suggest that while software fixes for the original flaws will also neuter variant attacks, hardware changes may not be adequate.

"Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime," the paper concluded. "On the other hand, we believe that microarchitectural mitigation of our Prime variants will require new considerations."

Intel, the chipmaker most affected by these flaws, incidentally just announced an extension of its bug bounty program – just through the end of 2018 – covering side-channel vulnerabilities, with awards of up to $250,000.

We asked Intel for comment on the aforementioned research. A spokesperson was not immediately available. ®

Updated to add

In a statement provided to The Register via email after this story was published, an Intel spokesperson suggested existing hardware mitigations would be adequate without specifically addressing the doubts raised by the researchers.

“We have received a copy of the research report,” the spokesperson said. “The side-channel analysis methods described in that report are similar to techniques disclosed by Google Project Zero and referred to as Spectre and Meltdown. Intel anticipates that the mitigations for Spectre and Meltdown will be similarly effective against the methods described in that report.”

Similar topics


Other stories you might like

  • Amazon warehouse staff granted second chance to vote for unionization

    US labor watchdog tosses previous failed result in the trash

    America's labor watchdog has given workers at Amazon’s warehouse in Bessemer, Alabama, another crack at voting for unionization after their first attempt failed earlier this year.

    “It is ordered that the election that commenced on February 8 is set aside, and a new election shall be conducted,” Lisa Henderson, regional director at the National Labor Relations Board, ruled [PDF] on Tuesday.

    “The National Labor Relations Board will conduct a second secret ballot election among the unit employees. Employees will vote whether they wish to be represented for purposes of collective bargaining by the Retail, Wholesale and Department Store Union.”

    Continue reading
  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading

Biting the hand that feeds IT © 1998–2021