Hate to ruin your day, but... Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits

And upcoming hardware changes may not be enough to kill off these security bugs

When details of the Meltdown and Spectre CPU security vulnerabilities emerged last month, the researchers involved hinted that further exploits may be developed beyond the early proof-of-concept examples.

It didn't take long. In a research paper – "MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols" – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.

In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.

Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out.

Before you panic: don't. No exploit code has been released.


How did we get here? Well, Princeton computer science professor Margaret Martonosi, doctoral candidate Caroline Trippel, and Nvidia senior research scientist Daniel Lustig developed an unnamed tool – to be discussed in a subsequent paper – that models computer chip microarchitectures to analyze specific execution patterns, such as Meltdown-Spectre-based timing attacks.

They used their tool to explore fresh methods to trigger the Meltdown and Spectre design faults, and in the process identified new ways to exploit the processor flaws. These latest exploit techniques are dubbed MeltdownPrime and SpectrePrime.

One way in which the offshoots differ from their predecessors is that they are two-core attacks – they use two CPU cores against each other – and leverage the way memory is accessed in multi-core systems.

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years


The Meltdown and Spectre design flaws are a result of chip makers prioritizing speed over security.

Modern processors execute software instructions out of order in an effort to efficiently use all or most of their computing resources at any one given moment. This is faster than processing the instructions in a serial fashion, one after the other, which would leave sections of the chip idling. The CPU cores will also execute instructions speculatively, benefiting from a performance boost if they guess correctly which paths a program will take through its code.

Malicious software exploiting Meltdown and Spectre leverages these processor design characteristics to obtain privileged data, such as personal information, that it shouldn't be able to access.

Because accessing CPU memory is comparatively slow, chips include pools of faster memory called caches. The problem with having multiple memory units is you may end up with multiple copies of your data across a system.

Thus there are cache coherence protocols which ensure that multiple processor cores can share a consistent view of the state of the cached data and the system's memory. Through various operations, the state of a cache may be changed from, say, shared to invalid or from exclusive to modified.

Meltdown and Spectre are referred to as side-channel attacks because they exploit unanticipated side effects arising from these processor design characteristics.

Cache-based side-channel attacks involve attempts to discover privileged knowledge about a target application as it executes, in order to use that information against the host system.

Lock and load

The MeltdownPrime and SpectrePrime variants are based on cache invalidation protocols and utilize timing attack techniques known as Prime+Probe and Flush+Reload, which provide insight into how the victim is using cache memory.

"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information," the paper explained. "By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel."

The variants are similar to the earlier attacks developed for Meltdown and Spectre, but they're not identical.

"Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol," the paper explained.

The researchers found that the cache coherence protocol "may invalidate cache lines in shared cores as a result of a speculative write access request even if the operation is eventually squashed."


The SpectrePrime proof-of-concept exploit was successfully run on an Apple Macbook with a 2.4GHz Intel Core i7 processor running macOS Sierra, aka version 10.12.6. (Apple's Spectre patch arrived in macOS High Sierra 10.13.2.) MeltdownPrime has not yet been tested on real-world hardware.

The researchers suggest that while software fixes for the original flaws will also neuter variant attacks, hardware changes may not be adequate.

"Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime," the paper concluded. "On the other hand, we believe that microarchitectural mitigation of our Prime variants will require new considerations."

Intel, the chipmaker most affected by these flaws, incidentally just announced an extension of its bug bounty program – just through the end of 2018 – covering side-channel vulnerabilities, with awards of up to $250,000.

We asked Intel for comment on the aforementioned research. A spokesperson was not immediately available. ®

Updated to add

In a statement provided to The Register via email after this story was published, an Intel spokesperson suggested existing hardware mitigations would be adequate without specifically addressing the doubts raised by the researchers.

“We have received a copy of the research report,” the spokesperson said. “The side-channel analysis methods described in that report are similar to techniques disclosed by Google Project Zero and referred to as Spectre and Meltdown. Intel anticipates that the mitigations for Spectre and Meltdown will be similarly effective against the methods described in that report.”

Similar topics

Other stories you might like

  • Google sours on legacy G Suite freeloaders, demands fee or flee

    Free incarnation of online app package, which became Workplace, is going away

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere.

    "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

    Continue reading
  • SpaceX Starlink sat streaks now present in nearly a fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining this science, maybe not

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading

Biting the hand that feeds IT © 1998–2022