Hate to ruin your day, but... Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits

And upcoming hardware changes may not be enough to kill off these security bugs

When details of the Meltdown and Spectre CPU security vulnerabilities emerged last month, the researchers involved hinted that further exploits may be developed beyond the early proof-of-concept examples.

It didn't take long. In a research paper – "MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols" – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.

In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.

Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out.

Before you panic: don't. No exploit code has been released.


How did we get here? Well, Princeton computer science professor Margaret Martonosi, doctoral candidate Caroline Trippel, and Nvidia senior research scientist Daniel Lustig developed an unnamed tool – to be discussed in a subsequent paper – that models computer chip microarchitectures to analyze specific execution patterns, such as the timing attacks behind Meltdown and Spectre.

They used their tool to explore fresh methods to trigger the Meltdown and Spectre design faults, and in the process identified new ways to exploit the processor flaws. These latest exploit techniques are dubbed MeltdownPrime and SpectrePrime.

One way in which the offshoots differ from their predecessors is that they are two-core attacks – the attacker runs on one CPU core and the victim on another – and they leverage the coherence traffic that keeps each core's private cache consistent with the others in a multi-core system.

The Meltdown and Spectre design flaws are a result of chip makers prioritizing speed over security.

Modern processors execute software instructions out of order in an effort to efficiently use all or most of their computing resources at any one given moment. This is faster than processing the instructions in a serial fashion, one after the other, which would leave sections of the chip idling. The CPU cores will also execute instructions speculatively, benefiting from a performance boost if they guess correctly which paths a program will take through its code; if the guess turns out to be wrong, the speculative work is squashed and its architectural results are discarded, though, as we'll see, not every trace of it is.

Malicious software exploiting Meltdown and Spectre leverages these processor design characteristics to obtain privileged data, such as personal information, that it shouldn't be able to access.

Because accessing main memory (RAM) is comparatively slow, chips include pools of faster memory called caches, typically a private cache per core plus a larger shared one. The problem with having multiple caches is that you may end up with multiple copies of the same data scattered across the system.

Thus there are cache coherence protocols which ensure that multiple processor cores share a consistent view of the cached data and the system's memory. As cores read and write, a cache line moves between states, from, say, shared to invalid or from exclusive to modified. In an invalidation-based protocol, a core that wants to write a line must first obtain ownership of it, which invalidates every other core's copy.

Meltdown and Spectre are referred to as side-channel attacks because they exploit unanticipated side effects arising from these processor design characteristics.

Cache-based side-channel attacks work by timing the attacker's own memory accesses to infer which cache lines a victim program has touched as it executes, and then using that access pattern to reconstruct the secret data that drove it.

Lock and load

The MeltdownPrime and SpectrePrime variants rely on invalidation-based cache coherence protocols and build on two well-known timing techniques, Prime+Probe and Flush+Reload, which reveal which cache lines the victim has used. Flush+Reload needs memory shared with the victim and a cache-flush instruction, but pinpoints individual lines; classic Prime+Probe needs neither, but ordinarily only tells the attacker which cache set was touched.

"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information," the paper explained. "By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel."

The variants are similar to the earlier attacks developed for Meltdown and Spectre, but they're not identical.

"Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol," the paper explained.

The researchers found that the cache coherence protocol "may invalidate cache lines in shared cores as a result of a speculative write access request even if the operation is eventually squashed."
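To make that mechanism concrete, here is an added toy model written for this article; it is not the researchers' tool, nor exploit code from the paper. It simulates a two-core cache under an MSI-style invalidation protocol: the attacker on core 0 primes every line into its private cache, a hypothetical victim gadget on core 1 speculatively stores to a line whose index depends on a secret and is then squashed, and the attacker probes to see which of its lines went missing. The core numbers, the eight-line address space and the gadget are assumptions for the illustration; a real probe times each access rather than inspecting cache state directly.

```c
/* Toy two-core cache with an MSI-style invalidation-based coherence protocol.
 * Added illustration for this article; not the researchers' tool or exploit.
 * Core numbers, line count and the victim gadget are made-up assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NCORES   2
#define NLINES   8          /* toy address space: cache lines 0..7 */
#define ATTACKER 0
#define VICTIM   1

enum state { INVALID = 0, SHARED, MODIFIED };

static enum state cache[NCORES][NLINES];   /* per-core private cache state */

static void reset_caches(void) { memset(cache, 0, sizeof cache); }

/* A load brings the line into SHARED; another core holding it MODIFIED is
 * downgraded to SHARED, not invalidated. */
static void load(int core, int line) {
    for (int c = 0; c < NCORES; c++)
        if (c != core && cache[c][line] == MODIFIED) cache[c][line] = SHARED;
    if (cache[core][line] == INVALID) cache[core][line] = SHARED;
}

/* A store needs ownership: the request invalidates every other core's copy
 * as soon as it is serviced. This is the coherence invalidation. */
static void store_request(int core, int line) {
    for (int c = 0; c < NCORES; c++)
        if (c != core) cache[c][line] = INVALID;
    cache[core][line] = MODIFIED;
}

/* A speculative store that is later squashed: the requesting core rolls back
 * its own state, but the invalidations already sent to other cores remain. */
static void speculative_store(int core, int line, bool squashed) {
    enum state before = cache[core][line];
    store_request(core, line);
    if (squashed) cache[core][line] = before;   /* local roll-back only */
}

/* Prime: the attacker loads every line so all are SHARED in its cache. */
static void prime(int core) {
    for (int l = 0; l < NLINES; l++) load(core, l);
}

/* Probe: re-touch each line. A missing line stands in for the slow access a
 * real attacker would measure. Returns the single evicted line, -1 if none,
 * -2 if more than one line vanished (noise in a real run). */
static int probe(int core) {
    int leaked = -1;
    for (int l = 0; l < NLINES; l++) {
        if (cache[core][l] != INVALID) continue;
        if (leaked != -1) return -2;
        leaked = l;
    }
    return leaked;
}

/* Hypothetical Spectre-style gadget: the victim mispredicts a bounds check,
 * speculatively stores to a secret-dependent line, then gets squashed. */
static void victim_gadget(int secret_line) {
    speculative_store(VICTIM, secret_line, /*squashed=*/true);
}

/* One SpectrePrime-style round: the line index the attacker recovers. */
static int spectreprime_round(int secret_line) {
    reset_caches();
    prime(ATTACKER);
    victim_gadget(secret_line);
    return probe(ATTACKER);
}

/* The victim's own cache state after a round: the squash rolled it back, so
 * the victim core itself shows no trace of the store. */
static enum state victim_state_after(int secret_line) {
    (void)spectreprime_round(secret_line);
    return cache[VICTIM][secret_line];
}

/* Control: a speculative *load* on the victim sends no invalidation, so the
 * cross-core probe sees nothing; this is why the Prime variants need a store. */
static int load_only_round(int secret_line) {
    reset_caches();
    prime(ATTACKER);
    load(VICTIM, secret_line);
    return probe(ATTACKER);
}

int main(void) {
    int secret = 5;
    printf("SpectrePrime-style round recovers line %d (secret was %d)\n",
           spectreprime_round(secret), secret);
    printf("victim's own copy after squash: state %d (0 = INVALID)\n",
           victim_state_after(secret));
    printf("load-only control recovers line %d (-1 = nothing)\n",
           load_only_round(secret));
    return 0;
}
```

Build and run with `cc -Wall -o prime prime.c && ./prime`. The point of the two extra functions is the asymmetry the paper relies on: after the squash the victim core's state is back to INVALID, as if nothing happened, yet the attacker core has still lost its copy of exactly one line, and a plain load on the victim would not have produced that signal at all.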


The SpectrePrime proof-of-concept exploit was successfully run on an Apple MacBook with a 2.4GHz Intel Core i7 processor running macOS Sierra, aka version 10.12.6. (Apple's Spectre patch arrived in macOS High Sierra 10.13.2.) MeltdownPrime has not yet been tested on real-world hardware.

The researchers suggest that while software fixes for the original flaws will also neuter variant attacks, hardware changes may not be adequate.

"Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime," the paper concluded. "On the other hand, we believe that microarchitectural mitigation of our Prime variants will require new considerations."

Intel, the chipmaker most affected by these flaws, incidentally just announced an extension of its bug bounty program – just through the end of 2018 – covering side-channel vulnerabilities, with awards of up to $250,000.

We asked Intel for comment on the aforementioned research. A spokesperson was not immediately available. ®

Updated to add

In a statement provided to The Register via email after this story was published, an Intel spokesperson suggested existing hardware mitigations would be adequate without specifically addressing the doubts raised by the researchers.

“We have received a copy of the research report,” the spokesperson said. “The side-channel analysis methods described in that report are similar to techniques disclosed by Google Project Zero and referred to as Spectre and Meltdown. Intel anticipates that the mitigations for Spectre and Meltdown will be similarly effective against the methods described in that report.”
