Computer security researchers have uncovered yet another set of transient execution attacks on modern CPUs that allow a local attacker to gain access to privileged data, fulfilling predictions made when the Spectre and Meltdown flaws were reported at the beginning of the year.
In short, these processor security flaws can be exploited by malicious users and malware on a vulnerable machine potentially to lift passwords, encryption keys, and other secrets, out of memory that should be off-limits. To date, we're not aware of any software nasties exploiting these holes in the wild, but nonetheless they have been a wake-up call for the semiconductor industry, forcing redesigns of silicon and changes to toolchains.
The bit boffins responsible for uncovering these latest vulnerabilities – Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss, from Graz University of Technology, imec-DistriNet at KU Leuven, and the College of William and Mary – include some of the same computer scientists who discovered the original Spectre and Meltdown weaknesses.
They argue that the term "transient execution" is preferable to other terminology like "speculative execution" to describe the Spectre, Meltdown, and Foreshadow attacks.
"'Speculative execution' is often falsely used as an umbrella term for attacks based on speculation of the outcome of a particular event (i.e., conditional branches, return addresses, or memory disambiguation), out-of-order execution, and pipelining," they explain in a paper distributed through ArXiv on Tuesday.
"However, Spectre and Meltdown exploit fundamentally different properties of CPUs. A CPU can be vulnerable to Spectre but not Meltdown (e.g. AMD), and vice versa. The only common property of both attacks is that they exploit side effects within the transient execution domain, i.e., within never-committed execution."
The not-so-magnificent seven
The researchers describe seven new transient execution attacks, consisting of two new Meltdown variants (Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD) and five new Spectre branch predictor mistraining strategies for previously disclosed flaws known as Spectre-PHT (Bounds Check Bypass) and Spectre-BTB (Branch Target Injection). They say they've responsibly disclosed their findings to chip vendors.
Where Spectre exploits branch prediction to gain access to transient data, Meltdown bypasses the isolation between applications and the operating system by evaluating transient out-of-order instructions following a CPU exception to read kernel memory.
Previously, there were five publicly disclosed Meltdown variants: Meltdown-US (Meltdown), Meltdown-P (Foreshadow), Meltdown-GP (Variant 3a), Meltdown-NM (Lazy FP), and Meltdown-RW (Variant 1.2).
The researchers propose two more: Meltdown-PK and Meltdown-BR.
The Meltdown-PK attack can defeat a defense in Intel Skylake-SP server chips called memory-protection keys for user space (PKU), which lets processes alter the access permissions of a page of memory from user space, without a syscall/hypercall.
Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesignREAD MORE
"Meltdown-PK shows that PKU isolation can be bypassed if an attacker has code execution in the containing process, even if the attacker cannot execute the
wrpkru instruction (e.g., due to blacklisting)," the researchers explain. "Moreover, in contrast to cross-privilege level Meltdown attack variants, there is no software workaround. Intel can only fix Meltdown-PK in new hardware or possibly via a microcode update."
Meltdown-BR provides a way to bypass bound checks, which raise exceptions when an out-of-bound value is found. It exploits transient execution after such an exception to capture out-of-bounds secrets that wouldn't otherwise be accessible.
The researchers demonstrated their attack on an Intel Skylake i5-6200U CPU with MPX support, an AMD 2013 E2-2000 and an AMD 2017 Ryzen Threadripper 1920X. They note this is the first time a Meltdown-style transient execution attack has been shown to be able to take advantage of delayed exception handling on AMD hardware.
As for the novel approaches to mistraining the branch predictor in Spectre-PHT and Spectre-BTB attacks, the researchers tested their proof-of-concept exploits on Intel Skylake i5-6200U and Haswell i7-4790, on AMD Ryzen 1950X and a Ryzen Threadripper 1920X, and on an Arm-based NVIDIA Jetson TX1.
All vendors have processors that are vulnerable to these variants, they claim. The same, they say is true for Spectre-BTB, though they consider potential attack scenarios far more limited. Presently, no CVEs for these issues have been assigned.
La la la we can't hear you!
In a statement emailed to The Register, an Intel spokesperson brushed off the findings. "The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers," Intel's spokesperson said.
"Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, and the College of William and Mary for their ongoing research."
Arm's spokesperson said, "The recent Spectre and Meltdown vulnerabilities identified by academic researchers can be addressed by applying existing mitigations as described previously in Arm's white paper found here."
AMD did not immediately respond to a request for comment.
The chip vendors' insistence that they're not affected contradicts the researchers' published statements. "Even with all mitigations enabled, we were still able to execute Meltdown-BR, Meltdown-PK, and Meltdown-RW," they state in their paper, adding that "some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked."
Complicating the security picture, some people have taken to disabling established mitigations because they hinder performance too much. Daniel Gruss, assistant professor at Graz University of Technology one of the researchers, said via Twitter than one of the points of the paper is to push for better fixes to resolve the root cause of transient execution attacks.
PortSmash attack blasts hole in Intel's Hyper-Threading CPUs, leaves with secret crypto keysREAD MORE
As was suggested when Spectre and Meltdown were first disclosed, better fixes may mean redesigned hardware. In a statement emailed to The Register, Cody Brocious, a security researcher at HackerOne, said, "As long as speculative execution is performed in processors, this type of bug will continue to be discovered. It's impossible to perform operations without side-effects on a hardware level, and abstractions that pretend such operations are side-effect-free and always going to cause security issues."
While a remote Spectre attack called NetSpectre has been proposed by other researchers, these latest techniques appear to be local threats for the time being.
"Remote attacks are very difficult to mount for now," said Gruss in an email to The Register.
"The threat from transient-execution attacks did not change in any way with this publication. The main thing we tried to contribute to the community was a clear way to analyze and categorize new variants, a clear way to validate and analyze defense techniques. So, this is what changed: Now we can better assess what specific defense techniques offer." ®