The initial Spectre vulnerability was identified in 2018 and a fix was developed. As with many security issues, that fix has its own vulnerability, say researchers at the University of Virginia School of Engineering. The team, led by Prof Ashish Venkat, found the problem in the micro-op cache and reported its discovery to international chip makers last month.
Because all current Spectre defences protect the processor in a later stage of speculative execution, they are useless in the face of Venkat’s team’s new attacks. Two variants of the attacks the team discovered can steal speculatively accessed information from Intel and AMD processors.
“Intel's suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute,” said Venkat. “But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel.”
Venkat’s team includes three of his computer science graduate students: Ph.D. student Xida Ren, Ph.D. student Logan Moody and master’s degree recipient Matthew Jordan. The UVA team collaborated with Dean Tullsen, professor of the Department of Computer Science and Engineering at the University of California, San Diego, and his Ph.D. student Mohammadkazem Taram to reverse-engineer certain undocumented features in Intel and AMD processors.
“In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty” for computing, said researcher Logan Moody. “The difference with this attack is you take a much greater performance penalty than those previous attacks.”
“Patches that disable the micro-op cache or halt speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn’t feasible,” said fellow researcher Xida Ren.
“It is really unclear how to solve this problem in a way that offers high performance to legacy hardware, but we have to make it work,” Venkat said. “Securing the micro-op cache is an interesting line of research and one that we are considering.”
Intel has said no additional mitigation would be required if software developers write code using a method called “constant-time programming” that is not vulnerable to the side-channel attacks.
“Certainly, we agree that software needs to be more secure, and we agree as a community that constant-time programming is an effective means to writing code that is invulnerable to side-channel attacks,” said Venkat. “However, the vulnerability we uncovered is in hardware, and it is important to also design processors that are secure and resilient against these attacks.
“In addition, constant-time programming is not only hard in terms of the actual programmer effort, but also entails high performance overhead and significant deployment challenges related to patching all sensitive software,” he said. “The percentage of code that is written using constant-time principles is in fact quite small. Relying on this would be dangerous. That is why we still need to secure the hardware.”
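What "constant-time programming" asks of a developer, shown as an added C example that is not from the article or the researchers: a secret must not decide which instructions run or which addresses are read. The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky "before": returns at the first mismatch, so the number of loop
 * iterations (and which code runs) depends on the secret tag.
 * *steps records the iterations to make that dependence visible. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time: always reads all n bytes, no secret-dependent branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)(((diff - 1) >> 8) & 1);   /* 1 only when diff == 0 */
}

/* Branch-free select: x when bit == 1, y when bit == 0. */
uint32_t ct_select(uint32_t bit, uint32_t x, uint32_t y) {
    uint32_t mask = (uint32_t)0 - (bit & 1);
    return (x & mask) | (y & ~mask);
}

/* Table lookup with a secret index: read every entry and keep one by
 * mask, so the addresses touched do not depend on idx. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t x = i ^ idx;
        size_t nonzero = (x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1);
        out |= table[i] & (uint8_t)(nonzero - 1);   /* 0xFF when i == idx */
    }
    return out;
}

int main(void) {
    const uint8_t tag[4]   = {0xde, 0xad, 0xbe, 0xef};   /* constructed sample */
    const uint8_t guess[4] = {0xde, 0xad, 0x00, 0x00};
    size_t steps;
    leaky_equal(tag, guess, 4, &steps);
    printf("leaky steps=%zu ct_equal=%d\n", steps, ct_equal(tag, guess, 4));
    return 0;
}
```

Compilers can turn source like this back into branches, so the generated assembly should be checked for the target and flags in use.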