Researchers at the University of Virginia and the University of California at San Diego have reported, in a collaborative study, a new variant of the well-known Spectre vulnerability. It bypasses current mitigations and affects both major x86-compatible platforms, Intel and AMD.
Like most other Spectre variants, the new vulnerability relies on speculative execution (the processor runs likely future instruction paths ahead of time to speed up execution as much as possible), but it targets a different structure: the intermediate cache of micro-operations (the micro-op cache).
In the front end, modern x86-compatible processors break complex instructions into smaller RISC-like units called micro-ops, which greatly simplifies the design of the back end. Decoded micro-ops are stored in the micro-op cache, which has been an integral part of Intel and AMD processors since 2011.
The study describes three attack scenarios that create covert data-transmission channels and use vulnerable code to leak confidential data, both within a single process and between the kernel and user-space processes.
In a demonstration of the Spectre micro-op cache attack, the researchers achieved 965.59 kbps at a 0.22% error rate, and 785.56 kbps with error correction, within the same address space and privilege level. In an attack that crosses privilege levels (between the kernel and user space), the throughput was 85.2 kbps with error correction and 110.96 kbps at a 4% error rate. When attacking AMD Zen processors, where the leak occurs between different logical cores of the CPU, the throughput was 250 kbps at a 5.59% error rate and 168.58 kbps with error correction. Compared with the classic Spectre v1, the new attack is therefore 2.6 times more effective.
Protecting against attacks on the micro-op cache will require appropriate microcode changes, and, according to the researchers, the resulting performance cost may be even higher than that of existing Spectre mitigations. As the best compromise, they propose not disabling caching outright, but instead tracking anomalies and detecting the specific cache states that arise during such attacks.
It should be noted that in any Spectre-class attack, leaking data from the kernel or from another process requires a specific sequence of instructions to execute in the victim process, one that triggers the speculative execution. In other words, carrying out such an attack in practice requires a tremendous amount of effort.