New Spectre variants found
Two new bugs have earned researchers a $100,000 bug bounty from Intel. MIT's Vladimir Kiriansky and independent researcher Carl Waldspurger uncovered what is referred to as Variant 4 of Spectre by Intel and ARM. Like the original Spectre and Meltdown vulnerabilities, they can be exploited to uncover confidential information via microarchitectural side channels in Intel and ARM CPUs. Both take advantage of speculative stores. Spectre 1.1 ( CVE-2018-3693 ) can be used to create speculative buffer overflows. Spectre 1.2 allows hackers to overwrite read-only data and code pointers to breach sandboxes on CPUs that don't enforce read / write protections. In both cases, the result is the ability to get malicious code past hardcoded processor security measures opening the door for stealing data. They also could provide a path for further arbitrary code execution on both local and remote targets, according to the paper.
The researchers confirmed that Intel x86 CPUs are affected, and ARM said that its Cortex-A57, A72, A73 and A75 processors are affected too. The vulnerabilities are not yet patched, and notes that both of them can get around existing Spectre security patches that may be in place. These issues are likely to impact operating systems and virtualization platforms that execute untrusted code and may require software updates, microcode update or both. Like all Spectre variants, the new discoveries are based on speculative memory access, causing cache allocation. Timing analysis of memory accesses can then be used to reveal data that would otherwise be kept secret.
Variant 4 is a Spectre-type attack utilizing a CPU technology known as memory disambiguation, a technology used in high-end CPUs to enable greater out of order execution and higher performance. This is a race between a store and following load that target the same memory location where, under certain conditions, a speculative load can overtake a store, resulting in the load returning old data. That data can then be used to construct an address that drives cache allocation, which can be used to leak data to a hacker across a privilege like the original Spectre.
The discovery earned the researchers $100,000 from Intel's HackerOne bug-bounty program. Intel had rolled out an expansion of its bug bounty program in February as a result of the original discovery of the Spectre and Meltdown variants earlier this year. Intel stated in an updated Spectre paper that there are both software patches for the flaws as well as operating system steps that developers can take for Windows and Linux environments. Software can insert a speculation stopping barrier between a bounds check and a later operation that could cause a speculative side channel. The LFENCE instruction, or any serializing instruction, can act as a barrier. The LFENCE instruction and other serializing instructions make sure that no later instruction will execute, even speculatively, until all prior instructions have completed locally. This prevents the processor from speculatively accessing data that might be out of bounds for the user, because no speculative operations can run until this bounds check completes.
ARM stated that it recommends software mitigations described in its Cache Speculation Side-channels whitepaper. Hackers would need to first install malware on devices to execute an attack. Fortunately, the conditions for these issues remain similar, malicious hacks requires the attackers to first obtain the privileges required to install and execute malicious code against the targeted systems. Basic security hygiene is a good first line of defense. Users will reduce their risk by following good security practices by avoiding suspicious links and downloads, and immediately installing any software updates when available from device manufacturers.