New Security Exploit Found for Meltdown and Spectre Vulnerability
Researchers from Princeton University and NVIDIA have discovered a new security exploit for the Meltdown/Spectre CPU vulnerability.
February 17, 2018
A new security exploit has been found for the Meltdown and Spectre CPU design vulnerabilities. Most people probably figured this would eventually happen, just maybe not so quickly.
There's good news and bad news here -- if a new security exploit can ever be seen as good news.
The good news is that the software patches that have been developed -- you know, the ones that come with performance hits as a side effect -- will most likely work against these exploits.
The bad news? It might be back to the drawing board time for the chip makers. The hardware modifications being developed to make the future safe probably won't work against these new variants -- although Intel says it's done enough.
The exploit was discovered by Caroline Trippel and Margaret Martonosi of Princeton University and Daniel Lustig from Nvidia using a tool they developed to find new attack vectors for Meltdown and Spectre. They're differentiating the new exploit from the previously discovered one by using the suffix "prime" -- as in MeltdownPrime and SpectrePrime -- because it uses a Prime+Probe attack pattern while the previous attack was a Flush+Reload attack.
Both the already known vulnerability and the latest version are called "side-channel attacks" because they take advantage of an unintended consequence of modern processor design, which for the sake of efficiency don't process code from A to Z but out of order, taking advantage of memory caches, along with protocols for managing cached memory, to put things back in order. Specifically, Meltdown and Spectre are "cache-based side-channel attacks" and they work by reading the cached memory in real-time, as it executes.
According to their research paper, the same data is at risk, by essentially the same method, in both the Prime and non-Prime versions of the exploit.
"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information. By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel."
While the information at risk is the same, the method for accessing it is different.
"Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol."
So far proof-of-concept code has only been run on SpectrePrime and not MeltdownPrime, tested on an unpatched-for-Spectre Apple Macbook with a 2.4GHz Intel Core i7 processor running macOS Sierra.
"Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime. On the other hand, we believe that microarchitectural mitigation of our Prime variants will require new considerations."
Intel disagrees with the last assessment and told The Register in an email, "We have received a copy of the research report. The side-channel analysis methods described in that report are similar to techniques disclosed by Google Project Zero and referred to as Spectre and Meltdown. Intel anticipates that the mitigation for Spectre and Meltdown will be similarly effective against the methods described in that report."
One thing is certain: Yogi Berra was right when he said "it ain't over til it's over." As far as this CPU vulnerability mess is concerned, it ain't over yet.
About the Author
You May Also Like