Google and Microsoft Reveal New Spectre Attack

Security researchers from Google and Microsoft have found two new variants of the Spectre attack that affects processors made by AMD, ARM, IBM, and Intel.

Rumors about this new flaw leaked online at the start of the month in a German magazine, but actual details were published today.

AMD, ARM, IBM, Intel, Microsoft, Red Hat and Ubuntu have published security advisories at the time of writing, containing explanations of how the bugs work, along with mitigation advice.

Bug known as SpectreNG

The bugs —referred to in the past weeks as SpectreNG— are related to the previous Meltdown and Spectre bugs discovered last year and announced at the start of 2018.

Both Google and Microsoft researchers discovered the bug independently. The bugs work similarly to the Meltdown and Spectre bugs, a reason why they were classified as “variant 3a” and “variant 4” instead of separate vulnerabilities altogether.

Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
Variant 3a: rogue system register read (CVE-2018-3640)
Variant 4: speculative store bypass (CVE-2018-3639) aka SpectreNG

Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The most important of these two is Variant 4. Both bugs occur for the same reason —speculative execution— a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.

The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the “store buffer” inside a CPU’s cache. Red Hat has published a YouTube video explaining how the bug affects modern CPUs.

As Red Hat breaks it down in a more technical explanation, the vulnerability…

…relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.

“An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries,” Microsoft said in a similar advisory, confirming a Red Hat assessment that the flaw could be used to break out of sandboxed environments. Microsoft also published a more in-depth blog on the Variant 4 bug.

Google and Microsoft Reveal New Spectre Attack 1
Google and Microsoft Reveal New Spectre Attack 2
Google and Microsoft Reveal New Spectre Attack 3
Google and Microsoft Reveal New Spectre Attack 4
Google and Microsoft Reveal New Spectre Attack 5