All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix

Researchers say Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits.
Written by Liam Tung, Contributing Writer

Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains.

Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. 

However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache. 

Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper was released this month and spotted by The Register.

The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for Spectre, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

"The root cause for Spoiler is a weakness in the address speculation of Intel's proprietary implementation of the memory subsystem, which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler," they write. 

They also looked for the same weakness in Arm and AMD processor cores but didn't find the same behavior that is present in Intel chips. 

Spoiler depends on "a novel microarchitectural leakage, which reveals critical information about physical page mappings to user space processes".

"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS, and also works from within virtual machines and sandboxed environments."

The researchers say that Spoiler improves Rowhammer attacks and cache attacks that reverse-engineer virtual-to-physical address mapping. Using Spoiler, they show the leakage can be used to speed up reverse-engineering by a factor of 256. It also can speed up JavaScript attacks in the browser. 

The researchers say that Intel confirmed receipt of their findings on December 1, 2018. However, they note that Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits. Meanwhile, hardware mitigations could address the issue but would almost certainly mean a hit on CPU performance.

They note that for JavaScript-based Spoiler attacks via a website, browsers could mitigate Spoiler by removing accurate timers, but removing all timers could be impractical. 

Daniel (Ahmad) Moghimi, one of the paper's authors, told The Register he doubts Intel will be able to patch the issue in the memory subsystem within the next five years. 

"My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.

"So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."

An Intel spokesperson said in a statement that software can be protected from Spoiler attacks, and that DRAM modules with Rowhammer mitigations should still remain shielded.

"Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."
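Intel's advice to avoid control flow that depends on the data of interest is the standard constant-time coding rule. The C program below is an added illustration, not code from the article, from the Spoiler paper or from Intel: it places an early-exit byte comparison next to a constant-time one and counts loop iterations (a constructed stand-in for a timing measurement, since the point is whether the work done depends on the secret) for a series of guesses whose first mismatch moves one byte at a time. The secret value and the iteration counters are constructed for the demonstration.

```c
/* Added example: data-dependent vs constant-time comparison.
 * The iteration counters are a constructed instrumentation hook standing in
 * for a timer; they are not part of any real API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: the number of iterations (and so the time taken and
 * the branch-predictor/cache footprint) depends on where the first mismatch
 * sits. This is the "control flow dependent on the data of interest" pattern. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    size_t i;
    *iters = 0;
    for (i = 0; i < n; i++) {
        (*iters)++;
        if (a[i] != b[i])
            return 1;          /* data-dependent early exit */
    }
    return 0;
}

/* Constant-time comparison: always touches every byte and never branches on
 * the data. Differences are accumulated with OR, and a branch-free fold turns
 * the accumulator into 0 (equal) or 1 (different). */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    size_t i;
    uint8_t acc = 0;
    *iters = 0;
    for (i = 0; i < n; i++) {
        (*iters)++;
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    /* For acc != 0, either acc or -acc (mod 256) has its top bit set. */
    return (int)((acc | (uint8_t)-acc) >> 7);
}

/* Compare a constructed 8-byte secret against guesses that match the secret
 * in the first k bytes and differ at byte k. Returns how many guesses made the
 * leaky comparison stop before the last byte, i.e. how often its behaviour
 * revealed information about the mismatch position. */
int demo(void)
{
    static const uint8_t secret[8] = { 's', '3', 'c', 'r', '3', 't', '!', '!' };
    uint8_t guess[8];
    size_t early = 0, k;

    for (k = 0; k < 8; k++) {
        size_t leaky_it, ct_it;
        memcpy(guess, secret, sizeof guess);
        guess[k] ^= 0xFF;                       /* first mismatch at index k */
        leaky_compare(secret, guess, sizeof guess, &leaky_it);
        ct_compare(secret, guess, sizeof guess, &ct_it);
        printf("mismatch at %zu: leaky iterations=%zu, constant-time iterations=%zu\n",
               k, leaky_it, ct_it);
        if (leaky_it != sizeof guess)
            early++;
    }
    return (int)early;
}

int main(void)
{
    demo();
    return 0;
}
```

The leaky version stops after k+1 iterations, so its running time is a function of the secret; the constant-time version always performs all eight. In real code the loop body and the final fold also need to survive compiler optimisation (a sufficiently clever compiler may reintroduce a branch), which is why production libraries keep such routines in audited, separately compiled helpers.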
