Meltdown-Spectre flaws: We've found new attack variants, say researchers

Intel and AMD may need to revisit their microcode fixes for Meltdown and Spectre.
Written by Liam Tung, Contributing Writer


Researchers have developed a tool to uncover new ways of attacking the Meltdown and Spectre CPU side-channel flaws, which may force chipmakers like Intel to re-examine already difficult hardware mitigations.

The tool allowed the researchers to synthesize a software-attack based on a description of a CPU's microarchitecture and an execution pattern that could be attacked.

Though each synthesized software attack is specific to one microarchitecture and represents an exploit "in its most abstracted form", these abstract attacks can be used to develop fully fledged ones.

The approach is described in a new paper from Caroline Trippel and Daniel Lustig of Princeton University and Margaret Martonosi from Nvidia called: MeltdownPrime and SpectrePrime: Automatically synthesized attacks exploiting invalidation-based coherence protocols.

The researchers were able to create new variants of Meltdown and Spectre with a separate class of cache timing side-channel attack known as Prime+Probe, described in 2015 by several of the researchers who found Meltdown and Spectre independently of Google's Project Zero.

The result is MeltdownPrime and SpectrePrime, which can leak the same type of information with the same level of precision as Meltdown and Spectre. The Prime variants rely on "invalidation-based coherence protocols".

Meltdown attacks allow malware to access a system's memory and its secrets, while Spectre can leak secrets by breaking memory isolation between applications.

As The Register reports, a key difference between Meltdown and Spectre and their Prime variants is that the Primes attack the host by using two cores against each other, together with the CPU's memory caches, to discover privileged information about an application as it executes.

The other type of cache timing side-channel attack the paper explores is Flush+Reload, a technique the researchers who found Spectre used as a side channel in combination with speculative execution.

"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information.

"By exploiting cache invalidations, MeltdownPrime and SpectrePrime -- two variants of Meltdown and Spectre, respectively -- can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel."
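The quoted passage turns on one property of the coherence protocol: when a core writes a line that another core's private cache holds, an invalidation-based protocol (MESI and its relatives) removes the other core's copy, so that core's next access misses. The following model is an added example written for this article, not code from the paper or its authors. It tracks only coherence state for two cores (no timing, no speculation) and compares the invalidation-based behaviour the paper relies on with a hypothetical update-based protocol in which remote copies are refreshed instead of dropped. The `Core`, `CoherentSystem` and `prime_probe_observation` names and the line address `0x1000` are constructed for the example.

```python
"""Toy model of cache-line state under an invalidation-based coherence protocol.

Added example (not from the paper or the article). Two cores with private
caches; MESI-like states reduced to I (invalid), S (shared) and M (modified).
Only coherence state is modelled, not access latency, so the point it makes is
structural: a store on one core changes what another core's cache holds, and
that change is what a cross-core Prime+Probe measurement can observe. A
hardware mitigation therefore has to keep speculative stores from generating
coherence traffic that other cores can see.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INVALID, SHARED, MODIFIED = "I", "S", "M"


@dataclass
class Core:
    name: str
    cache: Dict[int, str] = field(default_factory=dict)  # line address -> state

    def state(self, line: int) -> str:
        return self.cache.get(line, INVALID)


@dataclass
class CoherentSystem:
    """invalidation_based=True models MESI-style behaviour (the paper's case).
    False models a hypothetical update-based protocol, included for contrast."""
    invalidation_based: bool = True
    cores: List[Core] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def add_core(self, name: str) -> Core:
        core = Core(name)
        self.cores.append(core)
        return core

    def load(self, core: Core, line: int) -> str:
        """Return 'hit' or 'miss'. A miss fetches the line into SHARED state and
        downgrades any MODIFIED copy elsewhere (write-back, keep a shared copy)."""
        if core.state(line) != INVALID:
            self.log.append(f"{core.name} load {line:#x}: hit ({core.state(line)})")
            return "hit"
        for other in self.cores:
            if other is not core and other.state(line) == MODIFIED:
                other.cache[line] = SHARED
        core.cache[line] = SHARED
        self.log.append(f"{core.name} load {line:#x}: miss -> S")
        return "miss"

    def store(self, core: Core, line: int) -> None:
        """A store needs exclusive ownership. Under an invalidation-based protocol
        every other core's copy is invalidated; under the update-based contrast
        case the other copies are refreshed in place and remain usable."""
        for other in self.cores:
            if other is not core and other.state(line) != INVALID:
                other.cache[line] = INVALID if self.invalidation_based else SHARED
        core.cache[line] = MODIFIED
        action = "invalidated" if self.invalidation_based else "updated"
        self.log.append(f"{core.name} store {line:#x}: -> M, other copies {action}")


def prime_probe_observation(invalidation_based: bool = True) -> Tuple[str, str, str]:
    """Prime: core A loads a line.  Event: core B stores to the same line.
    Probe: core A loads the line again.
    Returns (prime result, state of A's copy after B's store, probe result)."""
    system = CoherentSystem(invalidation_based=invalidation_based)
    a, b = system.add_core("coreA"), system.add_core("coreB")
    line = 0x1000  # constructed line address
    prime = system.load(a, line)
    system.store(b, line)
    after_store = a.state(line)
    probe = system.load(a, line)
    return prime, after_store, probe


if __name__ == "__main__":
    for flag in (True, False):
        kind = "invalidation-based" if flag else "update-based (hypothetical)"
        print(kind, prime_probe_observation(flag))
```

Under the invalidation-based protocol the probe misses (the remote store emptied core A's copy); under the update-based contrast case it hits, so the remote store left nothing for core A to measure. That difference is the whole reason the paper singles out invalidation-based protocols, and it is why the authors argue hardware mitigations must address the coherence side of speculative stores rather than just the local cache fill that Flush+Reload observes.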

The researchers developed proof-of-concept malware for SpectrePrime and ran it on a MacBook with an Intel Core i7 Processor running a version of macOS Sierra that hadn't received Apple's Meltdown and Spectre patches.

"Averaged over 100 runs, we observed SpectrePrime to achieve the same average accuracy as Spectre on the same hardware -- 97.9 percent for Spectre and 99.95 percent for SpectrePrime," they write.

The mitigations for Meltdown and Spectre have involved a combination of software fixes, such as Microsoft and Linux versions of 'kernel page table isolation', and hardware fixes such as Intel's microcode updates. Both can cause performance overheads.

But while existing software mitigations will probably suffice for these new variants of Meltdown and Spectre, chipmakers like Intel and AMD are likely to need to develop different hardware mitigations, according to the researchers.
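Since the researchers expect existing software mitigations to cover the Prime variants, the practical question for an administrator is whether those mitigations are actually active on a given host. The check below is an added example, not from the article. On Linux 4.15 and later the kernel publishes one file per issue under `/sys/devices/system/cpu/vulnerabilities/` (for example `meltdown`, `spectre_v1`, `spectre_v2`), each holding a one-line status beginning with `Not affected`, `Vulnerable` or `Mitigation:` (such as `Mitigation: PTI` for kernel page table isolation). The `classify`, `read_status`, `summarize` and `build_sample_dir` functions and the sample file contents are constructed for this example; the code reads a directory of such files so it can be run offline against the constructed sample as well as against the real sysfs path.

```python
"""Report Linux's own view of Meltdown/Spectre mitigation status.

Added example, not from the article. Reads the per-issue status files the
kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and reduces each
to one of: not_affected, mitigated, vulnerable, unknown. A missing file
(kernel predating the interface, or a non-Linux host) is reported as unknown
rather than silently treated as safe.
"""
import os
import tempfile
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map the kernel's one-line status text to a coarse category."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, unreadable, or a format this script does not know


def read_status(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Return the raw status text per issue; '' when the file cannot be read."""
    result: Dict[str, str] = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(directory, issue), encoding="ascii") as handle:
                result[issue] = handle.read()
        except OSError:
            result[issue] = ""
    return result


def summarize(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Classified status per issue; the values are what a fleet check keys on."""
    return {issue: classify(text) for issue, text in read_status(directory).items()}


def needs_attention(summary: Dict[str, str]) -> bool:
    """True when any issue is still vulnerable or could not be determined."""
    return any(state in ("vulnerable", "unknown") for state in summary.values())


def build_sample_dir() -> str:
    """Constructed sample resembling a host with KPTI on but no Spectre v2 fix.
    The strings mirror the kernel's format; the combination is made up."""
    directory = tempfile.mkdtemp(prefix="vuln-sample-")
    samples = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable\n",
    }
    for issue, text in samples.items():
        with open(os.path.join(directory, issue), "w", encoding="ascii") as handle:
            handle.write(text)
    return directory


if __name__ == "__main__":
    target = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else build_sample_dir()
    report = summarize(target)
    for issue, state in report.items():
        print(f"{issue:12s} {state}")
    print("needs attention" if needs_attention(report) else "all mitigated")
```

Two caveats a practitioner should keep in mind: these files describe only what the kernel believes it has applied (KPTI, retpolines, microcode-backed features it detected), not whether a hypervisor or the firmware has done its part, and a status of `Mitigation:` says nothing about the performance cost the article mentions, which has to be measured separately.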

Previous and related coverage

Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show

The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.

Spectre reboot problems: Now Intel replaces its buggy fix for Skylake PCs

And offers patching tips from US CERT, which it failed to brief on the bugs.

Meltdown-Spectre: Malware is already being tested by attackers

Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.

Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix

The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.

Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers

Great work on patching your own products, but why were smaller tech companies kept in the dark?

Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming

Dell and HP have pulled Intel's firmware patches for the Spectre attack.

Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs

AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch

Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.

26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic)

Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.

Bad news: A Spectre-like flaw will probably happen again (CNET)

Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.
