X
Tech

Researchers discover seven new Meltdown and Spectre attacks

Experiments showed that processors from AMD, ARM, and Intel are affected.
Written by Catalin Cimpanu, Contributor

A team of nine academics has revealed today seven new CPU attacks. The seven impact AMD, ARM, and Intel CPUs to various degrees.

Two of the seven new attacks are variations of the Meltdown attack, while the other five are variations on the original Spectre attack -- two well-known attacks that have been revealed at the start of the year and found to impact CPUs models going back to 1995.

Also: MIT invention builds memory walls to protect against Meltdown, Spectre attacks

Researchers say they've discovered the seven new CPU attacks while performing "a sound and extensible systematization of transient execution attacks" -- a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU's internal caches, and other internal execution stages.

The research team says they've successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown-attacks did not succeed, according to a graph published by researchers.

new-meltdown-spectre-attacks.png
Image: Canella et al.

The seven new CPU attacks are detailed below, with the relevant information published by researchers in a paper they've released earlier today.

New Meltdown attacks

The original Meltdown attack was described as follows:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Several variations of the original Meltdown attack routine have been discovered since January this year when the original Meltdown and Spectre vulnerabilities came to light.

Attacks with Meltdown-like exploitation and effects that break the isolation between apps and the OS include past attacks known as Foreshadow (or L1TF), Variant 1.2, Variant 3a (CVE-2018-3640), and LazyFP.

Researchers have renamed all the previous attacks based on what part of the CPU's internal architecture they target and looked into the components that have not been explored by previous research to determine if they are too vulnerable.

new-meltdown-attacks.png
Image: Canella et al.

The new Meltdown attacks that the research team discovered are:

  • Meltdown-BR - exploits an x86 bound instruction on Intel and AMD
  • Meltdown-PK - bypasses memory protection keys on Intel CPUs

They also tried and failed to exploit other Meltdown attacks that targeted the following internal CPU operations:

  • Meltdown-AC - tried to exploit memory alignment check exceptions
  • Meltdown-DE - tried to exploit division (by zero) errors
  • Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism
  • Meltdown-SS - tried to exploit out-of-limit segment accesses
  • Meltdown-UD - tried to exploit invalid opcode exception
  • Meltdown-XD - tried to exploit non-executable memory

New Spectre attacks

The original Spectre vulnerability was described as follows:

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Even more than with Meltdown, new variations of Spectre attacks have popped up online on a regular basis. Past attacks that have grabbed headlines in tech news outlets include SpectreNG, SpectreRSB, or NetSpectre, just to name a few.

In an attempt to understand how this plethora of Spectre-like attacks worked and what parts of the CPU's internal architecture has been investigated until now, researchers re-classified and renamed the Spectre attacks based on the internal CPU operation they target, and then based on the mistraining mechanism they bypass.

The result is the first graph embedded in this article, and the table below:

new-spectre-attacks.png
Image: Canella et al.

In the chart/table above, the terms stand as follow:

  • Spectre-PHT - attack exploits the CPU Pattern History Table
  • Spectre-BTB - attack exploits the CPU Branch Target Buffer
  • Spectre-RSB - attack exploits the CPU Return Stack Buffer
  • Spectre-BHB - attack exploits the CPU Branch History Buffer

Based on the chart and table above, researchers found three new Spectre attacks that exploit the Pattern History Table mechanism and two new Spectre attacks against the Branch Target Buffer.

  • PHT-CA-OP
  • PHT-CA-IP
  • PHT-SA-OP
  • BTB-SA-IP
  • BTB-SA-OP

CPUs from AMD, ARM, and Intel are all affected by the five new Spectre attacks.

Vendors have been notified

The research team says they reported all their findings to the three CPU vendors whose processors they've analyzed, but that only ARM and Intel acknowledged their findings.

In addition, the research team also discovered that some vendor mitigations that have been already deployed have also failed to stop the seven new attacks, even if they should have, at least in theory. They provide the following table with the results of their tests of existing mitigations.

spectre-bypassed-mitigations.png
Image: Canella et al.

Responding to the research team's claims, Intel provided the following statement, suggesting the mitigations researchers tested might have not been applied correctly.

The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research

In their research paper, entitled "A Systematic Evaluation of Transient Execution Attacks and Defenses," the research team proposes their own set of defenses, that they argue could stop the attacks they've detailed.

The research paper published today is the result of months of research. Among its authors are the academics who discovered the original Meltdown and Spectre attacks, and some of their variations.

Today's findings aren't particularly new, at least for the security community. The research team has previously stated many times on Twitter that countless of Meltdown and Spectre variation attacks are waiting to be discovered.

Related coverage:

Best Black Friday 2018 deals:

Editorial standards