A team of nine academics has today revealed seven new CPU attacks. The seven affect AMD, ARM, and Intel CPUs to various degrees.
Two of the seven new attacks are variations of the Meltdown attack, while the other five are variations on the original Spectre attack -- two well-known attacks that were revealed at the start of the year and found to affect CPU models going back to 1995.
Researchers say they've discovered the seven new CPU attacks while performing "a sound and extensible systematization of transient execution attacks" -- a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU's internal caches, and other internal execution stages.
The research team says it has successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown attacks did not succeed, according to a graph published by the researchers.
The seven new CPU attacks are detailed below, with the relevant information taken from a paper the researchers released earlier today.
New Meltdown attacks
The original Meltdown attack was described as follows:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Several variations of the original Meltdown attack routine have been discovered since January this year, when the original Meltdown and Spectre vulnerabilities came to light.
Researchers have renamed all the previous attacks based on the part of the CPU's internal architecture they target, and looked into the components that had not been explored by previous research to determine whether they, too, are vulnerable.
The new Meltdown attacks that the research team discovered are:
Meltdown-BR - exploits the x86 bound instruction on Intel and AMD
Meltdown-PK - bypasses memory protection keys on Intel CPUs
They also tried, and failed, to mount other Meltdown attacks targeting the following internal CPU operations:
Meltdown-AC - tried to exploit memory alignment check exceptions
Meltdown-DE - tried to exploit division (by zero) errors
Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism
Meltdown-SS - tried to exploit out-of-limit segment accesses
Meltdown-UD - tried to exploit invalid opcode exceptions
Meltdown-XD - tried to exploit non-executable memory
New Spectre attacks
The original Spectre vulnerability was described as follows:
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Even more than with Meltdown, new variations of Spectre attacks have popped up online on a regular basis. Past attacks that have grabbed headlines in tech news outlets include SpectreNG, SpectreRSB, and NetSpectre, to name just a few.
In an attempt to understand how this plethora of Spectre-like attacks work and which parts of the CPU's internal architecture have been investigated so far, researchers re-classified and renamed the Spectre attacks first by the internal CPU component they target, and then by the mistraining mechanism they rely on.
The result is the first graph embedded in this article, and the table below.
In that chart and table, the terms stand for the following:
Spectre-PHT - attack exploits the CPU Pattern History Table
Spectre-BTB - attack exploits the CPU Branch Target Buffer
Spectre-RSB - attack exploits the CPU Return Stack Buffer
Spectre-BHB - attack exploits the CPU Branch History Buffer
Based on the chart and table above, researchers found three new Spectre attacks that exploit the Pattern History Table mechanism and two new Spectre attacks against the Branch Target Buffer.
CPUs from AMD, ARM, and Intel are all affected by the five new Spectre attacks.
Vendors have been notified
The research team says they reported all their findings to the three CPU vendors whose processors they've analyzed, but that only ARM and Intel acknowledged their findings.
In addition, the research team found that some vendor mitigations that have already been deployed failed to stop the seven new attacks, even though they should have, at least in theory. They provide the following table with the results of their tests of existing mitigations.
Responding to the research team's claims, Intel provided the following statement, suggesting the mitigations the researchers tested might not have been applied correctly.
The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research.
The research paper published today is the result of months of research. Among its authors are the academics who discovered the original Meltdown and Spectre attacks, and some of their variations.
Today's findings aren't particularly new, at least for the security community. The research team has previously stated many times on Twitter that countless Meltdown and Spectre variants are waiting to be discovered.