Researchers discover SplitSpectre, a new Spectre-like CPU attack

Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
Written by Catalin Cimpanu, Contributor

Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code.

The research team says this new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process of "speculative execution," an optimization technique used to improve CPU performance.

The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018.

The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out.

According to the research team, a SplitSpectre attack is far easier to execute than an original Spectre attack. Researchers explain:

Although Spectre v1 is powerful and does not rely on SMT (Simultaneous Multithreading), it requires [...] a gadget to be present in the victim's attack surface. Google Project Zero writes in their original blog post on Spectre v1 [46] that they could not identify such a vulnerable code pattern in the kernel, and instead relied on eBPF (extended Berkeley Packet Filter) to place one there themselves.
In this point lies the strength of our new Spectre v1 variant, SplitSpectre. As its name implies, it splits the Spectre v1gadget into two parts.

Researchers say the second half of this improved exploitation scenario can be run within the attacker's own malicious code, instead of the target's kernel, simplifying the exploitation procedure.

This figure shows how the original Spectre attack works (above), and how the slimmed-down SplitSpectre works (below):

Image: Mambretti et al.

Researchers say that this attack technically extends the length of the speculative execution window, which "is an instrumental part in extending the capabilities of [an][...] attacker."

For their academic paper, the research team says it successfully carried out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine.

Nonetheless, researchers said that existing Spectre mitigations would thwart the SplitSpectre attacks. This includes CPU microcode updates that CPU vendors have released over the past year, updates to popular code compilers to harden apps against Spectre-like attacks, and the browser-level modifications that browser vendors have shipped with post-January 2018 browser releases to make it infeasible to carry out web-based Spectre attacks.

However, if users have failed to install these updates, a SplitSpectre attack is theoretically possible.

"All things considered, our analyses lead us to conclude that the attack is viable, and that the ability to trigger it in practice depends on the identified microarchitectural properties of individual CPU families," researchers said.

Identifying these "microarchitectural properties of individual CPU families" is possible. In fact, the research into this new Spectre variation was aided by a new tool that the research team developed, named Speculator.

This new tool can allow targeted and precise measurement of microarchitectural characteristics, details that can be incorporated in designing more efficient SplitSpectre attacks. The research team plans to release this tool as open source in the future.

More on SplitSpectre can be found in an academic paper entitled "Let's Not Speculate: Discovering and Analyzing Speculative Execution Attacks."

It's no surprise that a new Spectre variation has come to light. The research team who found the initial Meltdown and Spectre attacks predicted this was going to happen. Members of that original research team published seven Meltdown and Spectre variations last month.

Related security coverage:

Editorial standards