Researchers discover seven new Meltdown and Spectre attacks
A team of nine academics has revealed today seven new CPU attacks. The seven impact AMD, ARM, and Intel CPUs to various degrees.
Two of the seven new attacks are variations of the Meltdown attack, while the other five are variations on the original Spectre attack -- the two well-known attacks revealed at the start of the year and found to impact CPU models going back to 1995.
Researchers say they've discovered the seven new CPU attacks while performing "a sound and extensible systematization of transient execution attacks" -- a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU's internal caches, and other internal execution stages.
The research team says they've successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown attacks did not succeed, according to a graph published by the researchers.
The seven new CPU attacks are detailed below, with the relevant information taken from a paper the researchers released earlier today.
New Meltdown attacks
The original Meltdown attack was described as follows:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Several variations of the original Meltdown attack routine have been discovered since January this year when the original Meltdown and Spectre vulnerabilities came to light.
Attacks with Meltdown-like exploitation and effects that break the isolation between apps and the OS include past attacks known as Foreshadow (or L1TF), Variant 1.2, Variant 3a (CVE-2018-3640), and LazyFP.
Researchers have renamed all the previous attacks based on the part of the CPU's internal architecture they target, and then looked into the components not explored by previous research to determine whether they are also vulnerable.
The new Meltdown attacks that the research team discovered are:
- Meltdown-BR - exploits the x86 bound instruction on Intel and AMD
- Meltdown-PK - bypasses memory protection keys on Intel CPUs
They also tried, and failed, to mount other Meltdown-style attacks targeting the following internal CPU operations:
- Meltdown-AC - tried to exploit memory alignment check exceptions
- Meltdown-DE - tried to exploit division (by zero) errors
- Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism
- Meltdown-SS - tried to exploit out-of-limit segment accesses
- Meltdown-UD - tried to exploit the invalid opcode exception
- Meltdown-XD - tried to exploit non-executable memory
New Spectre attacks
The original Spectre vulnerability was described as follows:
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Even more than with Meltdown, new variations of Spectre attacks have popped up online on a regular basis. Past attacks that have grabbed headlines in tech news outlets include SpectreNG, SpectreRSB, and NetSpectre, just to name a few.
In an attempt to understand how this plethora of Spectre-like attacks works and which parts of the CPU's internal architecture have been investigated so far, researchers re-classified and renamed the Spectre attacks first by the internal CPU component they target, and then by the mistraining strategy they rely on.
The result is the first graph embedded in this article, and the table below:
In the chart/table above, the terms stand for the following:
- Spectre-PHT - attack exploits the CPU Pattern History Table
- Spectre-BTB - attack exploits the CPU Branch Target Buffer
- Spectre-RSB - attack exploits the CPU Return Stack Buffer
- Spectre-BHB - attack exploits the CPU Branch History Buffer
Based on the chart and table above, researchers found three new Spectre attacks that exploit the Pattern History Table mechanism and two new Spectre attacks against the Branch Target Buffer. The suffixes encode the mistraining strategy: CA and SA stand for cross-address-space and same-address-space, and IP and OP for in-place and out-of-place mistraining.
- PHT-CA-OP
- PHT-CA-IP
- PHT-SA-OP
- BTB-SA-IP
- BTB-SA-OP
CPUs from AMD, ARM, and Intel are all affected by the five new Spectre attacks.
Vendors have been notified
The research team says they reported all their findings to the three CPU vendors whose processors they've analyzed, but that only ARM and Intel acknowledged their findings.
In addition, the research team also discovered that some vendor mitigations already deployed failed to stop the seven new attacks, even though, at least in theory, they should have. They provide the following table with the results of their tests of existing mitigations.
Responding to the research team's claims, Intel provided the following statement, suggesting the mitigations the researchers tested might not have been applied correctly.
The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research.
In their research paper, entitled "A Systematic Evaluation of Transient Execution Attacks and Defenses," the research team proposes its own set of defenses, which they argue could stop the attacks they've detailed.
The research paper published today is the result of months of research. Among its authors are the academics who discovered the original Meltdown and Spectre attacks, and some of their variations.
Today's findings aren't particularly new, at least for the security community. The research team has previously stated many times on Twitter that countless Meltdown and Spectre variants are waiting to be discovered.