Since 2018, a nearly endless series of attacks, commonly known as Spectre, has made Intel and AMD struggle to develop defenses to mitigate vulnerabilities that allow malware to extract passwords and other sensitive information directly from silicon. Now researchers say they’ve come up with a new attack that breaks most, if not all, on-chip defenses.
Spectre gets its name from its abuse of speculative execution, a feature in virtually all modern CPUs that predicts the instructions the CPU is likely to receive next and then executes down the path those instructions are likely to take. By using code that forces a CPU to execute instructions along the wrong path, Spectre can extract confidential data that would have been accessible had the CPU continued along that wrong path. These exploits are known as transient execution attacks.
Since Spectre was first described in 2018, new variants have popped up almost every month. In many cases, the new variants have required chipmakers to develop new or improved defenses to mitigate the attacks.
For example, an important Intel protection known as LFENCE prevents later instructions from being dispatched for execution before earlier instructions have completed. Other hardware- and software-based solutions, commonly known as “fencing,” build digital fences around secret data to protect against transient execution attacks that would otherwise allow unauthorized access.
Researchers at the University of Virginia said last week they found a new transient execution variant that breaks virtually all of the on-chip defenses Intel and AMD have implemented to date. The new technique works by targeting an on-chip buffer that caches “micro-ops,” which are simplified commands derived from complex instructions. By allowing the CPU to fetch the commands quickly and early in the speculative execution process, micro-op caches improve processor speed.
The researchers are the first to use the micro-op cache as a side channel, or medium, for leaking confidential data stored in a vulnerable computer system. By measuring the timing, power consumption, or other physical properties of a targeted system, an attacker can use a side channel to infer data that would otherwise be off limits.
“The micro-op cache as a side channel has several dangerous implications,” the researchers wrote in an academic paper. “First, it bypasses all techniques that mitigate caches as side channels. Second, these attacks are not detected by any existing attack or malware profile. Third, because the micro-op cache sits at the front of the pipeline, well before execution, certain defenses that mitigate Spectre and other transient execution attacks by restricting speculative cache updates still remain vulnerable to micro-op cache attacks.”
The paper continues:
Most existing invisible speculation and fencing-based solutions focus on hiding the unintended vulnerable side effects of speculative execution that occur at the back end of the processor pipeline, rather than inhibiting the source of speculation at the front end. That leaves them vulnerable to the attack we describe, which reveals speculatively accessed secrets through a front-end side channel, before a transient instruction has a chance to be dispatched for execution. This eludes a whole host of existing defenses. In addition, due to the relatively small size of the micro-op cache, our attack is significantly faster than existing Spectre variants that rely on priming and probing several cache sets to transmit secret information, and significantly more stealthy, because it uses the micro-op cache as its sole disclosure primitive, introducing fewer data/instruction cache accesses, let alone misses.
There has been some pushback since the researchers published their paper. Intel disagreed that the new technique breaks the protections already in place to guard against transient execution. In a statement, company officials wrote:
Intel reviewed the report and informed the researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software that follows our guidance already has protection against incidental channels, including the uop cache incidental channel. No new mitigations or guidance are needed.
Transient execution attacks use malicious code to exploit speculative execution. The exploits, in turn, bypass bounds checks, authorization checks, and other security measures built into applications. Software that follows Intel’s secure coding guidelines can withstand such attacks, including the variant introduced last week.
The key to Intel’s guidance is the use of constant-time programming, an approach in which code is written to be secret-independent. The technique the researchers introduced last week uses code that embeds secrets in the CPU’s branch predictors, and as such it doesn’t follow Intel’s recommendations, a company spokeswoman said on background.
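As an added illustration of what “secret-independent” code means in practice (example code written for this article, not from the paper or from Intel’s guidance), the routines below contrast a comparison whose control flow depends on the secret with a constant-time version, plus a branch-free select. The buffers and values are constructed for the demonstration, and the snippet deliberately ignores the extra work real constant-time code needs to stop a compiler from reintroducing branches.

```c
#include <stdint.h>
#include <stddef.h>

/* Variable-time comparison: returns at the first mismatching byte, so the
 * instructions fetched and executed (and therefore what lands in the micro-op
 * cache) depend on how much of the secret the input matches. */
int compare_variable_time(const uint8_t *secret, const uint8_t *input, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != input[i])
            return 0;   /* early exit: control flow is secret-dependent */
    }
    return 1;
}

/* Constant-time comparison: always touches all n bytes and never branches on
 * a secret-derived value; the OR-accumulated difference is collapsed to a
 * boolean arithmetically at the end. */
int compare_constant_time(const uint8_t *secret, const uint8_t *input, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ input[i]);
    /* (diff - 1) borrows into the high bits only when diff == 0 */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

/* Branch-free select: returns a when flag == 1, b when flag == 0. This is the
 * constant-time replacement for `secret_flag ? a : b`. */
uint32_t ct_select(uint32_t flag, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - (flag & 1u);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}
```

Production code additionally needs compiler barriers (or an audited library routine) so that optimizations do not turn the arithmetic back into a secret-dependent branch.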
AMD did not respond in time to be included in this post.
Another bit of pushback came in a blog post written by Jon Masters, an independent researcher in computer architecture. He said the paper, particularly the cross-domain attack it describes, is “interesting reading” and a “potential problem,” but that there are ways to fix the vulnerabilities, possibly by invalidating the micro-op cache when a privilege boundary is crossed.
“The industry had a huge problem with Spectre, and as a direct result a lot of effort was put into separating privileges, isolating workloads and using different contexts,” Masters wrote. “Some cleanup may be needed in light of this latest paper, but solutions are available, albeit always at a certain performance price.”
Not so easy
Ashish Venkat, a professor in the computer science department at the University of Virginia and co-author of last week’s paper, agreed that constant-time programming is an effective means of writing apps that are invulnerable to side-channel attacks, including the one described in last week’s paper. But he said the vulnerability being exploited resides in the CPU and should therefore get a microcode patch.
He also said that much of the software in use today remains vulnerable because it doesn’t use constant-time programming, and there’s no indication when that will change. He also echoed Masters’ comment that the coding approach slows down applications.
Constant-time programming, he told me, “is not only extremely difficult in terms of the programmer’s actual effort, but also poses significant implementation challenges associated with patching every sensitive software ever written. It is also typically used only for small, specialized security routines due to the performance overhead.”
Venkat said the new technique is effective against all Intel chips designed since 2011. He told me that AMD CPUs are not only vulnerable to the same cross-domain exploit, but also prone to a separate attack. It takes advantage of the simultaneous multithreading design, because the micro-op cache in AMD processors is competitively shared between threads. As a result, attackers can create a cross-thread covert channel that can transmit secrets with a bandwidth of 250 Kbps and an error rate of 5.6 percent.
Transient execution attacks carry serious risks, but at the moment they are mostly theoretical, as they are rarely, if ever, actively exploited. Software engineers, on the other hand, have much more cause for concern, and this new technique should only increase their concerns.