Tech Industry Tackles New CPU Attacks that Mimic Spectre and Meltdown
Two new speculative execution side-channel attacks disclosed this week share similarities to the "Meltdown" and "Spectre" attacks that were first reported in January.
The two attacks potentially affect the security of most processors in computers of all types. One of them, "Speculative Store Bypass," is also known as "Variant 4" of the Meltdown/Spectre class of attack methods that tap the normal speculative execution functions of processors to disclose kernel memory information.
Speculative Store Bypass was "independently discovered by Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn (@tehjh) of Google Project Zero (GPZ)," according to this Microsoft TechNet security research blog post, which offers a technical discussion. This attack method affects AMD, ARM and Intel chips "to varying degrees," according to the post. Microsoft considers the risk of Speculative Store Bypass to be "low."
For a nontechnical explanation of Speculative Store Bypass, see this description by Jon Masters, chief ARM architect at Red Hat.
In addition, Intel and Microsoft disclosed another attack method called "Rogue System Register Read," also known as "Variant 3a." This vulnerability could permit an attacker to bypass kernel Address Space Randomization protections, according to Microsoft's description, although the attacker would have to log on to a system and run software to exploit it. The fix will arrive as future microcode or firmware updates to processors released by chip makers. Unlike the other speculative execution variants, no operating system updates will be required to patch Variant 3a.
A general alert regarding the Variant 3a and Variant 4 speculative execution attack methods was posted on May 21 by the United States Computer Readiness Team (US-CERT), in this announcement, which includes helpful vendor and reference-material links.
Meltdown and Spectre
The new variants can be understood as being part of the Meltdown and Spectre attack methods disclosed by researchers and the computer industry on Jan. 3. The industry has been collaborating to address the security implications of Meltdown and Spectre, which potentially affect most processors, even though exploits hadn't been detected back then. In response, AMD, ARM Holdings and Intel have released microcode updates to chips, while Microsoft and Linux operating system makers have released OS updates.
With the new variants added, here's the roster of speculative execution vulnerabilities publicly disclosed so far:
Intel lists the processors affected by Variant 3a and Variant 4 in this document, which appears to be the bulk of their chips. Intel's "Overview" document on Variant 3a and Variant 4, with useful links to original equipment manufacturer (OEM) announcements and a FAQ, can be found here.
The industry partly addressed Variant 4 when it released updates in January for Variant 1. However, chip makers are still working on patches to enable "full mitigation," according to an explanation by Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corp., in an announcement. Intel has already released beta versions of the microcode updates to original equipment manufacturers and software vendors. Those releases include both Variant 3a and Variant 4 fixes. Publicly released updates are expected to arrive in "coming weeks," she indicated.
Culbertson also explained that the Variant 4 mitigation will be turned off by default, "providing customers the choice of whether to enable it." Intel expects that its OEM partners also will follow that practice. If the mitigation for Variant 4 is turned on, it'll have a performance effect.
"If enabled, we've observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems," Culbertson indicated.
AMD indicated in an announcement that the Speculative Store Bypass vulnerability will be addressed by updates from OS vendors (Windows and Linux), which will support its "Family 15 processors ('Bulldozer' products)." Variant 3a may not affect AMD processors.
"We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date," AMD's announcement stated.
ARM Holdings Details
ARM Holdings indicated in an announcement that most of its processors "are not impacted by any variation of this side-channel speculation mechanism." The announcement includes a table showing the processors that are affected.
ARM Holdings is still working on releasing a Variant 2 fix to some Cortex processors, which is expected to arrive in July. Variant 3a will require installing a software mitigation. Variant 4 can be addressed by disabling a hardware feature called "memory disambiguation," which will be available in "trusted firmware," according to ARM's announcement.
Future Cortex processors will be resilient to these types of attacks, ARM Holdings promised.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.