A new Spectre vulnerability is costly to patch but nearly impossible to exploit

mongeese

Posts: 483   +109
Staff member
TL;DR: Researchers from the University of Virginia and the University of California, San Diego discovered three Spectre vulnerabilities in AMD and Intel processors during their study of the micro-op cache. The vulnerabilities bypass existing Spectre mitigations, and the researchers predict that their proposed low-level fixes would incur an expensive performance penalty. However, they acknowledge that exploiting these might prove too difficult to justify harsh mitigations.

The three newly discovered vulnerabilities are in the design of the micro-op cache, a feature of modern CPUs present in AMD processors from 2017 onwards and Intel CPUs from 2011 onwards. The micro-op cache improves a processor’s performance by storing low-level instructions that are spawned as the processor breaks complex instructions down into computable arithmetic. It hasn’t been the subject of much investigative research, until now, because AMD and Intel document their micro-op cache designs poorly to conceal their proprietary designs.

The groundwork of the researchers’ attack is laid by two types of code structures, which they’ve called tigers and zebras. Both sit inside the micro-op cache. Tigers can evict a given code region by mimicking its structure and occupying all the same places. Zebras go unnoticed by hiding in all the unoccupied places. Together, they can assume control of a micro-op cache by exploiting its timing effects.

Like a zebra leading a hungry tiger to a tent full of people, the researchers’ malicious code leverages the structure of the micro-op cache to expose the private data that passes through it. The first vulnerability can be leveraged to leak information across domains on the same thread, the second can be used to leak information across two threads running on the same physical core, and the third enables two types of attacks that reveal information transited in mis-speculated paths.

"Due to the relatively small size of the micro-op cache, [the new] attack is significantly faster than existing Spectre variants that rely on priming and probing several cache sets to transmit secret information," the researchers say. It’s also "considerably more stealthy, as it uses the micro-op cache as its sole disclosure primitive, introducing fewer data/instruction cache accesses, let alone misses."

Mitigating the new vulnerabilities with any of the methods suggested by the researchers could incur a "much greater performance penalty" than current Spectre mitigation does. Their least penalizing approach is a strategy of exploitation detection, but they foresee it having a considerable error rate. Their other two strategies, partitioning and flushing, result in "heavy underutilization" of the micro-op cache and are broadly equivalent to disabling the cache outright (which in itself isn't viable).

Fortunately, the exploitation of micro-op cache vulnerabilities is believed to require a high level of access to the target system, which standard security systems can prevent. While the researchers note that additional work is required to fully assess the risk posed by the new vulnerabilities, they don't merit as much concern as some previous Spectre vulnerabilities. Both AMD and Intel were notified about them before their publication, and haven’t announced that they’re developing patches.

Update (5/2): The University of Virginia reached out to us to emphasize that the vulnerabilities are exploitable and should be mitigated against, even if the risk posed isn’t imminent. The researchers intend to collaborate with AMD and Intel and the wider cybersecurity community to overcome the "significant challenges" relating to the performance penalties of the mitigations.

Image credit: Niek Doup

Permalink to story.

 

Hardware Geek

Posts: 339   +355
I'd be interested in finding out how much of a performance penalty the fixes actually are and whether AMD or Intel is most impacted. There will be mission critical systems that will have to be patched despite the performance penalty.
 
Last edited:

Theinsanegamer

Posts: 2,400   +3,484
I'd be interested in finding put how much of a performance penalty the fixes actually are and whether AMD or Intel is most impacted. There will be mission critical systems that will have to be patched despite the performance penalty.
The researchers themselves stated this new spectre requires high level access, which traditional security already protects against. This is one of those "if they get this far you're already boned" level vulnerabilities.
 

envirovore

Posts: 151   +349
TechSpot Elite
The researchers themselves stated this new spectre requires high level access, which traditional security already protects against. This is one of those "if they get this far you're already boned" level vulnerabilities.

I, like Hardware Geek, am also interested in the impact a fix would have.
Not because I'm worried about this having any impact in my system (I totally agree with you, if someone has this level access to a system, then this vulnerability should really be the last of your concerns), but if only for knowing.

It's really the same reason I appreciate sites like this, ArsTechnica, and wccftech reporting on any vulnerability, even if it's not something thats going to realistically impact you or I (in the 'at home typical user' sense), if only to show that for as much progress we make there will always be an issue hidden somewhere.

The ever shrinking game of cat and mouse.
 

arrowflash

Posts: 327   +342
I'd say the performance cost has already heavily outweighed the risks in past Spectre vulnerabilities.

Let's see if sanity and reason prevail this time around. Just release standalone patches that must be installed manually for those that want it. Patches that heavily impact system performance shouldn't be part of the autoupdate stream in any OS.

If I had my tinfoil hat on, I'd say these researchers are in cahoots with chip manufacturers, who'd love anything that would accelerate their chips' obsolence in an era that left Moore's Law behind.
 

Theinsanegamer

Posts: 2,400   +3,484
I'd say the performance cost has already heavily outweighed the risks in past Spectre vulnerabilities.

Let's see if sanity and reason prevail this time around. Just release standalone patches that must be installed manually for those that want it. Patches that heavily impact system performance shouldn't be part of the autoupdate stream in any OS.

If I had my tinfoil hat on, I'd say these researchers are in cahoots with chip manufacturers, who'd love anything that would accelerate their chips' obsolence in an era that left Moore's Law behind.
You would need that to foil hat, considering the jaw dropping level of performance gain AMD has managed the last 4 years.
 

Bobbydpue

Posts: 75   +52
The researchers themselves stated this new spectre requires high level access, which traditional security already protects against. This is one of those "if they get this far you're already boned" level vulnerabilities.
That didn't stop people from mocking Intel, but as soon as AMD had the same problem then people start taking a closer look at it.

Does everyone know neither company cares about them? Buy the best product you can afford no matter who makes it and ignore benchmarks for applications you don't use since that doesn't matter.

Finally these vulnerabilities allow someone in a very specific situation and with very specific access to get small bits of un-encrypted data. If your data isn't encrypted no one would need to exploit this specific vulnerability since having elevated privileges would give a person all the access they needed.

 

BadThad

Posts: 449   +421
My worries over these variants = ZERO

I'm not willing to sacrifice performance for a 1 in a trillion chance I would get one of these! Haxors can have my data if they want it so bad, it will be worthless to them anyway. As far as screwing up my machine, I could also care less, it would do little more than tee me off for a short bit as I reinstall or reimage my system which takes less than an hour.
 

Avro Arrow

Posts: 1,140   +1,269
TechSpot Elite
After all the negative press that the Spectre exploit generated, how is this still a thing? Why hasn't Intel fixed it already? It's not like they haven't had enough time.
 

Bobbydpue

Posts: 75   +52
After all the negative press that the Spectre exploit generated, how is this still a thing? Why hasn't Intel fixed it already? It's not like they haven't had enough time.
"The three newly discovered vulnerabilities " These are new and affect both intel and AMD, though they really don't. Clearly you have no idea how this works or you wouldn't be typing these comments. This exploit takes a specific person, with a specific set of skills, who's able to gain full access to the system and has to attack a specific computer for a very very long time to get enough data to be useful. This isn't the type of attack that affects normal users it affects corporations worth billions and those companies would have systems in place to reduce the chances someone can get root access which is the access a person needs to attempt to exploit any of these vulnerabilities. If you don't encrypt your data this vulnerability doesn't affect you since a person would only need read access to access your data.
 

Avro Arrow

Posts: 1,140   +1,269
TechSpot Elite
"The three newly discovered vulnerabilities " These are new and affect both intel and AMD, though they really don't. Clearly you have no idea how this works or you wouldn't be typing these comments. This exploit takes a specific person, with a specific set of skills, who's able to gain full access to the system and has to attack a specific computer for a very very long time to get enough data to be useful. This isn't the type of attack that affects normal users it affects corporations worth billions and those companies would have systems in place to reduce the chances someone can get root access which is the access a person needs to attempt to exploit any of these vulnerabilities. If you don't encrypt your data this vulnerability doesn't affect you since a person would only need read access to access your data.
You're right. I don't know how this works. I don't have that specific set of skills because I'm not a hacker. However, I do expect that people who DO have this specific set of skills were hired by the chipmakers after these exploits were originally discovered to investigate whether or not more exist. That's what I would have done if I were them and it would seem like common sense that if an exploit was discovered that we didn't know about, it might not be the only one. I would want to be certain that no more existed. I don't think that this is an unreasonable idea.