Monday, May 3rd 2021
New Spectre Vulnerability Version Beats All Mitigations, Performance to Badly Degrade After the Fix
Researchers from the University of Virginia and the University of California San Diego have published their latest case study. The two universities have discovered a new Spectre vulnerability variant that can bypass all of the existing Spectre mitigations and exploit all of the existing processors coming from Intel and AMD. The vulnerability affects all existing x86 processors, and as it is new, no hardware mitigations have been implemented for it. The whitepaper, called "I see dead μops", describes how micro-op caches can be exploited to leak data from the processor, resulting in a Spectre-type exploit.
Modern x86 processors break down complex instructions into smaller RISC-like units called micro-ops in the frontend, which makes the design of the backend much simpler. The micro-ops are stored in the micro-op cache. The paper describes micro-op cache-based timing channel exploits in three primary settings: "(a) across code regions within the same thread, but operating at different privilege levels, (b) across different co-located threads running simultaneously on different SMT contexts (logical cores) within the same physical core, and (c) two transient execution attack variants that leverage the micro-op cache to leak transiently accessed secrets, bypassing several existing hardware and software-based mitigations, including Intel's recommended LFENCE."
For more details about the ways of exploiting the data, it is recommended to read the paper in full. However, if you are wondering about the possible mitigations of this exploit, there could be some bad news regarding performance. Both Intel and AMD have been informed about the attack, and a solution is coming our way. However, since the exploit targets a low-level caching structure, the researchers believe a possible solution would come with a severe degradation of performance. Intel and AMD may yet find a solution whose cost is modest rather than severe. We must wait to find out.
Sources:
I See Dead μops Paper, via forum member P4-630 (Thanks for the tip!)
77 Comments on New Spectre Vulnerability Version Beats All Mitigations, Performance to Badly Degrade After the Fix
Nothing we haven't seen before... Superscalar out of order with the levels of speculative execution and caching that are enabled by modern processes will always be vulnerable to this kind of attack. Go make a new paradigm if you want to build something that's secure from the ground up, but trust me, you'll lose a lot of performance along the way.
Return to monke
Although IMO most of this stuff has been wildly overblown, the majority of CPU attacks require a pre pwned system with remote administrator/BIOS access. I can see emergency patches for the remote execution ones, but the rest should be optional IMO.
@R-T-B
Perhaps someone cleverer than me can tell me why adding its signature/behaviour to antivirus/antimalware wouldn't solve the issue?
Hardware security was flawed from the get go, do not trust the machine you run on as a programmer if your data is sensitive. If it is, treat it as such. Otherwise, this'll be an endless uphill battle. Because once the behavior has happened, it's usually too late? The targeted data was already taken. I hate this gameshow.
A few are and a few aren't, hence we all got reduced performance cause it wasn't overblown.
But all Spectre-like attacks are not critical.
I have been waiting for TPU to pick this up, so I can finally correct the bad reporting, and the terrible assumptions users who can't read make.
Neat takeaways from this white paper:
- They only specify "Skylake" but fail to say which rendition of the arch, and it's important to note, after initial Skylake protection has been built in on an arch level
- They mention "Zen" testing, but not which one. Zen is old and been around a while, they make a uOP mention with "Zen2" but it's just an example.
- They mention ARM in the title and the text, but never actually show testing done with the ARM arch.
People are already questioning the methods used in this work as the flaws mentioned above are a pretty big deal.
Remember kids, 100% of people that drink water die.
Until this happens, we should expect a stream of new Spectre class exploits. Local access is required, as usual. These vulnerabilities are not a real problem for consumers or non-cloud servers, so software mitigations should really be opt-in. There is no reason for all of us to suffer. Well, this is exactly why we do security in layers. Sooner or later you should expect a vulnerability in one layer.
The real elephant in the room is the perpetual stupidity of (public) cloud computing, where a vulnerability on any layer can potentially bypass nearly all security measures. Nothing sensitive should ever run in the public cloud, unfortunately it does. Yes. Consumers should not worry about the exploits, only about the mitigations. I wish patches were opt-in. Because antimalware doesn't have the ability to stop any attack, just identify known bad software.
This is why there are endless streams of new virus variants for Windows, until the specific underlying vulnerabilities (/design faults) are resolved.
If you find a vulnerability, you can just make a script that makes thousands of small variants of the program performing the exploit, resulting in different binary signatures, and the cat and mouse game is on. Antimalware doesn't work the way people think, they can never fix an exploit, and it's even debatable whether they do much "good" at all. Having privileged software like this may even open up new attack vectors, and there is even some antimalware software that can be regarded as malware/spyware itself.