A team of researchers from the Universities of Virginia and California has developed a new hardware attack that bypasses Spectre protections. The attack allows data to be stolen when the processor fetches instructions from its micro-op cache.
The new vulnerability affects billions of computers and other devices around the world, and the researchers say it will be much more difficult to fix than previous speculative execution vulnerabilities.
In their study, “I see dead µops: leaking secrets via Intel/AMD micro-op caches”, the scientists presented three attacks that bypass Spectre protections.
To improve the performance of the Intel and AMD x86 processor architectures introduced in 2011, complex instructions are broken into small instructions and stored in the micro-op cache, so they can be retrieved during speculative execution (the process of executing an instruction in whole or in part before it becomes clear whether that execution is actually needed).
Spectre attacks disrupt speculative execution and allow attackers to gain access to sensitive data while the processor executes instructions along the wrong path.
Since speculative execution is a hardware function, it is extremely difficult to fix a vulnerability without disabling the function entirely.
According to Venkat, Intel’s LFENCE Spectre mitigation mechanism puts sensitive code in a waiting area while it passes security checks. Only when all checks have passed can the code be executed. However, LFENCE is useless against attacks on the micro-op cache, which happen early, since LFENCE takes effect only in the late stages of speculative execution.
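To show where LFENCE sits in code, here is an added example (not taken from the paper or from Intel) of a bounds-checked two-level table lookup, first without and then with the fence. The tables, function names and SPEC_BARRIER macro are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* LFENCE: later instructions do not begin executing until it completes. */
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Non-x86 build: compiler barrier only, so the file still compiles. */
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 16
/* Constructed sample data: every table[] value indexes into sbox[]. */
static const uint8_t table[TABLE_LEN] = {3, 1, 4, 1, 5, 9, 2, 6,
                                         5, 3, 5, 8, 9, 7, 9, 3};
static const uint8_t sbox[256] = {0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b,
                                  0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b,
                                  0xfe, 0xd7, 0xab, 0x76};

/* Unfenced: if the branch is predicted "in range", both loads can run
 * speculatively with an out-of-range idx before the check resolves. */
int lookup_unfenced(size_t idx) {
    if (idx < TABLE_LEN)
        return sbox[table[idx]];
    return -1;
}

/* Fenced: the loads wait until the bounds check has actually resolved.
 * The fence acts at the execution stage; per the article, micro-op cache
 * fetches happen earlier, so this placement does not cover that attack. */
int lookup_fenced(size_t idx) {
    if (idx < TABLE_LEN) {
        SPEC_BARRIER();
        return sbox[table[idx]];
    }
    return -1;
}

int main(void) {
    /* Architecturally both variants return the same results. */
    printf("in range:     %d %d\n", lookup_unfenced(0), lookup_fenced(0));
    printf("out of range: %d %d\n", lookup_unfenced(16), lookup_fenced(16));
    return 0;
}
```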
Intel and AMD have been notified of the issue, but fixing it will be extremely difficult.
Patches that disable the micro-op cache or stop speculative execution on legacy hardware roll back critical performance innovations in most modern Intel and AMD processors, and this is unacceptable.
Let me remind you that I also talked about the fact that Google experts published a PoC exploit for Spectre that targets browsers, and also that new vulnerabilities help to bypass protection from Spectre on Linux systems.