13-05-2021 | By Robin Mitchell
Recently, researchers demonstrated a new range of Spectre attacks that leave most modern computers vulnerable, but Intel and AMD have refuted the claims by the researchers. So what is a spectre attack, what did the researchers demonstrate, and are Intel and AMD wrong?
Before we go into the specifics of a Spectre attack, let us first bow our heads and appreciate that the only reason why security systems need to be integrated into modern hardware is that a small minority of people like to ruin technology for everyone else.
A Spectre is a vulnerability that affects the branch prediction mechanism in modern microprocessors. If you know what branch prediction is, you can probably guess how attackers can use this to their advantage.
Older CPUs would read instructions one at a time and only process instructions that were actually being executed. However, during the execution of an instruction, large portions of the CPU may be left unused, which is an inefficient use of hardware. This can be solved with pipe-lining whereby instructions are separated into their specific steps (fetch, decode, execute, store), and each stage can operate on one part of an instruction. Typically, pipe-lining can get a four-stage instruction processor to operate on one clock cycle (but requires four clock cycles to initiate the process).
However, when a jump on condition instruction is met, the pipeline must be cleared as the instructions in waiting may not be the instructions that need to be executed next. To reduce the need for flushing the pipeline, branch prediction can be deployed which looks at instructions with conditions and tries to predict which instructions will follow next.
A Spectre attack takes advantage of the use of speculative execution in branch prediction and works like this:
A data array holds four elements, and a number is defined to have a value of 1000. If the input value is less than the size of the data array, then store the contents of that array (pointed by input) into another location. While the if statement would never execute, speculative execution assumes it to be true, and then executes the next instruction. This allows the viewing of potentially private areas of memory.
Recently, researchers from the University of Virginia and the University of California at San Diego announced in a paper of new spectre attacks that affect all modern processors. The new attacks target the micro-op cache in processors which stores instructions and data for execution during speculative execution. The micro-op cache helps to dramatically increase the performance of processors and reduce power consumption as the CPU can spend less time fetching data from RAM and less time and energy decoding instructions.
The vulnerabilities outlines by the researchers allow for a range of attacks including the use of a thread-cross domain, attacks on processes on the same core, and gaining data on speculated paths. According to the researchers, the discovery of the micro-op attack is more stealthy than typical spectre attacks and potentially more dangerous as it solely relies on the use of the micro-op, which is hard to protect. One solution against the attack is to flush the micro-op cache frequently, but this would significantly affect performance.
Despite the research paper, Intel made a statement regarding the new attacks saying that such attacks are already covered in their Secure Coding Guidance. Furthermore, they also refuted the paper's claims and noted that existing mitigations were not being bypassed. However, the research paper released by the researchers clearly demonstrates successful attacks on modern processors. Still, it should be noted that the paper does not mention if the latest architectures are being used.
According to the Secure Coding Guidance by Intel, secure data should never be placed in a cache or area of code that uses branching. Furthermore, the guidance also notes that application runtime should be independent of secrete values, that code access patterns are independent of secrete values, and that data access patterns are independent of secrete values. Simply put, a commonly executed routine should not require the use of a password, key, or UID.