A researcher with Indian ancestry has warned that ‘Spectre,’ a vulnerability first discovered in 2018, is available to hackers once again and has exposed billions of computers and other devices around the world.
Since the discovery of ‘Spectre,’ the world’s best computer scientists from industry and academia have focused on software fixes and hardware defences, confident that they’ve been able to secure the most vulnerable points in the speculative execution phase without significantly slowing down processing speeds.
Researchers at the University of Virginia’s School of Engineering and Applied Science, UVA Engineering, led by Ashish Venkat, discovered that computer processors are once again vulnerable to hackers.
They discovered a brand-new way for hackers to take advantage of something known as a “micro-op cache,” which accelerates computation by storing basic commands and allowing the processor to retrieve them quickly and early in the speculative execution phase.
Since 2011, micro-op caches have been used in Intel computers.
Venkat’s team discovered that hackers might steal data when a processor fetches commands from the micro-op cache.
“Imagine a hypothetical airport security scenario in which TSA allows you to enter without checking your boarding pass because (1) it is fast and effective, and (2) you will be checked for your boarding pass at the gate anyway,” Venkat explained.
A computer processor performs a similar function. It anticipates that the check will pass, allowing instructions to enter the pipeline.
“If the prediction is wrong, it would eventually throw those instructions out of the pipeline,” he said. “However, this could be too late because those instructions could leave side-effects while waiting in the pipeline that an attacker could later manipulate to infer secrets such as a password.”
All existing ‘Spectre’ protections are ineffective against the latest attacks from Venkat’s team because they shield the processor at a later stage of speculative execution.
The team discovered two variants of the attacks that can steal speculatively accessible data from Intel and AMD processors.
“Intel’s proposed Spectre protection, known as LFENCE,” Venkat explained, “places sensitive code in a waiting area before the security checks are completed, and only then is the sensitive code authorised to execute.”
“However, it turns out that the waiting area’s walls have ears, which our assault takes advantage of. We demonstrate how an intruder can use the micro-op cache as a hidden channel to smuggle secrets into it.”
It would be even more difficult to patch this newly discovered flaw.
In the case of previous ‘Spectre’ attacks, developers devised a reasonably simple method of preventing any kind of attack without sacrificing significant computing performance.
“The difference with this assault is that you take a much higher performance penalty than you did with the previous attacks,” PhD student Logan Moody explained.
Venkat’s team has informed Intel and AMD’s product security teams about the flaw.
The highly competitive International Symposium on Computer Architecture, or ISCA, has accepted the team’s paper.