Since 2018, an almost endless series of attacks broadly known as Spectre has kept Intel and AMD scrambling to develop defenses that mitigate vulnerabilities allowing malware to pull passwords and other sensitive information directly out of silicon. Now, researchers say they have devised a new attack that breaks most, if not all, of those on-chip defenses.
Spectre gets its name from its abuse of speculative execution, a feature in virtually all modern CPUs that predicts which instructions the CPU is likely to execute next and starts executing down that path before the prediction has been confirmed. By using code that forces a CPU to execute instructions down the wrong path, Spectre can extract confidential data that would have been accessed had the CPU continued down that path. These exploits are known as transient execution attacks.
Since Spectre was first described in 2018, new variants have surfaced almost every month. In many cases, the new variants have required chipmakers to develop new or augmented defenses to mitigate the attacks.
A key Intel protection known as LFENCE, for instance, ensures that instructions after it are not dispatched for execution until all instructions before it have completed, so that code following a bounds check cannot run speculatively before the check has resolved. Other hardware- and software-based solutions, known broadly as “fencing”, build digital fences around secret data to protect it from transient execution attacks that would otherwise read it without authorization.
Researchers from the University of Virginia said last week that they have found a new transient execution variant that breaks virtually all of the on-chip defenses Intel and AMD have put in place to date. The new technique works by targeting an on-chip buffer that caches “micro-ops”, the simplified commands into which complex instructions are decoded. By letting the CPU fetch these commands quickly and early in the speculative execution process, the micro-op cache improves processor speed.
The researchers are the first to exploit the micro-op cache as a side channel, that is, as a medium for observing and extracting secrets from inside a vulnerable computer system. By measuring the timing, power consumption, or other physical properties of a target system, an attacker can use a side channel to infer information that would otherwise be off limits.
“The micro-op cache as a side channel has several dangerous implications,” the researchers wrote in an academic paper. “Second, these attacks are not detected by any existing attack or malware profile. Third, because the micro-op cache sits at the front of the pipeline, well before execution, certain defenses that mitigate Spectre and other transient execution attacks by restricting speculative cache updates still remain vulnerable to micro-op cache attacks.”
The paper continues:
Most existing invisible-speculation and fencing-based solutions focus on hiding the unintended, vulnerable side effects of speculative execution that occur at the back end of the processor pipeline, rather than inhibiting the source of speculation at the front end. That makes them vulnerable to the attack we describe, which leaks secrets through the front-end micro-op cache before a transient instruction has the chance to be dispatched for execution. This eludes a whole suite of existing defenses. Furthermore, because the micro-op cache is relatively small, our attack is significantly faster than existing Spectre variants, which rely on priming and probing several cache sets to transmit secret information, and it is considerably more stealthy, since it uses the micro-op cache as its sole disclosure primitive, introducing fewer data/instruction cache accesses, let alone misses.
There has been some pushback since the researchers published their paper. Intel disputes that the new technique breaks the defenses already in place against transient execution attacks. In a statement, a company official wrote:
Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already has protections against incidental channels, including the uop cache incidental channel. No new mitigations or guidance are needed.
Transient execution attacks use malicious code to exploit speculative execution. The exploits, in turn, bypass bounds checks, authorization checks, and other security measures built into applications. Software that follows Intel’s secure coding guidance is resistant to such attacks, including the ones unveiled last week.
The key to Intel’s guidance is the use of constant-time programming, a method of writing code so that its control flow, memory accesses and timing do not depend on secrets. The technique the researchers unveiled last week uses code that plants secrets in the CPU’s branch predictor, so it does not follow Intel’s guidance, a company spokeswoman said on background.
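The C below is an added example, not code from the article, from Intel, or from the University of Virginia paper. It shows the classic Spectre bounds-check-bypass gadget that the fencing described earlier is meant to close, two portable ways of closing it (a speculation barrier of the LFENCE kind, and the index-masking trick the Linux kernel uses), and the constant-time comparison and table-lookup patterns that Intel’s guidance refers to. All names, the sample data and the `speculation_barrier` helper are constructed for illustration; the block only exercises architectural behaviour and does not itself measure a cache or micro-op cache side channel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PUBLIC_LEN 16
#define CACHE_LINE 64

/* Constructed sample data: an array the caller may legitimately index. In a real
 * victim the interesting secret would be whatever sits in memory past its end. */
static const uint8_t public_data[PUBLIC_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };

/* Constructed authentication tags for the constant-time comparison below. */
static const uint8_t sample_tag[4]     = { 1, 2, 3, 4 };
static const uint8_t sample_tag_bad[4] = { 1, 2, 3, 5 };

/* Attacker-observable array, one cache line per possible byte value: a byte loaded
 * speculatively through it leaves a footprint the attacker can later time. */
static uint8_t probe[256 * CACHE_LINE];

/* Spectre-v1 gadget. Architecturally correct (out-of-range idx returns 0), but once
 * the predictor has been trained on in-range idx the CPU runs both loads
 * speculatively for an out-of-range idx too, touching probe[<byte past the array> * 64]. */
uint8_t gadget_vulnerable(size_t idx) {
    if (idx < PUBLIC_LEN)
        return probe[public_data[idx] * CACHE_LINE];
    return 0;
}

/* Mitigation 1: a speculation barrier after the check. The instruction is target
 * specific, so it is chosen at compile time (hypothetical helper, not Intel's). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");        /* Intel's LFENCE */
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory"); /* heavy but generally available on Arm */
#else
    __asm__ __volatile__("" ::: "memory");              /* assumption: no barrier known here */
#endif
}

uint8_t gadget_fenced(size_t idx) {
    if (idx < PUBLIC_LEN) {
        speculation_barrier();   /* nothing below is dispatched until the check resolves */
        return probe[public_data[idx] * CACHE_LINE];
    }
    return 0;
}

/* Mitigation 2: index masking, after the Linux kernel's array_index_nospec().
 * Returns all ones when idx < len and zero otherwise using arithmetic only, so a
 * mispredicted branch cannot yield an out-of-range index. Assumes len <= SIZE_MAX/2
 * and a two's-complement arithmetic right shift (true of mainstream compilers). */
static inline size_t index_mask_nospec(size_t idx, size_t len) {
    /* For idx < len, (idx | (len - 1 - idx)) has its top bit clear; for idx >= len the
     * subtraction wraps and sets it. Complement, then smear the top bit across the word. */
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

uint8_t gadget_masked(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);   /* mispredicted path sees idx == 0 */
        return probe[public_data[idx] * CACHE_LINE];
    }
    return 0;
}

/* Constant-time comparison: no early exit, so timing does not reveal where the first
 * mismatch is. Returns 1 if equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)((diff - 1u) >> 31);   /* diff == 0 wraps to 0xFFFFFFFF, giving 1 */
}

/* Constant-time table lookup: every entry is read and the wanted one selected with a
 * mask, so neither the branch predictor nor any cache sees which index was secret.
 * Requires secret_idx < len. */
uint8_t ct_table_lookup(const uint8_t *table, size_t len, size_t secret_idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < len; i++) {
        /* eq == 1 exactly when i == secret_idx: the XOR is zero only then, and zero
         * minus one wraps to a value whose top bit is set. */
        size_t eq = ((i ^ secret_idx) - 1) >> (sizeof(size_t) * 8 - 1);
        uint8_t mask = (uint8_t)(0 - (uint8_t)eq);   /* 0xFF or 0x00 */
        out |= table[i] & mask;
    }
    return out;
}

int main(void) {
    printf("gadgets at idx 3: %u %u %u\n", gadget_vulnerable(3), gadget_fenced(3), gadget_masked(3));
    printf("masked gadget at idx 100: %u (mask %zx)\n", gadget_masked(100), index_mask_nospec(100, PUBLIC_LEN));
    printf("ct_memeq: same=%d different=%d\n", ct_memeq(sample_tag, sample_tag, 4), ct_memeq(sample_tag, sample_tag_bad, 4));
    printf("ct_table_lookup[5] = 0x%02x\n", ct_table_lookup(public_data, PUBLIC_LEN, 5));
    return 0;
}
```

Build with `cc -O2 spectre_patterns.c` (a hypothetical file name). Two caveats a practitioner should keep in mind: an optimizing compiler is free to rewrite the "constant-time" functions into branches unless the build is checked (inspect the disassembly, or use a tool such as dudect or ctgrind), and the masked and fenced gadgets close only this bounds-check-bypass pattern. They say nothing about the micro-op cache attack in the paper, which leaks through the front end before dispatch, which is exactly why Intel's answer is constant-time code rather than a new fence.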
AMD did not provide a response in time for this post.
Additional pushback came in a blog post by Jon Masters, an independent computer architecture researcher. He said that the paper, and particularly the cross-domain attacks it describes, are a “compelling read” and “a potential concern”, but that there are ways to fix the vulnerabilities, possibly by invalidating the micro-op cache when crossing privilege boundaries.
“The industry has a big problem on its hands with Spectre, and one direct consequence is a massive effort to separate privilege, separate workloads, and use different contexts,” Masters wrote. “This latest paper may require some cleanup, but there are always mitigations available, albeit always at a performance cost.”
Not so easy
Ashish Venkat, a professor in the University of Virginia’s computer science department and a co-author of last week’s paper, agrees that constant-time programming is an effective means of writing applications that are immune to side-channel attacks, including the one described in last week’s paper. But he said the exploit resides in the CPU and therefore merits a microcode patch.
He also said that most software today remains vulnerable because constant-time programming is not used, and there is no indication when that will change. He also echoed observations from other experts that the coding guidelines slow down applications.
“Constant-time programming is not only very hard in terms of the actual programmer effort, but it also presents significant deployment challenges involving modifying all sensitive software ever written,” he told me. “It is typically used only for small security routines, especially due to the performance cost.”
Venkat says the new technique works on all Intel chips designed since 2011. He told me that, besides being vulnerable to the same cross-domain exploits, AMD CPUs are also vulnerable to a separate attack that exploits their simultaneous multithreading design, since the micro-op cache in AMD processors is shared between competing threads. As a result, attackers can create a cross-thread covert channel capable of transmitting secret data at 250 Kbps with a 5.6 percent error rate.
Transient execution poses a serious risk, but for the time being it is mostly theoretical, because it is rarely, if ever, exploited in the wild. Software engineers, on the other hand, have more reason for concern, and the new technique should only add to it.