Microsoft has expanded its bug bounty programs to include monetary rewards for vulnerabilities that stem from speculative execution, a feature in modern processors that sits at the core of the Meltdown and Spectre vulnerabilities disclosed this year.
Speculative execution is a performance mechanism in which the CPU uses branch-prediction algorithms to guess in advance which path a program will take when it reaches a conditional branch. The CPU executes instructions down the path it considers most likely before the program has actually made the decision. If the guess proves incorrect, the results of the speculative execution are discarded and execution continues down the correct path.
The Meltdown and Spectre attacks rely on so-called side-channel techniques to extract data produced by speculative execution before it’s discarded. The researchers who discovered the flaws used CPU cache access times as the side-channel but warned in their paper that other techniques are likely possible.
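As an added illustration of the Spectre variant 1 pattern this article refers to, the following C is example code written for this page, not Microsoft's or any CPU vendor's: a bounds-checked table lookup in the shape that speculative out-of-bounds reads abuse, beside a hardened version that masks the index so that even a mispredicted branch cannot reach past the table. The sample table is constructed, and `index_mask_nospec` is a reimplementation of the index-masking idea behind the Linux kernel's `array_index_nospec()`, named here for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table; in a real program the bytes that follow it in
 * memory could be anything, including secrets that a speculative
 * out-of-bounds load might touch. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Spectre variant 1 shape: a bounds check followed by a load that depends on
 * the checked index. Architecturally correct, but while the branch is still
 * being predicted the CPU may run the in-bounds path with an out-of-range idx. */
uint8_t lookup_unhardened(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return public_data[idx];
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise. This follows the
 * index-masking idea behind the Linux kernel's array_index_nospec(); the code
 * here is a reimplementation written for this example, not the kernel's.
 * Requires 0 < size and both idx and size below SIZE_MAX/2, so the top bit of
 * (size - 1 - idx) tells us whether the subtraction wrapped. */
size_t index_mask_nospec(size_t idx, size_t size)
{
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(idx));   /* keep the compiler from folding the mask away */
#endif
    size_t wrapped = idx | (size - 1 - idx);               /* top bit set iff idx >= size */
    size_t top = wrapped >> (sizeof(size_t) * CHAR_BIT - 1); /* 0 in bounds, 1 out of bounds */
    return top - 1;                                         /* 0 -> SIZE_MAX, 1 -> 0 */
}

/* Hardened form: even if the branch is mispredicted, the masked index cannot
 * reach past the array, so no secret-dependent cache line is loaded. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        return public_data[idx];
    }
    return 0;
}
```

Both lookups return the same values architecturally; the difference is only in what the CPU can touch during speculation, which is why such a change is invisible to ordinary functional tests.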
It seems that Microsoft is taking that warning very seriously. Even though the company doesn’t make CPUs, and therefore isn’t directly responsible for vulnerabilities in their firmware, such flaws can severely undermine the security protections built into Windows and its Azure cloud computing platform.
The company has decided to offer significant monetary rewards for new flaws that are based on speculative execution or which can be used to bypass the mitigations put in place for Meltdown and Spectre.
The new bounties are split into four tiers: Tier 1 offers rewards of up to $250,000 for new categories of speculative execution attacks; Tier 2 pays up to $200,000 for attacks that bypass the existing speculative execution mitigations on Azure; Tier 3 is the same as Tier 2 but for Windows; and Tier 4 offers up to $25,000 for new instances of flaws like Spectre variant 1 (CVE-2017-5753) in Windows 10 or Microsoft Edge, but only if they enable sensitive information disclosure across trust boundaries.
“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods,” Phillip Misner, principal Security Group manager at Microsoft’s Security Response Center, said in a blog post. “This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues.”
Microsoft recently started distributing Intel’s microcode patches for speculative execution exploits through the Microsoft Update Catalog. An initial batch for Skylake (6th generation) Intel CPUs was released a few weeks ago and was extended with microcode updates for Kaby Lake and Coffee Lake (7th and 8th generation) CPUs this week.
“Microsoft does not produce CPUs; however, they are offering to pay bounties for bugs found in CPUs,” said Laurie Mercer, solutions engineer at HackerOne, via email. “This is an example of an organisation contributing to the safety of the computing ecosystem. Whilst Microsoft themselves will clearly benefit from CPUs being secure, so will their competition, so this could be seen as an act of philanthropy.”
Meltdown, Spectre and the Intel ME flaws found last year could indicate a new trend in which more and more security researchers are looking for flaws in low-level firmware and hardware. If that’s the case, flaws related to speculative execution will probably be just a small part of what’s coming.
Just this week an Israeli security firm claimed to have found 13 critical vulnerabilities in the latest family of AMD processors that allow attackers to bypass hardware-based security features and inject powerful malware in firmware, where security programs don’t have visibility. AMD is still analyzing the report and has not yet confirmed the vulnerabilities, but several independent security researchers who received the full technical details have verified that the flaws are real and exploitable.
“Looking for vulnerabilities on computer chips is new,” renowned cryptographer and security expert Bruce Schneier said in an essay published in The Atlantic after Meltdown and Spectre came out. “Now that researchers know this is a fruitful area to explore, security researchers, foreign intelligence agencies, and criminals will be on the hunt,” he warned.