CPU Speculative Execution Hits Again with 2 New Spectre Variants

At the beginning of this year, the Spectre and Meltdown vulnerabilities shined a spotlight on the security risks associated with the speculative execution feature of modern CPUs. Since then, researchers have kept digging and found new issues, the latest additions being two new variants of the Spectre flaw dubbed Spectre 1.1 and 1.2.

The new vulnerabilities, discovered by researchers Vladimir Kiriansky and Carl Waldspurger, were disclosed this week in a research paper. They potentially allow attackers to defeat existing mitigations for the original Spectre 1.0 variant (CVE-2017-5753).

“We consider Spectre1.1 a minor variant in the variant 1 family, since it uses the same opening in the speculative execution window—conditional branch speculation,” the researchers said.

However, while Spectre 1.0 uses a bounds check bypass on speculative loads to leak sensitive data through a side channel, Spectre 1.1 (CVE-2018-3693) uses a bounds check bypass on speculative stores.

“This provides an attacker with the full power of an arbitrary write,” the researchers explained. “While this is only a speculative write, which leaves no architecturally-visible effects, it can still lead to information disclosure via side channels.”

Even worse, attackers can exploit the flaw in a way that bypasses fence instructions and other software mitigations added to prevent the previous speculative-execution attacks.
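To make the store-side gadget concrete, here is an added illustration that is not code from the Kiriansky and Waldspurger paper or from Intel's guidance: a bounded write of the kind the researchers describe, next to a hardened form that clamps the store index with branch-free arithmetic (the same construction the Linux kernel uses in array_index_mask_nospec()). The struct layout, the buffer length and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <string.h>

/* Added example, not from the Spectre 1.1 paper. Names and layout are assumed. */

#define BUF_LEN 16

/* Constructed "process memory": a bounded buffer followed by a value an
 * attacker would like to reach with a speculative write, standing in for a
 * code pointer or the length field of a neighbouring Spectre 1.0 gadget. */
struct region {
    uint8_t   buf[BUF_LEN];
    uintptr_t sensitive;
};

/* Vulnerable pattern. Architecturally the write is always in bounds, but while
 * the branch outcome is still being predicted the CPU may execute
 * buf[idx] = val with an attacker-chosen idx >= BUF_LEN: a speculative
 * arbitrary write whose cache footprint can be observed afterwards. */
int vuln_store(struct region *r, size_t idx, uint8_t val)
{
    if (idx < BUF_LEN) {
        r->buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise. Because the
 * result depends only on data, not on a predicted branch, it holds even on a
 * mispredicted path. Relies on arithmetic right shift of a signed integer
 * (gcc/clang behaviour) and on size <= PTRDIFF_MAX. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)(~(ptrdiff_t)(idx | (size - 1 - idx))
                    >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Hardened pattern: the architectural check stays, but the index used for the
 * store is clamped, so even a mispredicted branch cannot steer the store
 * outside buf (an out-of-bounds idx masks to 0, which is inside the buffer). */
int safe_store(struct region *r, size_t idx, uint8_t val)
{
    if (idx < BUF_LEN) {
        size_t clamped = idx & index_mask_nospec(idx, BUF_LEN);
        r->buf[clamped] = val;
        return 1;
    }
    return 0;
}

/* Exercises both gadgets on a constructed region and reports the architectural
 * outcome: 0 when every write landed where it should and `sensitive` survived.
 * (The speculative behaviour itself is not observable from C.) */
int demo(void)
{
    struct region r;
    memset(&r, 0, sizeof r);
    r.sensitive = 0x1234;

    if (vuln_store(&r, 3, 0x41) != 1 || r.buf[3] != 0x41) return 1;
    if (vuln_store(&r, BUF_LEN + 4, 0x41) != 0) return 2;   /* rejected */
    if (safe_store(&r, 5, 0x42) != 1 || r.buf[5] != 0x42) return 3;
    if (safe_store(&r, BUF_LEN, 0x42) != 0) return 4;       /* rejected */
    if (r.sensitive != 0x1234) return 5;
    return 0;
}
```

Two practical caveats. First, an optimizing compiler is free to notice that the mask is always all-ones on the reachable path and turn the clamp back into the very branch it was meant to protect; the Linux kernel avoids this on x86 by computing the mask in inline assembly (a compare followed by sbb). Second, the alternative the researchers and Intel's guidance also cover is a serializing fence (LFENCE on x86) between the check and the store; it is simpler but costs more, and it only helps if tooling applies it to store gadgets as well as load gadgets.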

The second vulnerability found by the researchers, dubbed Spectre 1.2, relies on lazy enforcement of page table entry (PTE) permissions, in the same way as Spectre variant 3 (Meltdown). It therefore affects CPUs that do not enforce the read/write permission bits of a page during speculative execution, which lets a speculative store overwrite memory that is mapped read-only.

Successful exploitation of Spectre 1.2 can allow attackers to bypass software sandboxing that depends on hardware enforcement of read-only memory.

In their paper, the researchers propose new software mitigations and hardware defenses to protect against these new vulnerabilities. However, the performance impact of these mitigations has not yet been evaluated.

Intel has confirmed the two new flaws and paid $100,000 to the researchers for their discovery through its bug bounty program. The company has also updated its developer guidance for mitigating speculative execution vulnerabilities to account for the new variants.

Since the original Spectre flaw didn’t affect just Intel CPUs, the new variants might also impact CPUs from ARM, AMD and other vendors, but this has yet to be confirmed. Microsoft, Red Hat and Oracle are investigating the effects of the new variants on their products and have published advisories.

The number of speculative execution flaws has now reached eight. They are: Spectre variant 1.0 (bounds check bypass), 1.1 (bounds check bypass on stores), 1.2 (read-only protection bypass), 2 (branch target injection), 3 (rogue data cache load aka Meltdown), 3a (rogue system register read), 4 (speculative store bypass aka SpectreNG) and LazyFP.

Chrome Turned On Site Isolation for Desktop Users

Google silently enabled a feature called Site Isolation in Chrome for desktop operating systems to mitigate speculative execution side-channel attacks such as Spectre.

Site Isolation was first introduced in December in Chrome 63 as an experimental feature that could be enabled manually. Its goal was to strengthen the browser's existing sandbox by giving each website its own rendering process, thereby confining malicious code to the data of the site it was loaded from.

After it was revealed in January that the Spectre vulnerability could be exploited via malicious JavaScript code in browsers, the Chrome developers accelerated their work on Site Isolation, resolving various issues and getting it ready for prime time.

In a blog post Wednesday, Google revealed that it turned on Site Isolation by default for desktop users in Chrome version 67, which was released at the end of May.

“In Chrome 67, Site Isolation has been enabled for 99% (sic) of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% [sic] holdback for now to monitor and improve performance.),” Google said. “This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.”

The company is now working on enabling Site Isolation for Chrome on Android as well, and on rolling back earlier Spectre mitigations that disabled useful features such as high-resolution JavaScript timers and SharedArrayBuffer.

The bad news is that Site Isolation increases memory usage by 10 percent to 13 percent because the browser spawns considerably more processes than before, but this is seen as an acceptable tradeoff for the security benefits.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
