At the beginning of this year, the Spectre and Meltdown vulnerabilities shined a spotlight on the security risks associated with the speculative execution feature of modern CPUs. Since then, researchers have kept digging and found new issues, the latest additions being two new variants of the Spectre flaw dubbed Spectre 1.1 and 1.2.
The new vulnerabilities, discovered by researchers Vladimir Kiriansky and Carl Waldspurger, were disclosed this week in a research paper. They potentially allow attackers to defeat existing mitigations for the original Spectre 1.0 variant (CVE-2017-5753).
“We consider Spectre 1.1 a minor variant in the variant 1 family, since it uses the same opening in the speculative execution window—conditional branch speculation,” the researchers said.
However, while Spectre 1.0 performs a bounds check bypass on speculative Loads to leak sensitive information through a side channel, Spectre 1.1 (CVE-2018-3693) involves a bounds check bypass on speculative Stores.
“This provides an attacker with the full power of an arbitrary write,” the researchers explained. “While this is only a speculative write, which leaves no architecturally-visible effects, it can still lead to information disclosure via side channels.”
Even worse, attackers can exploit the flaw in a way that bypasses fence instructions and other software mitigations added to prevent the previous speculative-execution attacks.
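To make the store-side bypass concrete from the defender's side, here is an added example (it is not code from the Kiriansky/Waldspurger paper or from any vendor guidance) contrasting the classic checked-store pattern with a branch-free index mask of the kind used by the Linux kernel's array_index_nospec(). The buffer, the helper names index_mask() and store_masked(), and the use of an inline-asm optimizer barrier are assumptions of this example; the mask forces any index that is out of range to 0, so even a store that executes speculatively past the bounds check lands inside the buffer rather than at an attacker-chosen address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 16

/* Constructed target buffer for the example. */
static uint8_t buf[BUF_LEN];

/* The vulnerable shape: architecturally correct, but the store can be
 * issued speculatively with an out-of-range idx before the branch
 * resolves (the Spectre 1.1 "bounds check bypass on stores" pattern). */
int store_checked(size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Branch-free mask: SIZE_MAX when idx < len, 0 otherwise.
 * (idx | (len - 1 - idx)) has its top bit set exactly when idx >= len
 * (the subtraction wraps), so that bit, shifted down, selects the mask.
 * Assumes idx and len are both below SIZE_MAX / 2, as array sizes are. */
static inline size_t index_mask(size_t idx, size_t len) {
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = out_of_range - 1; /* 1 -> 0, 0 -> SIZE_MAX */
#if defined(__GNUC__)
    /* Keep the optimizer from folding idx & mask back to idx inside the
     * taken branch; it does not model speculative execution. */
    __asm__ volatile("" : "+r"(mask));
#endif
    return mask;
}

/* Hardened shape: same architectural behaviour, but a speculative
 * execution of the store with idx >= BUF_LEN writes buf[0] at worst. */
int store_masked(size_t idx, uint8_t val) {
    size_t mask = index_mask(idx, BUF_LEN);
    if (idx < BUF_LEN) {
        buf[idx & mask] = val;
        return 1;
    }
    return 0;
}

uint8_t read_at(size_t idx) {
    return idx < BUF_LEN ? buf[idx] : 0;
}

void reset_buf(void) {
    for (size_t i = 0; i < BUF_LEN; i++) buf[i] = 0;
}

int main(void) {
    reset_buf();
    printf("mask(3,16)   = %zx\n", index_mask(3, BUF_LEN));
    printf("mask(16,16)  = %zx\n", index_mask(16, BUF_LEN));
    printf("store 5 ok   = %d\n", store_masked(5, 0xAA));
    printf("store 99 ok  = %d\n", store_masked(99, 0xBB));
    printf("buf[5]       = %x\n", read_at(5));
    return 0;
}
```

The mask only bounds where a speculative store can land; it does not stop speculation. Where a mask is impractical, a speculation barrier (lfence on x86) after the check is the other common option, at a higher cost.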
The second vulnerability found by the researchers, dubbed Spectre 1.2, depends on the CPU’s lazy PTE enforcement similar to Spectre version 3. This means it works on CPUs that do not enforce read/write protections.
Successful exploitation of Spectre 1.2 can allow attackers to bypass software sandboxing that depends on hardware enforcement of read-only memory.
In their paper, the researchers propose new software mitigations and hardware defenses to protect against these new vulnerabilities. However, the performance impact of these mitigations has not yet been evaluated.
Intel has confirmed the two new flaws and paid $100,000 to the researchers for their discovery through its bug bounty program. The company has also updated its developer guidance for mitigating speculative execution vulnerabilities to account for the new variants.
Since the original Spectre flaw didn’t affect just Intel CPUs, the new variants might also impact CPUs from ARM, AMD and other vendors, but this has yet to be confirmed. Microsoft, Red Hat and Oracle are investigating the effects of the new variants on their products and have published advisories.
The number of speculative execution flaws has now reached eight. They are: Spectre variant 1.0 (bounds check bypass), 1.1 (bounds check bypass on stores), 1.2 (read-only protection bypass), 2 (branch target injection), 3 (rogue data cache load aka Meltdown), 3a (rogue system register read), 4 (speculative store bypass aka SpectreNG) and LazyFP.
Chrome Turned On Site Isolation for Desktop Users
Google silently enabled a feature called Site Isolation in Chrome for desktop operating systems to mitigate speculative execution side-channel attacks such as Spectre.
Site Isolation was first introduced in December in Chrome 63 as an experimental feature that could be enabled manually. Its goal was to strengthen the browser’s existing sandbox by forcing each website to have its own rendering process, therefore limiting the actions of malicious code to the website it was loaded from.
In a blog post Wednesday, Google revealed that it turned on Site Isolation by default for desktop users in Chrome version 67, which was released at the end of May.
“In Chrome 67, Site Isolation has been enabled for 99% (sic) of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% [sic] holdback for now to monitor and improve performance.),” Google said. “This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.”
The bad news is that Site Isolation leads to a memory usage increase of 10 percent to 13 percent because the browser spawns considerably more processes than before, but this is seen as an acceptable tradeoff for the security benefits.