Boffins discovered seven new Meltdown and Spectre attacks
15.11.2018 securityaffairs
Attack

Researchers who devised the original Meltdown and Spectre attacks disclosed seven new variants that leverage on a technique known as transient execution.
In January, white hackers from Google Project Zero disclosed the vulnerabilities that potentially impact all major CPUs, including the ones manufactured by AMD, ARM, and Intel.

The expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to sensitive data processed by the CPU.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

In the following months, experts discovered many other attacks leveraging the speculative execution technique, such as Spectre-NG, NetSpectre, SpectreRSB, Spectre 1.1, Spectre1.2, Lazy FP, and Foreshadow.

Now, researchers from Graz University of Technology, imec-DistriNet, KU Leuven, and
College of William and Mary along with some of the experts who devised the original Meltdown and Spectre attacks have disclosed seven new variants that leverage on a technique known as transient execution.

“Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s microarchitectural state.” reads the research paper titled “A Systematic Evaluation of Transient Execution Attacks and Defenses.”

“This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches).”

The new transient execution attacks affect Intel, AMD, ARM processors, the good news is that some of them are mitigated by mitigations implemented for Spectre and Meltdown.

“Transient execution attacks leak otherwise inaccessible information via the CPU’s microarchitectural state from instructions which are never committed,” continues the paper.

“We also systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked.”

Below a list of short descriptions of the newly discovered attacks, two are Meltdown variants, remaining are Spectre attacks.

Meltdown-PK (Protection Key Bypass)— Meltdown-PK attack allows to bypass both read and write isolation guarantees enforced through memory-protection keys. PKU isolation can be bypassed if an attacker has code execution in the containing process, even if the attacker cannot execute the wrpkru instruction (e.g., due to blacklisting).

Meltdown-BR (Bounds Check Bypass)—x86 processors come with dedicated hardware instructions that raise a bound range exceeded exception (#BR) when encountering out-of-bound array indices. The Meltdown-BR attack which exploits transient execution following a #BR exception
to encode out-of-bounds secrets that are never architecturally visible.

Spectre-PHT (Pattern History Table)
Spectre-PHT-CA-OP (Cross-Address-space Out of Place)—Performing previously disclosed Spectre-PHT attacks within an attacker-controlled address space at a congruent address to the victim branch.

Spectre-PHT-SA-IP (Same Address-space In Place)—Performing Spectre-PHT attacks within the same address space and the same branch location that is later on exploited.

Spectre-PHT-SA-OP (Same Address-space Out of Place)—Performing Spectre-PHT attacks within the same address space with a different branch.


Spectre-BTB (Branch Target Buffer)

Spectre-BTB-SA-IP (Same Address-space In Place)—Performing Spectre-BTB attacks within the same address space and the same branch location that is later on exploited.

Spectre-BTB-SA-OP (Same Address-space Out of Place)—Performing Spectre-BTB attacks within the same address space with a different branch.

Researchers detailed proof-of-concept attacks against processors from Intel, ARM, and AMD, they responsibly disclosed their findings to the chip makers. Intel and ARM already acknowledged the report and are working to address the issues, for this reason, they opted to hold their proof-of-concept exploits waiting for a fix from the vendors.

ARM explained that the Spectre and Meltdown vulnerabilities can be addressed by applying existing mitigations described in a previously released white paper.