Here is an overview of Spectre and Meltdown vulnerabilities that got a lot of publicity in January 2018. Meltdown and Spectre the two original transient execution CPU vulnerabilities. The Meltdown and Spectre vulnerabilities were considered “catastrophic” by security analysts. The vulnerabilities are so severe that security researchers initially believed the reports to be false.
In January 3, 2018 I saw first news on the new processor vulnerabilities. I kept researching on the topics, and write one of the early news article on those to Uusiteknologia.fi magazine Suorittimissa tietoturvaongelmia – myös ARM-suorittimissa that was published in early morning January 4, 2018 (to my knowledge the first news on those in Finnish language ). My research on the topic included international news and reading newest changes made to Linux Kernel source code.
Soon a web site https://meltdownattack.com/ was made to tell about those vulnerabilities (it was planned to be published later when all the fixes were out, but was publishes earlier than planned because information had leaked out). The two vulnerabilities were made public jointly, on 3 January 2018, several days ahead of the coordinated release date of 9 January 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list.
Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL), in January 2018. The same research teams that discovered Meltdown also discovered Spectre. On 1 February 2017, the CVE numbers 2017-5715, 2017-5753 and 2017-5754 were assigned to Intel. Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.
Meltdown relies on a CPU race condition that can arise between instruction execution and privilege checking. Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM-based processors
The issued were much older. There had been already some some technical talks material “under the radar” information and that would indicate that Intel processors could have a serious vulnerability that waits to be fixed. On 27 December 2016, at 33C3, Clémentine Maurice and Moritz Lipp of TU Graz presented their talk “What could possibly go wrong with
The affected hardware and software vendors had been made aware of the issue on 28 July 2017. The fixes were made and information was kept quite well secret until the beginning of 2018.
Links to sources and more material:
Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors.
https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://www.cloudflare.com/learning/security/threats/meltdown-spectre/
https://www.epanorama.net/newepa/2018/01/03/kernel-memory-leaking-intel-processor-design-flaw/
https://www.uusiteknologia.fi/2018/01/04/suorittimissa-tietoturvaongelmia-myos-arm-suorittimissa/
9 Comments
monkey mart says:
This post is one that I find myself referring to very frequently, and it is only right that I acknowledge how much I value it. It is my firm belief that you will continue to provide products that are exceptional in comparison to the overall standard here.
Tomi Engdahl says:
GhostRace CPU vulnerability threatens all major architectures — IBM and VU Amsterdam researchers detail new cross-platform speculative execution attack
News
By Christopher Harper published March 17, 2024
Speculative execution exploits are used against modern CPUs to access passwords and other confidential data
https://www.tomshardware.com/tech-industry/cyber-security/ghostrace-cpu-vulnerability-threatens-all-major-architectures-ibm-and-vu-amsterdam-researchers-detail-new-cross-platform-speculative-execution-attack
On March 12, researchers from VUSec and IBM made a new form of speculative execution attack publicly known on Twitter, linking to a corresponding GhostRace disclosure paper hosted by VUSec. We’ll be discussing the full GhostRace disclosure document and its attached documentation in more detail below, but first, let’s take some time to clarify what a “speculative execution attack” even is.
If you remember the scourge of Meltdown and Spectre, back in 2016, this is very much in the same category of major CPU security exploits. Spectre V1 was explicitly a speculative execution attack, even. Speculative execution in and of itself isn’t a bad thing— it’s actually a core function of modern CPUs, which allows CPU threads to more effectively share resources.
The issue is, that speculative execution can also result in “race conditions”, where separate threads attempting to access shared resources create major security vulnerabilities by doing so in a poorly-synchronized matter. This exploit is focused on taking advantage of those scenarios, so it’s appropriately named GhostRace.
Before making GhostRace public, the researchers informed major hardware vendors and the Linux kernel of the issue (in late 2023), since GhostRace applies to all major OSes and CPUs, even Arm. The notice given should hopefully have given vendors the time they needed to develop their fixes and workarounds, however, the researchers also included some tips for mitigating the issue in the public document. An early fix attempt by the Linux kernel seemed promising, but experiments done by the researchers proved the fix didn’t completely cover the vulnerability.
For now, it seems Linux kernel devs are primarily concerned with performance, and don’t want to risk majorly crippling it with a rushed fix. We read that the proposed mitigation for Linux provided in the original documentation is tested as only having a roughly ~5% performance overhead in LMBench. No patching performance penalty is ever welcome, but perhaps a patiently developed fix can do better.
No mitigations are provided in the document for other platforms. However, AMD points out that existing Spectre v1 mitigations should still apply to potential GhostRace exploits— and since vendors have already had to tackle that, it should only be a matter of time. AMD has acknowledged the issue, according to the public disclosure paper.
Tomi Engdahl says:
https://thehackernews.com/2024/03/ghostrace-new-data-leak-vulnerability.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impacts-linux-systems-on-intel-cpus/
Tomi Engdahl says:
https://www.neowin.net/news/microsoft-shares-official-windows-registry-tweak-as-the-spectre-still-haunts-intel-in-2024/
Tomi Engdahl says:
New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data
https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html
Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.
The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.
“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.
“Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.
Tomi Engdahl says:
https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html
https://travisdowns.github.io/blog/2020/05/13/intel-zero-opt.html
Tomi Engdahl says:
Arm security defense shattered by speculative execution 95% of the time
‘TikTag’ security folks find anti-exploit mechanism rather fragile
https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/?td=keepreading
In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.
Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.
Memory safety bugs are said to be responsible for the majority of security vulnerabilities in large codebases. And for the past few years, there’s been a concerted effort in the public and private sector to reduce such flaws by promoting memory safe programming languages, software-based code hardening techniques, and hardware-specific options like SPARC ADI and Arm MTE.
MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.
Tomi Engdahl says:
Intel Says No New Mitigations Required for Indirector CPU Attack
Researchers disclosed a new high-precision Branch Target Injection attack method named Indirector, but Intel says no new mitigations are needed.
https://www.securityweek.com/intel-says-no-new-mitigations-required-for-indirector-cpu-attack/
A team of researchers from the University of California San Diego has published a paper detailing a novel attack method targeting Intel CPUs, but the chip giant says no new mitigations are required to address it.
The new attack, named Indirector, is similar to the well-known Spectre v2 or Spectre Branch Target Injection (BTI) attack.
These methods typically allow an attacker who has access to the targeted system to obtain information, including sensitive data such as passwords or encryption keys, from memory.
The researchers described Indirector as a high-precision BTI attack that exploits the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs such as Raptor Lake and Alder Lake.
According to the researchers, previous BTI attacks overlooked IBP, which they describe as a “critical component of the branch prediction unit that predicts the target address of indirect branches”.
https://indirector.cpusec.org/
This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).