Spectre Watch: More Spectre-class CPU Vulnerabilities to be Announced Soon?by Ryan Smith on May 3, 2018 1:45 PM EST
This morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”
Diving right into Intel’s announcement:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”
— Leslie Culbertson
As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid chaos that by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as-planned.
Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.
As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.
Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, making it similar in risk to cloud server hosts as the original Meltdown. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.
Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.
Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…
Post Your CommentPlease log in or sign up to comment.
View All Comments
eva02langley - Thursday, May 3, 2018 - linkIt is kind of disturbing, is this something totally new or is it something that happened because performance was more important than security?
Ryan Smith - Thursday, May 3, 2018 - linkA little of both. Side channel attacks as a concept are not new, but the ability to reliably weaponize them in this fashion is. This is stuff that previously was not thought possible. (And yet despite this, you likely don't want a CPU that can't do speculative execution)
bji - Thursday, May 3, 2018 - linkMeltdown is a real issue. The seriousness of Spectre, on the other hand, is completely overblown. All you can do with Spectre is slowly, really slowly, read memory from other non-kernel processes, *if* you are able to run some very high CPU usage code for a long time without the owner/user of the computer being attacked realizes it. The value of such an attack is so low as to make it basically irrelevant -- who is going to bother burning CPU cycles to run a Spectre attack when they could use those CPU cycles to attempt numerous other much more significant and valuable attacks?
I should clarify: Spectre *is* an important issue for users who run programs that store highly valuable information in memory. But the vast majority of users do not, and the cost of running a Spectra attack and also the extremely low chance of it acquiring anything of useful value, means that for end-users who don't run banks on their computers, it's a non-issue.
It's kind of like saying that for the average person, snake poison is not a danger, so we don't all keep vials of snake bite antidote with us at all times. But that doesn't mean that snake bites are not dangerous, and there are definitely people who *should* keep antivenom with them at all times -- like people who regularly travel through jungles known to be populated by venomous snakes. But would you believe someone who told you that you should keep antivenom with you at all times because a criminal may decide to attack you with a snake? Of course you wouldn't. That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?
PeachNCream - Thursday, May 3, 2018 - link"That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?"
I'm sure that there are people out there that think attacking someone with a danger noodle is a lot cooler than the aforementioned gun or knife even if it is more troublesome. Haven't you seen Indiana Jones or James Bond movies? The bad guy always dangles the hero over a danger noodle pit.
wanderer66 - Friday, May 4, 2018 - linkI too have many deep and important questions, abstract enough to conceal my surface-level understanding of modern CPU architecture. Frankly, I'm only here for the danger noodle.
Lord of the Bored - Saturday, May 5, 2018 - link"I'm only here for the danger noodle."
That's what SHE said!
HStewart - Thursday, May 3, 2018 - linkOne thing that I am frustrated with this Meltdown/spectre stuff - in my past knowledge of OS development - if non ring 0 stuff attempts to access ring 0 data - it should cause an exception by the processor. If it is from ring 0, then this should be device driver on OS and should not be certified for deployment.
Are we talking about realistic issue here? or actual OS issue?
Nutty667 - Friday, May 4, 2018 - linkAccessing memory you don't have access to, DOES cause an exception, but in Intel CPU's it only does this in the retiring phase. Speculative execution that turns out to not be required doesn't get retired, so no exception is thrown.
AMD's architecture is different, whereby the privilege check is also done at the start of the memory request even when performed speculatively.
You can't access this memory directly, even though it's been brought into the cache. But you can speculatively use it to cause a performance side effect in memory you can later access and by timing this access, work out what the original value brought into the cache was.
Reflex - Thursday, May 3, 2018 - link1) Meltdown is a solved problem. It is not a 'class' of attacks where you'll see a new exploit every few months. It was found, functionality that enabled it was disabled/bypassed, and it is now gone as an issue aside from the hit on performance in certain scenarios. Continuing to bring it up outside of the contexts where it hurts performance (databases, virtual machines, etc) is a meaningless distraction.
2) The idea that because Spectre is 'slow' it is not a major threat is silly. Of course if an easier exploit exists an attacker will utilize it. But that is a non sequitur, you could say that about literally any exploit. The point is that there will be times when Spectre class vulnerabilities ARE the easiest path to stealing data, especially in virtualized server environments. And the idea that its 'slow' is a relative statement, these CPU's are handling millions of operations per second, 'slow' can still mean it gets everything it needs in a few seconds. Furthermore, since Spectre is a class of issues rather than a specific exploit, it is rich for zero days and unknown exploits from well funded state and criminal actors, where you could see exploits outed years after they were exploited with no one the wiser.
Spectre is a huge problem and its scope is as yet not well understood.
bji - Friday, May 4, 2018 - linkUnless you know who you are attacking and why, spectre is useless. It's not the kind of attack that can be exploited to quickly and easily get some kind of administrative/root access on a machine, so you can't do anything useful with it except extract data. Yes, if you attack someone with known valuable data, then spectre is worthwhile.
Another real world analogy for you: spectre is like being able to look at the top left corner of a person's coffee table. You have no idea what you're going to find there or if it's even useful. How many attackers are going to spend time randomly looking at the top left corner of people's coffee table hoping to find information that they can use to their benefit? Sure if the target is rich and you know they tend to leave their bank account details lying around, then it's worth doing. But this implies that you know something about your target. In the vast, vast majority of security exploits out in the wild, the attacker knows nothing about the attacked. They just attack known insecure services hoping to get something of known value -- the ability to use CPU/network cycles on the target machine, and possibly a way to take control of the machine entirely. The attack is an automated process that tries to deliver one or both of those things. A random spectre attack will net the attacker what? Some random memory from a user level process. What is the chance that they will be able to use that in any way? How much CPU power would it take to even analyze the data to sift through it to find useful things? Who would bother?
I would personally patch Meltdown because that's a much more significant attack that can reveal kernel level secrets that could very easily lead to a more substantial attack vector on the machine. Spectre on the other hand, I personally wouldn't even bother for my home systems. Just like I wouldn't bother carrying antivenom around, or ensuring that nothing is in the top left corner of my coffee table just in case someone peeks in the window.