At the beginning of May, the global information industry sounded a series of top-level alarms. On May 4, Dell disclosed a 12-year-old vulnerability (now fixed) in the firmware update driver shipped on hundreds of millions of its computers. On May 6, yet another high-risk vulnerability was found in the processors of chip giants such as Intel and AMD.

In 2018, when Meltdown and Spectre, present in nearly all modern processors, were disclosed, the researchers who discovered them said: “Spectre bugs are going to haunt us for quite some time because they’re hard to fix.”

Indeed, more than three years have passed, and Spectre is still haunting us.

A team of researchers from the University of Virginia and the University of California, San Diego has discovered a new attack route that bypasses all current Spectre protections built into chips, potentially putting nearly all desktops, laptops, cloud servers and smartphones in the same jeopardy as three years ago.

The disclosure of the Meltdown and Spectre vulnerabilities was like opening Pandora’s box. In the years that followed, as an endless stream of attack variants was exposed, even chip giants like Intel, ARM and AMD have been scrambling to deploy defenses that mitigate the attacks exploiting these vulnerabilities, to stop attackers from reading passwords, encryption keys and other valuable data out of a computer’s memory.

At its core, Spectre is a timing side-channel attack. It breaks the isolation between applications by exploiting an optimization in CPU hardware called speculative execution, tricking a program into accessing arbitrary locations in memory and thereby leaking their secrets.

“Spectre attacks trick the processor into executing instructions along the wrong path,” the researchers said. “Even if the processor recovers and completes its task correctly, a hacker can access confidential data while the processor is going the wrong way.”

The new attack method developed by the University of Virginia team exploits what is known as the micro-op (also written µop or uop) cache, an on-chip component that breaks machine instructions into simpler commands to speed up computation, as a side channel for leaking confidential information. Micro-op caches have been built into Intel-based computers since 2011.

“Intel’s proposed defense against Spectre, called LFENCE, places sensitive code in a waiting area until a security check is performed, before allowing the sensitive code to execute,” said Ashish Venkat, an assistant professor at the University of Virginia and a co-author of the study. “But it turns out that this waiting area has ears on the walls that our attack exploits. We show how an attacker can smuggle secrets through a micro-op cache by using it as a covert channel.”

The researchers detail that on the AMD Zen microarchitecture, the primitives exposed by the micro-op cache can be leveraged to implement a covert data transfer channel with a bandwidth of 250 Kbps at a 5.59% error rate, or 168.58 Kbps with error correction.

Intel’s guidance on timing attacks against cryptographic implementations recommends following constant-time programming principles, which is easier said than done, and software changes alone will not adequately mitigate the threat posed by speculative execution.
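To make the two mitigations named above concrete, here is an added example (not code from the article or from the researchers’ paper): the bounds-checked lookup pattern that Spectre-style attacks target, beside the same lookup with the LFENCE “waiting area” Intel’s guidance describes inserted after the check, plus a constant-time byte comparison. The table and key bytes are constructed sample data, and the barrier falls back to a compiler-only fence on non-x86 builds.

```c
/* Added example, not from the article or the paper. Table contents and
 * key bytes are constructed sample values. */
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t secret_key[4] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed */
static const uint8_t wrong_key[4]  = { 0xDE, 0xAD, 0xBE, 0xEE }; /* constructed */

/* Speculation barrier. On x86, LFENCE waits for all earlier instructions
 * to complete before anything after it is issued. On other targets this
 * degrades to a compiler barrier, which does NOT stop hardware speculation. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Unmitigated pattern: while the branch on idx is still unresolved, the
 * CPU may speculatively perform table[idx] for an out-of-range idx. The
 * architectural result is still correct (-1), but the transient load can
 * leave traces in microarchitectural state such as caches. */
int lookup_unfenced(size_t idx) {
    if (idx >= TABLE_LEN) return -1;
    return table[idx];
}

/* Mitigated: the fence makes the bounds check resolve before the
 * dependent load is issued, so no out-of-range idx is ever loaded. */
int lookup_fenced(size_t idx) {
    if (idx >= TABLE_LEN) return -1;
    speculation_barrier();
    return table[idx];
}

/* Constant-time equality: no early exit, so the running time does not
 * depend on where the first differing byte is. Returns 1 if equal, else 0. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    /* acc == 0 -> (0 - 1) wraps to 0xFFFFFFFF, bit 8 set; acc != 0 -> bit 8 clear */
    return (int)((((uint32_t)acc - 1u) >> 8) & 1u);
}
```

Note that ct_equal only removes the data-dependent timing of the comparison itself; as the article states, it does nothing about what the front end speculatively executes, which is exactly the gap the micro-op cache channel exploits.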

The silver lining here is that the Spectre vulnerability is very difficult to exploit. To protect against the new attack, the researchers propose flushing the micro-op cache (a technique that offsets the performance benefit the cache provides in the first place), using performance counters to detect anomalies in the micro-op cache, and partitioning the cache according to the privilege level assigned to the code, so that unauthorized code cannot gain higher privileges.

“Using the micro-op cache as a side channel is dangerous,” the researchers said. “First, it bypasses all cache security techniques, and second, these attacks cannot be detected by any existing attack or malware profile. Third, because the micro-op cache is at the front end of the pipeline, defenses that mitigate Spectre and other transient execution attacks by limiting speculative cache updates before execution remain vulnerable to micro-op cache attacks.”
