TL;DR: Researchers from the University of Virginia and the University of California, San Diego discovered three Spectre vulnerabilities in AMD and Intel processors during their study of the micro-op cache. The vulnerabilities bypass existing Spectre mitigations, and the researchers predict that their proposed low-level fixes would incur a costly performance penalty. However, they recognize that exploiting the vulnerabilities may be too difficult to justify severe mitigations.
The three recently discovered vulnerabilities are in the design of the micro-op cache, a feature of modern CPUs present in AMD processors from 2017 onwards and Intel CPUs from 2011 onwards. The micro-op cache improves the performance of a processor by storing the low-level instructions that are generated as the processor breaks down complex instructions into computable arithmetic. It hasn't been the subject of much research until now, because AMD and Intel document their micro-op cache designs poorly in order to keep their proprietary designs hidden.
The researchers' attack is built on two types of code structures, which they call tigers and zebras. Both reside inside the micro-op cache. Tigers can evict a given code region by mimicking its structure and occupying the same places. Zebras go unnoticed by hiding in all unoccupied places. Together, they can take control of a micro-op cache by exploiting its synchronization effects.
Like a zebra leading a hungry tiger into a crowded tent, the researchers' malicious code takes advantage of the micro-op cache structure to expose the private data that passes through it. The first vulnerability can be exploited to leak information across domains on the same thread, the second can be used to leak information across two threads running on the same physical core, and the third enables two types of attacks that reveal information trafficked along erroneously speculated paths.
“Due to the relatively small size of the micro-operation cache, [the new] attack is significantly faster than existing Spectre variants that rely on priming and probing various cache sets to transmit secret information,” say the researchers. It is also “considerably more stealthy, using the micro-op cache as its unique disclosure primitive, introducing fewer data/instruction cache accesses, and far fewer glitches.”
Mitigating the new vulnerabilities with any of the methods suggested by the researchers could incur a “much higher performance penalty” than the current Spectre mitigations. Their least penalizing approach is an exploit detection strategy, but they anticipate that it will have a considerable error rate. Their other two strategies, partitioning and flushing, result in a “heavy underutilization” of the micro-op cache and are, broadly speaking, equivalent to disabling the cache entirely (which in itself is not feasible).
Fortunately, it is believed that exploiting the micro-op cache vulnerabilities requires a high level of access to the target system, which standard security systems can prevent. While the researchers note that additional work is required to fully assess the risk posed by the new vulnerabilities, they do not warrant as much concern as some previous Spectre vulnerabilities. Both AMD and Intel were notified about them prior to publication and have not announced that they are developing patches.
Image Credit: Niek Doup