Fresh Spectre Variants Come to Light

Two new speculative execution bugs have earned researchers a $100,000 bug bounty from Intel.

MIT’s Vladimir Kiriansky and independent researcher Carl Waldspurger uncovered what they call Spectre1.1 and a subset, Spectre1.2, collectively referred to as Variant 4 of Spectre by Intel and ARM. Like the original Spectre and Meltdown vulnerabilities, they can be exploited to uncover confidential information via microarchitectural side channels in Intel and ARM CPUs.

Both leverage speculative stores, the researchers said in two papers posted on Tuesday: Spectre1.1 (CVE-2018-3693) can be used to create speculative buffer overflows, while Spectre1.2 allows attackers to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read/write protections.

In both cases, the end result is the ability to get malicious code past hardcoded processor security measures – opening the door for data exfiltration. They also could provide a mechanism for further arbitrary code execution on both local and remote targets, according to the paper.

The researchers validated that Intel x86 CPUs are impacted, and ARM said that its Cortex-A57, A72, A73 and A75 processors are affected as well. The vulnerabilities are not yet patched, and the two noted that both of them can get around existing Spectre mitigations/patches that may be in place.

“These issues are likely to primarily impact operating systems and virtualization platforms [that execute untrusted code], and may require software update, microcode update or both,” said Oracle director of security assurance, Eric Maurice, in a note Tuesday.

Like all Spectre variants, the new discoveries are based on speculative memory access, causing cache allocation. Timing analysis of memory accesses can then be used to reveal data that would otherwise be kept secret.

“Variant 4 is a Spectre-type attack utilizing a CPU technology known as memory disambiguation, a technology used in high-end CPUs to enable greater out-of-order execution and higher performance,” ARM explained in an update Tuesday. “Simply put, this is a race between a store and following load that target the same memory location whereby under specific conditions, a speculative load can overtake a store, resulting in the load returning stale data.”

That data can then be used to construct an address that drives cache allocation, which in turn can be used to leak data to an attacker across a privilege boundary—like the original Spectre.

The discovery earned the researchers a cool $100,000 from Intel’s HackerOne bug-bounty program. Intel had rolled out a significant expansion of its bug bounty program in February on the heels of the original discovery of the Spectre and Meltdown variants earlier this year.

Intel said in an updated Spectre paper that there are both software mitigations for the flaws as well as operating system steps that developers can take for Windows and Linux environments.

On the software front:

_“Software can insert a speculation stopping barrier between a bounds check and a later operation that could cause a speculative side channel. The LFENCE instruction, or any serializing instruction, can serve as such a barrier. _

“The LFENCE instruction and other serializing instructions ensure that no later instruction will execute, even speculatively, until all prior instructions have completed locally. This prevents the processor from speculatively accessing data that might be out-of-bounds for the user, because no speculative operations can run until this bounds check completes.”

ARM meanwhile said that it recommends software mitigations described in its Cache Speculation Side-channels whitepaper [PDF].

Also, malicious actors would need to first install malware on devices to execute an attack: “Fortunately, the conditions of exploitation for these issues remain similar: malicious exploitation requires the attackers to first obtain the privileges required to install and execute malicious code against the targeted systems,” said Maurice.

Thus, basic security hygiene is a good first line of defense.

“Users will greatly reduce their risk by following good security practices by avoiding suspicious links and downloads, and immediately installing any software updates when available from device-makers,” ARM noted.