Security News > 2021 > May > New Spectre Flaws in Intel and AMD CPUs Affect Billions of Computers
A team of academics from the University of Virginia and University of California, San Diego, have discovered a new line of attack that bypasses all current Spectre protections built into the chips, potentially putting almost every system - desktops, laptops, cloud servers, and smartphones - once again at risk just as they were three years ago.
The disclosure of Spectre and Meltdown opened a floodgates of sorts, what with endless variants of the attacks coming to light in the intervening years, even as chipmakers like Intel, ARM, and AMD have continually scrambled to incorporate defenses to alleviate the vulnerabilities that permit malicious code to read passwords, encryption keys, and other valuable information directly from a computer's kernel memory.
A timing side-channel attack at its core, Spectre breaks the isolation between different applications and takes advantage of an optimization method called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.
The new attack method exploits what's called a micro-operations cache, an on-chip component that decomposes machine instructions into simpler commands and speeds up computing, as a side-channel to divulge secret information.
To safeguard from the new attack, the researchers propose flushing the micro-ops cache, a technique that offsets the performance benefits gained by using the cache in the first place, leverage performance counters to detect anomalies in the micro-op cache, and partition it based on the level of privilege assigned to the code and prevent unauthorized code from gaining higher privileges.
"First, it bypasses all techniques that mitigate caches as side channels. Second, these attacks are not detected by any existing attack or malware profile. Third, because the micro-op cache sits at the front of the pipeline, well before execution, certain defenses that mitigate Spectre and other transient execution attacks by restricting speculative cache updates still remain vulnerable to micro-op cache attacks."