Researchers keep finding Spectre-style bugs in processors

In January 2018, researchers made a blockbuster announcement of seemingly unpatchable security bugs lurking in Intel processors; after a round of initial reassurances about the mitigations for these bugs, it became apparent that the reassurances were overblown, and active exploits were found in the field — and then still-more bugs exploiting "speculative execution," started to pour out of the security research community.

This week, the original Spectre/Meltdown team revealed seven more of these speculative execution attacks, discovered through a systematic exploration of the potential uses of data obtained by trickery from different parts of the CPU that can be attacked in this way. Some of these attacks cannot be mitigated by any of the known mitigation techniques.

Processors rely on "speculative execution" for performance gains that compensate for a slowdown in gains from clockspeed, microlithography and other historic sources of processor improvement. Speculative execution uses statistical techniques to predict what instruction is likely to follow on from one received from the program, effectively guessing that if you run instruction X, the computer should start executing Y straightaway because that is likely to follow on. That guessing system is exploitable by attackers, who can use it to force processors into executing malicious code.

In the new research, these Meltdown variants are joined by a new one using Intel's "Protection Keys for Userspace" (PKU). Protection keys introduced with Skylake allow an application to mark pieces of memory with a four-bit key. Applications set the processor to use a particular protection key, and, during that time, attempts to access memory that is labeled with a different key will generate an error. Yet again, a few nanoseconds of speculation can occur between making an invalid access (accessing memory with a mismatched protection key) and the processor reporting the error, enabling information that should be protected to leak.

Similarly, another Intel extension is the Memory Protection eXtensions (MPX). MPX is designed to allow the processor to detect and trap certain attempts to access out-of-bounds memory. The story here is the same as the other Meltdown problems: after attempting to perform an out-of-bounds access, a few nanoseconds of speculation are performed before the "out-of-bounds" error is generated, once more allowing information to leak. MPX is only available for 64-bit x64 programs. Thirty-two-bit x86 has a simpler form of bounds protection that's both on Intel and AMD chips; this simpler bounds protection is also susceptible to Meltdown-style information leakage, and, unusually, AMD processors are susceptible to this attack.

In every case, the processor generates a kind of error (classified by Intel as a "fault"). This error creates a small window of speculation between the action that generates the fault and the fault actually being reported.

Spectre, Meltdown researchers unveil 7 more speculative execution attacks [Peter Bright/Ars Technica]