Who can forget Spectre and Meltdown, the CPU vulnerabilities uncovered a year ago that affect nearly every computer chip manufactured in the last 20 years? You know, the flaws that hackers can exploit to root out information previously thought to be completely protected?
Now they have a microarchitectural sidekick of sorts (although the new issue is separate from the Spectre vulnerabilities): a research paper describes a flaw present in Intel microprocessors dating back to the first-generation Intel Core, irrespective of the operating system. Hackers can exploit the flaw through malicious JavaScript within a browser or through malware on the system, using it as a foothold to gain passwords, keys and other secrets from CPU memory. The U.K.'s Register first reported on the research following its release earlier this month.
What Is the Spoiler Vulnerability?
Computer scientists at the Worcester Polytechnic Institute in Massachusetts and the University of Lubeck in Germany reportedly discovered a new way to abuse what’s called “speculative execution” in Intel-based CPUs, in a manner similar to how Spectre and Meltdown operate. Speculative execution lets a chip perform future work that may or may not be needed while it waits for other computations to complete. Think of it as getting a head start on what’s next. Or a chip might use idle time to compute a function even if it hasn’t been asked to do so, just in case. It’s what paved the way for Spectre.
Researchers Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar detailed in their report a “weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem” that exposes memory layout information, as the Register reported.
"We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes," the researchers wrote. "The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."
Spoiler Vulnerability: What Chips Are Impacted?
For now, the issue is confined to Intel chips. The researchers found no similar behavior in AMD or ARM processors.
The research paper is entitled "SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks." Apparently, SPOILER isn’t an acronym for anything, the researchers said. They wanted a name that starts with “Sp,” Moghimi told the Register, because the issue is “due to speculative execution” and contradicts “security assumptions on modern CPUs.”
A quick note about Rowhammer: it involves repeatedly accessing a “row” of transistors in a computer's memory chip until it leaks some electricity into the next row. The idea is to alter the data stored in memory by getting a bit in the target row to “flip” from one value to another, enabling the hacker to gain more system access (via Wired). The Spoiler bug, the researchers said, makes Rowhammer and cache attacks easier and quicker.
According to the Register, Intel was informed of the research paper’s findings on December 1, 2018. The report was released 90 days later, as is common practice when disclosing security flaws.
Spoiler Vulnerability: Is There A Software Patch or Fix?
Right now, no mitigation exists. Because it's not a Spectre attack, none of Intel's Spectre mitigations work on it. And there may not be a software fix, Moghimi told the Register. "My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said. "So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a ."
Intel’s response:
“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”
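Intel's statement refers to "side channel safe development practices" and to "avoiding control flows that are dependent on the data of interest." The C program below is an added illustration of what that phrase means in practice; it is not code from Intel, the Register, or the SPOILER researchers, and it models the generic problem of secret-dependent control flow rather than the specific address-speculation leak in the paper. It compares a constructed sample secret against a guess two ways: a leaky routine that stops at the first differing byte (so its loop count and branch pattern depend on the secret), and a constant-time routine that always does the same work regardless of the input. The helper functions report how many bytes of the secret each routine touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_LEN 8
/* Constructed sample secret for the demo only; not a real key. */
static const uint8_t SAMPLE_SECRET[SAMPLE_LEN + 1] = "s3cret!!";

/* Leaky comparison: returns as soon as a byte differs. The number of loop
   iterations, and therefore the timing and branch history, depends on how
   many leading bytes of the guess match the secret. *bytes_read records
   how much of the secret was touched before the decision was made. */
static int compare_leaky(const uint8_t *secret, const uint8_t *guess,
                         size_t n, size_t *bytes_read) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {   /* control flow depends on secret */
            *bytes_read = i + 1;
            return 0;
        }
    }
    *bytes_read = n;
    return 1;
}

/* Constant-time comparison: always walks every byte and folds the
   differences into an accumulator with OR, so the control flow and the
   memory access pattern are identical for every guess. The final
   reduction derives the 0/1 result arithmetically instead of branching. */
static int compare_ct(const uint8_t *secret, const uint8_t *guess,
                      size_t n, size_t *bytes_read) {
    unsigned int acc = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        acc |= (unsigned int)(secret[i] ^ guess[i]);
    }
    *bytes_read = n;
    /* acc is in 0..255: (acc - 1) >> 8 is non-zero only when acc == 0. */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Helpers (hypothetical names) exposing each routine's result and the
   amount of work it did for a given guess against SAMPLE_SECRET. */
int leaky_match(const uint8_t *guess) {
    size_t r;
    return compare_leaky(SAMPLE_SECRET, guess, SAMPLE_LEN, &r);
}
int ct_match(const uint8_t *guess) {
    size_t r;
    return compare_ct(SAMPLE_SECRET, guess, SAMPLE_LEN, &r);
}
size_t leaky_bytes_read(const uint8_t *guess) {
    size_t r;
    compare_leaky(SAMPLE_SECRET, guess, SAMPLE_LEN, &r);
    return r;
}
size_t ct_bytes_read(const uint8_t *guess) {
    size_t r;
    compare_ct(SAMPLE_SECRET, guess, SAMPLE_LEN, &r);
    return r;
}

int main(void) {
    /* Constructed guesses with 0, 1, 7 and 8 matching leading bytes. */
    const char *guesses[] = { "Xyz!!!!!", "sXcret!!", "s3cret!X", "s3cret!!" };
    size_t g;
    printf("%-10s %-6s %-10s %-6s %-10s\n",
           "guess", "leaky", "bytes", "ct", "bytes");
    for (g = 0; g < sizeof guesses / sizeof guesses[0]; g++) {
        const uint8_t *u = (const uint8_t *)guesses[g];
        printf("%-10s %-6d %-10zu %-6d %-10zu\n", guesses[g],
               leaky_match(u), leaky_bytes_read(u),
               ct_match(u), ct_bytes_read(u));
    }
    return 0;
}
```

The leaky routine's "bytes read" column grows with the number of correct leading bytes, which is exactly the kind of secret-dependent behaviour that a timing, branch-predictor or cache side channel can observe; the constant-time routine reports the same work for every guess. Note that a compiler may still transform code like this, so production implementations rely on audited constant-time libraries rather than hand-written loops.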