New Versions of the Spectre CPU Hardware Vulnerabilities Have Been Discovered
 
One of the largest news in the security world last year was the outbreak of the Wannacry ransomware. Wannacry is perhaps the most destructive virus to date as it infected over 200,000 computers on over 150 countries. As damaging as most computer viruses are, large number of them are limited to the software exploitations, which allows for easier mitigation. The Spectre Vulnerability is of a different breed, as the vulnerability lies in the hardware side. Earlier this month, researchers a have revealed a new variations of the exploit revealing further potency of Spectre.
 
Spectre gets it’s name from the hardware exploitation in speculative execution. Speculative execution is where your processor attempts to make predictions on what a program will do based on the usage history of the program in order to run faster. When the program is executing this, it is vulnerable to being tricked to access arbitrary memory locations in the program. This can leave the contents of the accessed memory open to be read, thus leaving sensitive information exposed to attackers.
 
Speculative execution is a feature part of a processor or the physical cpu’s architecture. The difficulty that this causes that hardware exploits have been few and far between and there have been no established method to approach such a weakness. It also does not rely on any sort of software bug to be executed.
 
Researchers at Dartmouth have found new variants to Spectre, which they have dubbed Spectre 1.1 and Spectre 1.2. The 1.1 attacks takes advantage of speculative execution to cause an overflow of a CPU’s internal cache buffers in order to run malicious code to retrieve whatever data that was previously in the CPU’s cache. Spectre 1.2 on the other hand, can write on CPU memory that are supposed to be protected by read-only flags which makes sandboxing ineffective.
 
Although chip manufactures, such as Intel and AMD, have been contacted and made known about these vulnerabilities, no patches have yet to be issued. The severity of the problem has led Intel to pay the research team a $100,000 bounty for discovering the original Spectre bug.
 
In addition to this finding, another research team from University of California – Riverside has discovered another variation called SpectreRSB. This one exploits the return stack buffer (RSB), the system in CPUs that make predictions on return addresses rather than branch predictor units. This Spectre achieves the same goal as other Spectres, gaining access to sensitive information such as passwords and keys, that it shouldn’t be able to have access to.
 
The SpectreRSB forces the CPU to make a mistake in the speculative execution. This causes the call instruction x86 to push values to RSB to that the return address for the call instruction on longer match the RSB. The researchers provided sample code of how this is done:
 
 
 
AMD has weighed in on the discovery and have confirmed that using side-channel mitigations can seduce SpectreRSB. While Spectre RSB is a variation of Spectre, there does seem to be effective ways to mitigate it. This is good to know as it is discovered before any malware out in the wild had any chance to use it (to our knowledge at least. )