A group of researchers recently disclosed seven additional attacks in the Spectre and Meltdown families. The seven attacks are said to affect AMD, ARM, and Intel CPUs to varying extents. The researchers present these attacks in detail in their research paper, ‘A Systematic Evaluation of Transient Execution Attacks and Defenses’.
2 Meltdown and 5 Spectre variants found
The 7 newly found attacks include 2 new Meltdown variants, Meltdown-PK and Meltdown-BR, and 5 new mistraining strategies for Spectre-PHT and Spectre-BTB attacks. The researchers said that these 7 attacks had been overlooked and not investigated so far.
The researchers successfully demonstrated all seven attacks with proof-of-concept code. However, experiments to confirm six other Meltdown attacks did not succeed.
The two new Meltdown attacks are:
- Meltdown-PK – bypasses memory protection keys on Intel CPUs
- Meltdown-BR – exploits the x86 bound instruction on Intel and AMD
The other Meltdown attacks, which the researchers tried and failed to exploit, targeted the following CPU exception and protection mechanisms:
- Meltdown-AC – tried to exploit memory alignment check exceptions
- Meltdown-DE – tried to exploit division (by zero) errors
- Meltdown-SM – tried to exploit the supervisor mode access prevention (SMAP) mechanism
- Meltdown-SS – tried to exploit out-of-limit segment accesses
- Meltdown-UD – tried to exploit the invalid opcode exception
- Meltdown-XD – tried to exploit non-executable memory
Source: A Systematic Evaluation of Transient Execution Attacks and Defenses
To understand the Spectre-type attacks, the researchers proposed a categorization based on, first, the prediction mechanism exploited and, second, the mistraining mechanism.
Under the first criterion, the researchers group together all attacks that exploit the same microarchitectural element:
- Spectre-PHT: Exploits the Pattern History Table (PHT)
- Spectre-BTB: Exploits the Branch Target Buffer (BTB)
- Spectre-STL: Exploits the CPU's memory disambiguation prediction, specifically store-to-load forwarding (STLF)
- Spectre-RSB: Exploits the Return Stack Buffer (RSB)
According to ZDNet, “Based on the experiments, the researchers found three new Spectre attacks that exploit the Pattern History Table (PHT) mechanism and two new Spectre attacks against the Branch Target Buffer (BTB).” The five new variants are:
- PHT-CA-OP
- PHT-CA-IP
- PHT-SA-OP
- BTB-SA-IP
- BTB-SA-OP
Defenses for these new Spectre and Meltdown attacks
For each of the Spectre and Meltdown attack types, the researchers have categorized the defenses into three and two categories respectively.
For Spectre-type attacks, the defense categories are:
- Mitigating or reducing the accuracy of covert channels used to extract the secret data.
- Mitigating or aborting speculation if data is potentially accessible during transient execution.
- Ensuring that secret data cannot be reached.
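As an added illustration of a defense of the kind listed above for Spectre-PHT (example code, not from the paper or this article): a bounds-checked lookup whose branch can be mistrained, beside a hardened version that masks the index so a mispredicted check cannot steer the transient load beyond the table. The table contents and the function names are constructed for the example; the mask follows the construction used by the Linux kernel's array_index_mask_nospec().

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16
/* Constructed sample data standing in for a lookup table that sits near secrets. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Plain bounds check. Architecturally correct, but the branch is subject to
 * PHT prediction: if mistrained, table[idx] can be read transiently for an
 * idx >= TABLE_LEN before the misprediction is squashed (Spectre-PHT). */
int table_lookup_unsafe(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return -1;
}

/* Branch-free mask: all ones when idx < len, zero when idx >= len (including
 * very large idx). Requires 1 <= len < SIZE_MAX/2. The value comes from
 * arithmetic rather than a predicted branch, so it is also correct during
 * transient execution. Same construction as array_index_mask_nospec(). */
size_t index_mask(size_t idx, size_t len) {
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = oob - 1;      /* in bounds: 0-1 = ~0; out of bounds: 1-1 = 0 */
#if defined(__GNUC__)
    __asm__("" : "+r"(mask));   /* keep the optimizer from folding the mask away */
#endif
    return mask;
}

/* Hardened lookup: the mask clamps a mispredicted out-of-range idx to 0, so
 * the transient load can only touch table[0], never memory beyond the table. */
int table_lookup_masked(size_t idx) {
    if (idx >= TABLE_LEN)
        return -1;
    idx &= index_mask(idx, TABLE_LEN);
    return table[idx];
}

int main(void) {
    printf("unsafe(5)=%d masked(5)=%d masked(99)=%d\n",
           table_lookup_unsafe(5), table_lookup_masked(5), table_lookup_masked(99));
    return 0;
}
```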
For Meltdown-type attacks, the defense categories are:
- Ensuring that architecturally inaccessible data remains inaccessible on the microarchitectural level.
- Preventing the occurrence of faults.
The researchers in the paper said, “We have systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked. Hence, we need to think about future defenses carefully and plan to mitigate attacks and variants that are yet unknown”.
To learn more about these newly found attacks and the related experiments, head over to the research paper by Claudio Canella et al.