
A group of researchers recently disclosed seven additional attacks in the Spectre and Meltdown families. These seven attacks are said to affect AMD, ARM, and Intel CPUs to varying extents. The researchers describe the execution of these attacks in detail in their research paper, ‘A Systematic Evaluation of Transient Execution Attacks and Defenses’.

2 Meltdown and 5 Spectre variants found

The 7 newly found attacks include 2 new Meltdown variants, namely Meltdown-PK and Meltdown-BR, and 5 new Spectre mistraining strategies for Spectre-PHT and Spectre-BTB attacks. The researchers said that these 7 new attacks had been overlooked and not investigated so far.

The researchers successfully demonstrated all seven attacks with proof-of-concept code. However, experiments to confirm six other Meltdown attacks did not succeed.

The two new Meltdown attacks are:

  • Meltdown-PK – bypasses memory protection keys on Intel CPUs
  • Meltdown-BR – exploits the x86 bound instruction on Intel and AMD

The other Meltdown attacks which the researchers tried and failed to exploit targeted the following internal CPU operations:

  • Meltdown-AC – tried to exploit memory alignment check exceptions
  • Meltdown-DE – tried to exploit division (by zero) errors
  • Meltdown-SM – tried to exploit the supervisor mode access prevention (SMAP) mechanism
  • Meltdown-SS – tried to exploit out-of-limit segment accesses
  • Meltdown-UD – tried to exploit invalid opcode exceptions
  • Meltdown-XD – tried to exploit non-executable memory

Source: A Systematic Evaluation of Transient Execution Attacks and Defenses

In order to understand the Spectre-type attacks, the researchers proposed a categorization based on, first, the prediction mechanism exploited, and second, the mistraining mechanism.

Here the researchers propose to group all attacks that exploit the same microarchitectural element:

  • Spectre-PHT: Exploits the Pattern History Table (PHT)
  • Spectre-BTB: Exploits the Branch Target Buffer (BTB)
  • Spectre-STL: Exploits the CPU's memory disambiguation prediction, specifically store-to-load forwarding (STLF)
  • Spectre-RSB: Exploits the Return Stack Buffer (RSB)

According to ZDNet, “Based on the experiments, the researchers found three new Spectre attacks that exploit the Pattern History Table (PHT) mechanism and two new Spectre attacks against the Branch Target Buffer (BTB).”

  • PHT-CA-OP
  • PHT-CA-IP
  • PHT-SA-OP
  • BTB-SA-IP
  • BTB-SA-OP

Defenses for these new Spectre and Meltdown attacks

For each of the Spectre and Meltdown attack types, the researchers have categorized the defenses into three and two categories respectively.

For Spectre-type attacks, the defense categories are:

  • Mitigating or reducing the accuracy of covert channels used to extract the secret data.
  • Mitigating or aborting speculation if data is potentially accessible during transient execution.
  • Ensuring that secret data cannot be reached.
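As an added illustration of the second Spectre defense category (stopping a transient load from reaching data it should not) applied to Spectre-PHT, the C snippet below is not from the paper or the article. It places the classic bounds-checked read beside a hardened version that clamps the index with a branch-free mask in the style of the Linux kernel's array_index_nospec(); the array contents and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data for the example. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};

/* Spectre-PHT-style pattern: architecturally correct, but the conditional
 * branch is predicted by the PHT. If the predictor has been mistrained,
 * the load below may execute transiently with an out-of-bounds idx before
 * the comparison resolves, leaving a microarchitectural trace. */
int read_unsafe(size_t idx, uint8_t *out) {
    if (idx < PUBLIC_LEN) {
        *out = public_data[idx];
        return 1;
    }
    return 0;
}

/* Branch-free mask, in the style of array_index_nospec(): all ones when
 * idx < size, zero otherwise. Because it is arithmetic rather than a
 * branch, it also holds on a mispredicted path. Assumes idx and size are
 * both below SIZE_MAX / 2, so (idx - size) wraps iff idx < size. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)0 - ((idx - size) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened read: even if the branch mispredicts, the transient load sees
 * idx & 0 == 0, which is in bounds, so no out-of-bounds data is touched. */
int read_hardened(size_t idx, uint8_t *out) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        *out = public_data[idx];
        return 1;
    }
    return 0;
}

/* Convenience wrapper: -1 when the index is rejected, else the byte read. */
int lookup_hardened(size_t idx) {
    uint8_t v = 0;
    return read_hardened(idx, &v) ? (int)v : -1;
}
```

The same category also covers inserting a serializing barrier (an lfence on x86) after the bounds check; the mask approach avoids the barrier's cost on every call.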

For Meltdown-type attacks, the defense categories are:

  • Ensuring that architecturally inaccessible data remains inaccessible on the microarchitectural level.
  • Preventing the occurrence of faults.

The researchers in the paper said, “We have systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked. Hence, we need to think about future defenses carefully and plan to mitigate attacks and variants that are yet unknown”.

To know more about these newly found attacks in detail and the related experiments, head over to the research paper written by Claudio Canella et al.
