Intel’s Latest Spoiler: A Spectre-Style Hardware Exploit That Leaks Private Data
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper. Such is the case with a new Intel processor vulnerability dubbed Spoiler. Spoiler is similar in concept to Spectre, and was discovered by researchers at the Worcester Polytechnic Institute.
But while Spoiler relies on speculative execution (i.e., a processor performing tasks that it “predicts” may be requested by the user in the future, and storing that data in memory), existing Spectre mitigation solutions are not applicable. This is bad news not only for Intel, but also for customers who rely on Intel processor platforms that could be vulnerable to attack.
The research paper [PDF] clearly points out, “Spoiler is not a Spectre attack. The root cause for Spoiler is a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler.”
As with Spectre, this new speculative execution attack would allow nefarious parties to pilfer passwords, secure keys and other critical data from memory. However, we should note that an attacker would need physical access to a system – which may be simply impossible in many cases – or somehow inject a piece of malware onto the system by other means to gain access.
Interestingly, the researchers say that they have probed both ARM and AMD processor architectures and have not found them susceptible to Spoiler, noting that, “Intel uses a proprietary memory disambiguation and dependency resolution logic in the processors to predict and resolve false dependencies that are related to the speculative load.”
Diving even further, it appears that nearly all modern Intel processors are affected, regardless of what operating system is running on a PC. “The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments,” the researchers write.
Given that Spoiler was just revealed to the public, there are no current software mitigation solutions available. And there’s of course no timeline as to when a potential fix can be implemented in hardware or what kind of performance impact it would have. For its part, Intel provided the following statement to TechRadar:
“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest.
“We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”
We’ll keep you updated as we learn more about Spoiler and if Intel plans to work with its hardware partners to deploy microcode updates in the future to address the exploit.
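The practice named in Intel's statement, avoiding control flow that depends on the data of interest, shown as an added example (not code from the article, Intel or the researchers): a toy square-and-multiply modular exponentiation whose branch on each secret exponent bit is replaced by a branchless select. The function names, the sub-2^32 modulus limit and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy arithmetic: requires 0 < m < 2^32 so a*b fits in 64 bits. '%' is not
 * guaranteed constant-time; this example concerns control flow only. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

/* Branchless select: returns a when bit == 1, b when bit == 0. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* BEFORE: the extra multiply runs only for set exponent bits, so the
 * sequence of executed operations depends on the secret exponent. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)
            r = mulmod(r, base, m);
    }
    return r;
}

/* AFTER: every iteration performs the same square, multiply and select,
 * whatever the exponent bits are; the bit only chooses which value is kept. */
uint64_t modexp_ct(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint64_t t = mulmod(r, base, m);
        r = ct_select((exp >> i) & 1, t, r);
    }
    return r;
}

int main(void) {
    /* Constructed sample values, not real key material. */
    uint64_t m = 1000000007ULL, b = 5, e = 0xC0FFEEULL;
    printf("branchy=%llu ct=%llu\n",
           (unsigned long long)modexp_branchy(b, e, m),
           (unsigned long long)modexp_ct(b, e, m));
    return 0;
}
```

An optimizing compiler can turn a select back into a branch, so the generated assembly of code like `modexp_ct` should be inspected for the target build.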