Intel’s ‘Virtual Fences’ Spectre Fix Won’t Protect Against Variant 4

Spectre and Meltdown fixes for Intel chips announced in March, to be embedded into new CPUs, do not address the newly disclosed Variant 4, sources said.

Intel introduced hardware-based safeguards to its new chips to protect against the Spectre and Meltdown flaws that rocked the silicon industry when the vulnerabilities were made public in early 2018. However, those protections are specific to V2 and V3, and will not impact the newly-discovered Variant 4 as well as other potential speculative execution side channel-related flaws in the future, sources familiar with the situation told Threatpost.

That said, chip experts familiar with the situation said that while these “protective walls” will not impact Variant 4, Intel has added a functionality into its microcode – the Speculative Store Bypass Disable (SSBD) bit – to protect against Variant 4. This functionality will continue to be utilized on future hardware platforms.

On Monday, Intel acknowledged that its processors are vulnerable to Variant 4, which could give attackers unauthorized read access to memory. Similar to the Meltdown and Spectre vulnerabilities, Variant 4 (CVE-2018-3639) is also a side channel analysis security flaw. However, Variant 4 uses a different process to extract information and is more of a cache exploit and that can be used in browser-based attacks.

After the disclosure of Spectre and Meltdown, Intel said earlier this year it has designed a new set of CPU design features that work with the operating system to install “virtual fences” protecting the system from speculative execution attacks that could exploit a variant of the Spectre flaw.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, CEO of Intel, said in a blog post at the time. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”

Krzanich said the new safeguards will be built into Intel’s next-generation Xeon Scalable processors, code-named Cascade Lake, as well as Intel’s eighth-gen Core processors that are expected to ship in the second half of 2018.

Patrick Moorhead, principal analyst at Moor Insights and Strategy, said that Variant 4 would be much harder to “fix” architecturally than V1, V2, or V3a.

“You either have to turn memory disambiguation on or off, which will be a BIOS setting,” he told Threatpost in an email. “It’s important to note that browsers have already included mitigations and that from a severity standpoint, has been flagged as ‘medium’ severity, compared to V1, V2, and V3, which were flagged as ‘high.’”

Variant 4 is most similar to Spectre V1 as opposed to Variant 2 or Variant 3, Moorhead said: “GPZv1 was exploiting the nature of the processor’s branch prediction. GPZv4 is taking advantage of a performance feature where the processor reorders loads/stores (memory disambiguation) to gain performance,” he said.

Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, said in a post on Monday,  that unlike Intel’s updates for other variants, the updates for Variant 4 will be optional and will be set to “off” by default.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” she wrote.

READ MORE HERE