A six-member security research team, comprising three academics from Northeastern University and three researchers from IBM Research, discovered a new CPU-based vulnerability. The flaw, dubbed SplitSpectre, is a variation of the Spectre CPU vulnerability which can be used to execute an attack through browser-based code.
This new vulnerability can also be ascribed to design flaws in the microarchitecture of modern processors, similar to the case of the Spectre v1 vulnerability discovered last year, as per the paper published by the research team. SplitSpectre, a new variation of the Spectre v1 vulnerability, is easier for the attacker to execute and relies on the same processor design flaws. This attack increases the speculative execution window length, which adds to the attacker’s capability, according to the research team.
Both the Spectre v1 and the SplitSpectre vulnerabilities can be exploited through attacks on the process of “speculative execution”, an optimization technique employed in modern processors to improve performance. The difference between the two lies in the way an attack can be executed.
SplitSpectre is a more powerful variant of Spectre v1. “Although Spectre v1 is powerful and does not rely on SMT (Simultaneous Multithreading), it requires [...] a gadget to be present in the victim's attack surface,” the researchers said.
Google Project Zero researchers said in a blog post on Spectre v1 [46] that they could not identify such a vulnerable code pattern in the kernel and instead relied on eBPF (extended Berkeley Packet Filter) to place one there themselves. As its name implies, SplitSpectre splits the Spectre v1 gadget into two parts.
For its research paper, the team carried out successful attacks on three different CPU architectures: Intel’s Skylake, Broadwell, and AMD’s Ryzen. The team used SpiderMonkey 52.7.4, Firefox’s JavaScript engine, to inject attack code.
Fortunately, a user won’t be affected by SplitSpectre if they have installed the CPU microcode updates from CPU vendors. Code compiler updates like those in LLVM and MSVC, and the browser-level changes that have been released since the first revelations of Spectre v1 in January 2018, can help protect users from SplitSpectre. However, in the absence of these mitigations, an attack is possible.
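The "gadget" the researchers refer to above, and the compiler-level mitigations just mentioned, are easiest to understand from a concrete code shape. The following C example is added here for illustration and is not code from the paper or from the research team: it shows the classic Spectre v1 bounds-check gadget pattern (Kocher et al.) as a defender would recognise it in a code review, next to two hardened forms, one using arithmetic index masking modelled on the Linux kernel's array_index_nospec() helper, and one using an LFENCE speculation barrier of the kind MSVC's /Qspectre option inserts. The tables array1 and array2, the sizes, and all function names are constructed for this example; the code does not measure timings or demonstrate the split-gadget variant the paper describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>   /* _mm_lfence() */
#endif

/* Constructed sample tables (not from the paper): array1 is the bounded
 * table the gadget indexes, array2 is the probe array whose cache lines a
 * Spectre v1 attack would observe. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {0, 3, 6, 9, 12, 15, 18, 21,
                                      24, 27, 30, 33, 36, 39, 42, 45};
static uint8_t array2[256 * 64];

/* Fill array2 so that array2[v * 64] == v; lets the gadgets return a
 * recognisable value for in-range indices. */
void init_tables(void) {
    for (int v = 0; v < 256; v++) array2[v * 64] = (uint8_t)v;
}

/* 1. The classic Spectre v1 gadget shape: a bounds check followed by a
 *    dependent load. Architecturally it is correct (out-of-range x never
 *    returns data). Microarchitecturally the CPU may run the body before
 *    the branch resolves, so an out-of-range x can transiently index
 *    array1 and touch a line of array2. This is the pattern to look for. */
uint8_t gadget_unmitigated(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* 2. Index masking, modelled on the Linux kernel's array_index_nospec():
 *    build an all-ones / all-zeros mask with arithmetic only, so the clamp
 *    holds even on a mispredicted path (there is no branch to mispredict).
 *    Assumes size < 2^(bits-1), as the kernel helper does. */
size_t array_index_mask(size_t index, size_t size) {
    size_t diff = size - index - 1;                        /* wraps (top bit set) iff index >= size */
    size_t top  = (index | diff) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (1 - top);                          /* top == 0 -> all ones, else 0 */
}

uint8_t gadget_masked(size_t x) {
    if (x < ARRAY1_SIZE) {
        x &= array_index_mask(x, ARRAY1_SIZE);            /* x becomes 0 on a mispredicted path */
        return array2[array1[x] * 64];
    }
    return 0;
}

/* 3. Speculation barrier: an LFENCE after the bounds check prevents the
 *    dependent load from issuing until the branch has resolved. Costlier
 *    than masking, but mechanical to apply, which is why compilers do it. */
uint8_t gadget_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
#if defined(__x86_64__) || defined(__i386__)
        _mm_lfence();
#else
        __asm__ __volatile__("" ::: "memory");            /* compiler-only barrier; no speculation guarantee on other ISAs */
#endif
        return array2[array1[x] * 64];
    }
    return 0;
}

int main(void) {
    init_tables();
    for (size_t x = 0; x < ARRAY1_SIZE; x += 5)
        printf("x=%zu unmitigated=%u masked=%u fenced=%u\n", x,
               gadget_unmitigated(x), gadget_masked(x), gadget_fenced(x));
    printf("out of range: masked=%u fenced=%u\n",
           gadget_masked(1000), gadget_fenced(1000));
    return 0;
}
```

All three functions return identical values for every in-range index, which is the point: the mitigations change only what the CPU may do transiently, not the program's architectural result, so they can be applied to existing code without behavioural change. The masking form is the one to prefer on hot paths; the fence is what a compiler flag gives you when you cannot audit every site by hand.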
The researchers stated, “All things considered, our analyses lead us to conclude that the attack is viable and that the ability to trigger it in practice depends on the identified microarchitectural properties of individual CPU families.”
Apart from the discovery of the vulnerability, the research team also developed a new tool called Speculator which can be used to measure microarchitectural characteristics and aid in investigating speculative execution. This tool can also help other researchers to further investigate speculative execution attacks in the future. The team has stated that they plan to release this tool as open source software.
Further detailed technical information can be found in the research paper available here. In light of this discovery, the predictions of the research team who first discovered the initial Meltdown and Spectre attacks last year ring true: they predicted that more variations of these attacks would be found. That same team also recently published a paper detailing seven Meltdown and Spectre variations.