In 2018, industrial and academic researchers uncovered a potentially devastating hardware flaw that made computers and other devices around the world vulnerable to attack.
The researchers named the vulnerability Spectre because the flaw is built into modern computer processors, which get their speed from a technique called “speculative execution,” in which the processor predicts instructions it may end up executing and prepares by following the predicted path to fetch those instructions from memory. A Spectre attack tricks the processor into executing instructions along the wrong path. Although the processor recovers and completes its task correctly, hackers can access confidential data while the processor is heading the wrong way.
Since the discovery of Spectre, the world
They will have to return to the drawing board.
A team from the University of Virginia, School of Computer Engineering, has uncovered a line of attack that defeats all of Spectre’s defenses, meaning that billions of computers and other devices around the world are just as vulnerable today as when Spectre was first announced. The team reported its discovery to international chipmakers in April and will present the new challenge at a global conference on computer architecture in June.
Researchers led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, have discovered a whole new way for hackers to exploit something called a “micro-operation cache,” which speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process. Micro-operation caches have been built into Intel computers manufactured since 2011.
The Venkat team found that hackers can steal data when the processor retrieves commands from the micro-operation cache.
“Consider a hypothetical airport security scenario in which the TSA allows you to enter without checking your boarding pass because (1) it is fast and efficient and (2) you will be checked for your boarding pass at the gate anyway,” said Venkat. “A computer processor is doing something similar. It predicts that the check will pass and may run instructions on the pipeline. Eventually, if the forecast is incorrect, it will throw those instructions off the pipeline, but it may be too late because these instructions may leave side effects while waiting in the pipeline, which the attacker can use later to bring out secrets such as a password.”
Because all current Spectre defenses protect the processor at a later stage of speculative execution, they are useless against the Venkat team’s new attacks. Two variants of the attacks the team discovered can steal speculatively accessed information from Intel and AMD processors.
“Intel’s proposed protection against Spectre, called LFENCE, puts sensitive code in a waiting area until security checks are performed, and only then is the sensitive code allowed to run,” Venkat said. “But it turns out that the walls of this waiting area have ears that our attack exploits. We show how the attacker can transfer secrets through the micro-operation cache, using it as a hidden channel.”
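The fence placement Venkat describes, as an added example that is not from the article or the researchers' paper: a bounds-checked lookup with and without an LFENCE after the check. The names `table`, `probe`, `lookup_unfenced` and `lookup_fenced` and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On x86, LFENCE holds back later instructions until earlier ones
 * (here: the bounds compare) have completed. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Assumption: non-x86 build; compiler-only barrier so the file compiles. */
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 16u
/* Constructed sample data. */
static const uint8_t table[TABLE_LEN] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3};
static uint8_t probe[256 * 64];   /* second array, indexed by the loaded value */

void init_probe(void) {
    for (unsigned v = 0; v < 256; v++)
        probe[v * 64] = (uint8_t)v;
}

/* Unfenced: if the branch is predicted taken for an out-of-range idx, both
 * loads can run speculatively and leave a data-dependent cache footprint
 * before the misprediction is squashed. */
uint8_t lookup_unfenced(size_t idx) {
    if (idx < TABLE_LEN)
        return probe[table[idx] * 64];
    return 0;
}

/* Fenced: the "waiting area". The loads cannot begin until the bounds
 * check has resolved. The article reports that the micro-operation cache
 * attack acts earlier in the pipeline than this fence does. */
uint8_t lookup_fenced(size_t idx) {
    if (idx < TABLE_LEN) {
        SPEC_BARRIER();
        return probe[table[idx] * 64];
    }
    return 0;
}

int main(void) {
    init_probe();
    printf("in range:  %u\n", (unsigned)lookup_fenced(5));
    printf("out of range: %u\n", (unsigned)lookup_fenced(1000));
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in what the processor may do speculatively after the bounds check.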
Venkat’s team includes three of his computer science graduate students: Ph.D. student Sida Wren, Ph.D. student Logan Moody and master’s degree recipient Matthew Jordan. The UVA team is collaborating with Dean Tullsen, a professor in the Department of Computer Science and Engineering at the University of California, San Diego, and his Ph.D. student Mohammadkazem Taram to reverse-engineer some undocumented features in Intel and AMD processors.
They described the findings in detail in their paper: “I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches.”
This newly discovered vulnerability will be much more difficult to fix.
“In the case of previous Spectre attacks, the developers have come up with a relatively easy way to prevent any kind of attack without a serious performance penalty,” Moody said. “The difference with this attack is that you will receive a much higher penalty for execution than with these previous attacks.”
“Patches that deactivate the micro-operation cache or stop speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, which is simply not feasible,” said Wren, the lead student author.
“It’s really not clear how to solve this problem in a way that offers high performance legacy hardware, but we need to make it work,” Venkat said. “Providing cache is an interesting line of research that we are considering.”
The Venkat team disclosed the vulnerability to the product security teams at Intel and AMD. Wren and Moody gave a technical talk at Intel Labs worldwide on April 27 to discuss the impact and potential fixes. Venkat expects computer scientists in academia and industry to work together quickly, as they did with Spectre, to find solutions.
The team’s paper has been accepted by the highly competitive International Symposium on Computer Architecture, or ISCA. The annual ISCA conference is the leading forum for new ideas and research results in computer architecture and will be held virtually in June.
Venkat also works closely with the Intel Labs CPU Architectural Team on other microarchitectural innovations through the National Partnership on Fundamental Microarchitecture Research Program.
Venkat was well prepared to lead the UVA research team in this discovery. He formed a long-standing partnership with Intel that began in 2012 when he interned at the company while a computer science student at the University of California, San Diego.
This research, as well as other projects led by Venkat, is funded by the National Science Foundation and the Defense Advanced Research Projects Agency.
Venkat is also one of the university researchers who co-authored a paper with collaborators Mohammadkazem Taram and Tullsen of UC San Diego that introduces a more targeted microcode-based defense against Spectre. Context-sensitive fencing, as it is called, allows the processor to patch running code with speculation fences on the fly.
Introducing one of only a few more targeted microcode-based defenses designed to stop Spectre in its tracks, “Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization” was published at the ACM International Conference on Architectural Support for Programming Languages and Operating Systems in April 2019. The paper was also selected as a top pick among all computer architecture, computer security and VLSI design conference papers published during the six-year period between 2014 and 2019.
The new Spectre variants that Venkat’s team discovered even break the context-sensitive fencing mechanism outlined in Venkat’s award-winning paper. But in this type of research, breaking your own defenses is just another big win. Each security improvement allows researchers to dig even deeper into the hardware and uncover more flaws, which is exactly what Venkat’s research team did.