New variants of the Spectre exploit discovered

After a few years out of the spotlight, the Spectre exploit seems to be worrying developers and users again, as in the case of AMD and its Zen 3 CPUs and the vulnerabilities discovered on Linux. Now a group of researchers from the University of Virginia and the University of California San Diego have discovered new variants of the Spectre exploit. These variants would affect all modern AMD and Intel CPUs that have a micro-op cache. How do these variants differ from earlier forms of Spectre? How risky are they?

The two research teams have unveiled three new variants of the Spectre exploit, which they describe in a white paper. According to the Phoronix website, which specializes in Linux news, a further scientific article is expected to be published by June. According to the researchers, the three variants exploit weaknesses in micro-op caches. Since Intel CPUs since 2011 and AMD CPUs since 2017 both use a micro-op cache, potentially all of these CPUs are susceptible to an attack.

The paper presents three new types of potential attacks:

- A cross-domain attack within the same thread, which leaks data arising from the interaction between user space and the kernel;
- A cross-SMT attack that transmits information between two SMT threads running on the same physical core but belonging to different logical cores, using the micro-op cache as the channel;
- Transient execution attacks, which can leak unauthorized data accessed along the wrong (mispredicted) path, even before the transient instruction is dispatched for execution.

The researchers clarify that both AMD and Intel were notified of the vulnerabilities in advance. So far neither has released microcode updates or OS patches. According to the researchers, this is because the vulnerabilities cannot be fixed without a serious impact on performance. The white paper proposes three possible ways to mitigate these new vulnerabilities.

The first method is to flush the micro-op cache on each domain change. However, in order to flush the micro-op cache, contemporary CPUs also need to flush the Instruction Translation Lookaside Buffer (iTLB), and frequent flushing of the micro-op cache and the iTLB "will have serious consequences on performance, as the processor cannot carry out other operations until the iTLB fills up". The second method is to partition the micro-op cache by privilege level. However, the increase in the number of protection domains would add overhead to every operation that uses the cache, with an inevitable impact on performance. Finally, the researchers consider introducing a monitoring system to detect anomalies. This solution also has a strong impact on performance, and is susceptible to errors.

The new variants of the Spectre exploit could, however, pose a risk limited to direct, targeted attacks. To exploit the new micro-op cache vulnerabilities, an attacker must first bypass all of the CPU's other software and hardware security measures: the researchers therefore hypothesize that these Spectre variants will not contribute to the spread of large-scale malware, such as the five most popular viruses according to Kaspersky. Rather, they are expected to be used in targeted attacks carried out by efficient and organized groups and entities, such as national intelligence agencies or the possible ransomware cartel. We'll see.
