Dylan Davis - May 24, 2018

Spectre Rises from the Grave

On May 21, 2018, Microsoft and Google released two new side-channel attacks called Spectre Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639). These are a concern only for operating system developers; for everyone else, these vulnerabilities will be addressed by routine patches to operating systems and CPU microcode and do not warrant emergency action.

About the Vulnerabilities

Figure: Spectre and Meltdown logos.

Variant 3a and Variant 4 are successors to the Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754) speculative execution vulnerabilities disclosed on January 3, 2018. The new vulnerabilities use the same core ideas as the original Spectre and Meltdown variants and achieve the same results, but are viable against hosts that are patched against the earlier vulnerabilities. These vulnerabilities are categorized as low to medium risk and are only relevant in very limited circumstances. They cannot be used to gain initial access to a system and can only be performed when an attacker has already achieved code execution on a system. These vulnerabilities cannot be used to execute code or modify memory, only to read memory a process would not otherwise be able to read. Remote code execution vulnerabilities should be considered a higher priority than speculative execution vulnerabilities because speculative execution vulnerabilities can only be used after code execution has been achieved.

Speculative execution exists because a CPU tries to predict the most efficient code paths and saves time through a number of tricks, such as executing instructions out of order, predicting which memory accesses will be prerequisites for later ones, and guessing which loop or conditional branch is most likely to be taken and executing it first.

Side-channel attacks are generally time-based and leak information from residue left over after an attacker-controllable event. Affected CPUs cache memory during speculative execution, and with careful timing of memory accesses, an attacker can determine with high confidence what values are stored in memory. In some cases, this can even cross process boundaries and the kernel/user-mode barrier.

It was not until this year that speculative execution and side-channel analysis were combined to create a new class of hardware vulnerability. Since the original Meltdown and Spectre white papers were released in January, numerous additional speculative execution side-channel attacks have been discovered by other researchers.

The Practical Impact

When the first round of Spectre/Meltdown attacks was announced, the best-case scenario for speculative execution bugs was running them in JavaScript. However, browser vendors have cut that off at the root by limiting the ability of JavaScript to access high-precision timing information [1][2]. This mitigation is effective against both the old and new variants. As such, these attacks are only viable in malware that has already achieved full-featured local code execution.

The most likely way to use this vulnerability is as a supplement to another vulnerability; by reading memory, it is possible to bypass Address Space Layout Randomization, a mitigation that prevents the exploitation of some code execution vulnerabilities.

A secondary potential application for these vulnerabilities is elevating privilege from a low-privilege local process to a high-privilege local process by reading password data from memory. This is unlikely to be practical or relevant in many real-world situations; local privilege escalation vulnerabilities are plentiful, and these are unlikely to ever be first-choice tools for that job.

The new Spectre/Meltdown variants are fundamentally very similar to the original variants except with narrower applicability and more specific preconditions. No publicly known malware has yet made a significant impact using the original variants. If any malware was to make effective use of speculative execution vulnerabilities, it would likely be using the older variants.

The primary reason speculative execution vulnerabilities are attractive to malware authors is their near universal applicability. These vulnerabilities are not uniquely powerful, only uniquely widespread. These new variants have been released only five months after the original versions. Because that delay is short, the population of hosts patched against the original variants of Spectre/Meltdown but not against these new versions is likely to be small. As such, malware authors have little incentive to target these newer, harder-to-use variants of the vulnerability.

The Future of Speculative Execution

Speculative execution side-channel attacks are a relatively new area of research that has only recently received broad attention; there will almost certainly be more variants of this type of attack announced in the future. Regular patching applied broadly across your infrastructure will protect you against these variants, against new variants as they are discovered, and against the more serious vulnerabilities that put an attacker in a position to attempt speculative execution attacks in the first place.
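One way to verify that the routine patching described above has actually landed on a Linux host is to read the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from the RiskSense post; it assumes that directory layout and the kernel's "Not affected" / "Vulnerable" / "Mitigation: ..." line format, and it maps each file to the CVEs named in the post. Variant 3a (CVE-2018-3640) is addressed by microcode alone and has no sysfs entry, so it is reported separately.

```python
"""Report kernel mitigation status for the Spectre/Meltdown family (Linux)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> (CVE, human-readable name); CVEs as cited in the post.
ISSUES = {
    "spectre_v1": ("CVE-2017-5753", "Spectre Variant 1"),
    "spectre_v2": ("CVE-2017-5715", "Spectre Variant 2"),
    "meltdown": ("CVE-2017-5754", "Meltdown (Variant 3)"),
    "spec_store_bypass": ("CVE-2018-3639", "Spectre Variant 4"),
}
# Variant 3a is fixed purely by microcode; the kernel publishes no status for it.
MICROCODE_ONLY = {"CVE-2018-3640": "Spectre Variant 3a"}


def classify(line: str) -> str:
    """Map one raw sysfs status line to a coarse verdict."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not-affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):       # e.g. "Vulnerable: Minimal ... retpoline"
        return "vulnerable"
    return "unknown"


def summarize(statuses: dict) -> dict:
    """statuses maps sysfs file name -> raw line. Returns {CVE: verdict}.

    A missing file means the running kernel has no code for that issue
    (typically it predates the fix), so no kernel-side mitigation can be active.
    """
    result = {}
    for name, (cve, _desc) in ISSUES.items():
        result[cve] = classify(statuses[name]) if name in statuses else "no-kernel-status"
    for cve in MICROCODE_ONLY:
        result[cve] = "not-reported-by-kernel"  # check microcode/firmware level instead
    return result


def read_sysfs(base: Path = SYSFS_DIR) -> dict:
    """Collect the raw status lines from the live system (Linux only)."""
    if not base.is_dir():
        return {}  # kernel without the vulnerabilities directory at all
    return {p.name: p.read_text() for p in base.iterdir() if p.is_file()}


if __name__ == "__main__":
    for cve, verdict in sorted(summarize(read_sysfs()).items()):
        print(f"{cve}: {verdict}")
```

Any CVE that comes back as "vulnerable" or "no-kernel-status" on a patched fleet is worth a ticket; "not-reported-by-kernel" for CVE-2018-3640 simply means the check must be done at the microcode/firmware level.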


[1] https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

[2] https://bugs.chromium.org/p/chromium/issues/detail?id=506723

