Spectre Rises from the Grave
Spectre Rises from the Grave
On May 21, 2018, Microsoft and Google released two new side-channel attacks called Spectre Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639). These are only important to worry about if you are an operating system developer; for everyone else, these vulnerabilities will be addressed by routine patches to operating systems and CPU microcode and do not warrant emergency action.
About the Vulnerabilities
Variant 3a and Variant 4 are successors to the Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754) speculative execution vulnerabilities disclosed on January 3, 2018. The new vulnerabilities use the same core ideas as the original Spectre and Meltdown variants and achieve the same results, but are viable against hosts that are patched against the earlier vulnerabilities. These vulnerabilities are categorized as low to medium risk and are only relevant in very limited circumstances. They cannot be used to gain initial access to a system and can only be performed when an attacker has already achieved code execution on a system. These vulnerabilities cannot be used to execute code or modify memory, only to read memory a process would not otherwise be able to read. Remote code execution vulnerabilities should be considered a higher priority than speculative execution vulnerabilities because speculative execution vulnerabilities can only be used after code execution has been achieved.
Speculative execution occurs because a CPU tries to predict the most efficient code paths and saves time through a number of tricks such as executing instructions out of order, assessing when memory access will be a prerequisite to future access, and guessing the most likely loop/conditional branches to travel first.
Side-channel attacks are generally time-based and can leak information from residue left over after an attacker-controllable event. Affected CPUs cache memory during speculative execution, and with clever timings of the memory accesses, an attacker can determine with high confidence what values are stored in memory. In some cases, this can even cross process and the kernel/user mode barriers.
It wasn’t really until this year that speculative execution and side channel analysis was combined to create a new hardware vulnerability class. Since the original Meltdown and Spectre white papers were released in January, numerous additional speculative execution side channel attacks have been discovered by other researchers.
The Practical Impact
The most likely practical way to use this vulnerability is as a supplement to another vulnerability; by reading memory, it is possible to bypass Address Space Layout Randomization, a mitigation that prevents the exploitation of some code execution vulnerabilities.
A secondary potential application for these vulnerabilities is elevating privilege from a low-privilege local process to a high privilege local process by reading password data from memory. This is unlikely to be practically possible or relevant in many real-world situations; local privilege escalation vulnerabilities are plentiful and these are unlikely to ever be first-choice tools for that job.
The new Spectre/Meltdown variants are fundamentally very similar to the original variants except with narrower applicability and more specific preconditions. No publicly known malware has yet made a significant impact using the original variants. If any malware was to make effective use of speculative execution vulnerabilities, it would likely be using the older variants.
The primary reason speculative execution vulnerabilities are attractive to malware authors is their near universal applicability. These vulnerabilities are not uniquely powerful, only uniquely widespread. These new variants have been released only five months after the original versions. Because that delay is short, the population of hosts patched against the original variants of Spectre/Meltdown but not against these new versions is likely to be small. As such, malware authors have little incentive to target these newer, harder-to-use variants of the vulnerability.
The Future of Speculative Execution
Speculative execution side-channel attacks are a relatively new area of research that have only recently received broad attention; there will almost certainly be more variants on this type of attack announced in the future. Regular patching applied broadly across your infrastructure will protect you against these variants, new variants as they are discovered, and the more serious vulnerabilities that put an attacker in a position where speculative execution attacks are something they have the opportunity to try.