If anyone thought that we’d gotten over the impact of Meltdown and Spectre, two vulnerabilities that affected the entire microprocessor industry, boy do they have more surprises on the way. While Meltdown is patched in all recent operating systems, and Spectre mitigations are in place for a lot of systems, there are still more attacks and vulnerabilities that haven’t yet been discovered. As if the universe decided to continue its trolling, a group of security researchers at Princeton University has just detailed a new way to exploit Meltdown and Spectre in multi-core processor architectures. It’s not clear if these exploits have been patched already through the earlier work by Intel, AMD, and other processor manufacturers to close these gaps, though the research team behind these new exploits believes that current mitigations can take care of these exploits at the same time.
Dubbed MeltdownPrime and SpectrePrime, these attacks rely on using the same basic exploits found in Meltdown and Spectre, but apply them into a multi-core environment. Meltdown’s exploit, to remind readers, is a way to get the processor to leak the contents of kernel memory owned by other software processes, while Spectre is a flaw in the out-of-order speculative execution architecture inherent in all processors made in the last 20-odd years, allowing you to submit code to a CPU core that looks like something it should be executing, but is instead used to learn something about the memory contents of a specific process outside of kernel memory. It’s a complicated and messy thing to explain, but you can follow this link for the whitepapers of you’re interested in the technical aspects of it.
What the Princeton group managed to achieve is a new attack that gets processor cores in a multi-core system to probe the contents of another cores’ cache. This gets around any existing security checks a processor might have for memory spaces that are already protected, but it does so much more than that. In the group’s introduction to their whitepaper, they describe what else they can do with these new tools:
The ability to model microarchitectural subtleties like cache coherence protocols, enabled us to synthesize new security exploits. For example, we synthesized Prime+Probe variants of Meltdown and Spectre, MeltdownPrime and SpectrePrime, which leverage the invalidation messages sent to shared cores on a write request (even if the write is speculative) in many cache coherence protocols. This attack demonstrates that by exploiting invalidation messages, it is possible to easily retrieve the same information from a Prime+Probe Meltdown/Spectre attack as a Flush+Reload Spectre/Meltdown attack. As a proof of concept, we implemented and ran SpectrePrime on a MacBook with a 2.4 GHz Intel Core i7 Processor running macOS Sierra, Version 10.12.6. Across 100 runs, SpectrePrime averaged about the same accuracy as Spectre when run on the same hardware—97.9% for Spectre and 99.95% for SpectrePrime.
Breaking this down into non-technical speak, the team can use this attack not just to divulge privileged information in the processor’s cache, but to also learn more about the inner workings of a processor’s cache structure, and find more vulnerabilities in this manner. Not only is the attack smarter about what it’s looking for, it is also more accurate.
However, they note that the Prime variants of Spectre and Meltdown target how caches are managed by the processor cores, and thus Intel would have to make a significant change in their hardware architecture to work against attacks like these in the future. Once again, consumers and businesses running networked systems will simply have to fork out more money to stay protected. AMD isn’t affected, just as before.