In the past few weeks, the entire information security industry has grown very anxious about Meltdown and Spectre, two classes of exploits that can be used to manipulate vulnerabilities in the way many varieties of modern processors (but especially Intel ones) handle a performance-improving technique called speculative execution and extract hidden system data.
While numerous platforms have rushed to roll out patches, and Meltdown appears to be less of an issue than Spectre, it’s still unclear just how badly this situation could go.
Unfortunately, researchers are already coming up with ways to exploit the vulnerabilities that go beyond the proof-of-concept stage. A new paper from Princeton University and Nvidia researchers titled “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” has worked out yet more complex methods to use the vulnerabilities to extract some of the most sensitive user information on a system. In short, they trick multi-core systems into leaking data stored across more than one processor memory cache:
The MeltdownPrime and SpectrePrime variants are based on cache invalidation protocols and utilize timing attack techniques known as Prime+Probe and Flush+Reload, which provide insight into how the victim is using cache memory.
“In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information,” the paper explained. “By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel.”
The new attacks differ from the proof-of-concept methods revealed in the original research on Meltdown and Spectre, the researchers wrote, because while those methods simply pollute the cache during speculation, the newer attacks are “caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol.” Compromised information might include things like passwords, which attackers could potentially use to seize control of the targeted system.
There’s good news, namely that MeltdownPrime and SpectrePrime are likely resolved by the same patches that developers are releasing to resolve the original bugs. But the researchers also noted that hardware designers will need to design around the newly discovered attack methods.
Though Intel’s stock has recovered following the fiasco, numerous commentators called out the company as well as Apple and AMD for a lack of transparency regarding how vulnerable their processors remain and the rumored performance hits that may have resulted from patches. Though the impact on most uses of consumer-grade hardware appeared to be minimal, enterprise systems like servers may have taken a massive performance hit. Additionally, Linux systems may experience significant overhead as a result of patches that require extensive reworks of the way affected processors handle data. Intel has expanded its bug bounty program to offer hundreds of thousands to researchers who discover further flaws related to the exploits.