Spectre Security Vulnerability
What is Spectre security vulnerability?
Spectre is a security vulnerability that affects all modern processors that use mechanisms such as branch prediction and speculative action.
Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side-channel to the adversary. This also exposes otherwise protected memory space, allowing the malicious agent to access the data, or even modify it. It was discovered at the same time as Meltdown Vulnerability.
What are Branch Prediction and Speculative Action mechanisms?
- Branch Prediction: The branch prediction technique allows the processor to speed up the execution in a pipelined processor by converting instructions into predicate logic. Hence, only those instructions are executed whose predicate is true. This allows the CPU to avoid checking every single branch for execution.
- Speculative Execution: Speculative Execution, along with branch prediction, is a component of out-of-order execution that is used for speeding up execution in pipeline-based microprocessors. We learned from the previous definition that branch prediction is used to determine which instruction will execute in case of a conditional jump. Speculative action goes one step further. It determines what the result would be from executing the next instruction(s). If the branch prediction was correct, the result is used, otherwise, it is discarded.
How does Spectre Vulnerability work?
There are two ways in which Spectre Vulnerability works:
1. Local exploitation:
In this case, the malicious agent lies in the computer itself. The following are the steps that occur:
- It manipulates the process to execute an instruction that would never have been executed normally
- When the CPU evaluates the executed instruction, it throws away the computation.
- However, the expanded size of the cache isn’t restored.
- By simply looking up into the cache, the contents which were there, and their actual memory location can be deduced, thus exposing them to the malicious program
2. Remote Exploitation:
- The branch predictor would then be mistrained by iterating over a very large dataset using bitwise operations for setting the index to in-range values, and then using an out-of-bounds address for the final iteration.
- By iterating over a large dataset by using bitwise operations to set in-range values, and using out of bounds addresses for the final iteration, the branch predictor can be mistrained
- Timed-reads enable the script to read the location
What mitigation steps are being taken?
The discovery of this security issue leads to many prevention and mitigation measures to be developed. Different processor and software vendors addressed the issue differently in the following ways:
- In March 2018, Intel developed hardware fixes for Spectre. The vulnerabilities were mitigated by a new partitioning system that improves the process and privilege-level separation.
- Microsoft acted by isolating Kernel and user page tables. It has also designed new CPU instructions (Windows compatible) which eliminate branch speculation.
- Chrome 64 includes mitigation against the attack by default. Chrome 63 users can manually mitigate the attack by enabling the Site Isolation feature (chrome://flags#enable-site-per-process)
- Google created a new technique called ‘Retpoline’ that involves compiler-level steering of indirect branches towards a different target that does not result in a vulnerable speculative out-of-order execution taking place.
It is, however, to be noted that the introduction of software patches has led to significant performance issues, especially on old computers. Also, unwanted reboots have been reported even for newer Intel chips.