[The Exiled]

Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

Citiraj:

Dubbed Spoiler, the newfound security vulnerability was discovered by the Worcester Polytechnic Institute in partnership with the University of Lübeck, and affects all Intel CPUs since the introduction of their Core architecture. The researchers also examined ARM and AMD processor cores, but found they did not exhibit similar behavior. This vulnerability too affects Intel's speculative execution design, and according to the researchers, works independent of OS, virtual machine, or sandboxed environments. As the researchers explain, Intel's speculative execution of certain memory workloads requires the full physical address bits for the information in memory to be known, which could allow for the full address to be available in user space - allowing for privilege escalation and other microarchitectural attacks. According to the researchers, a software solution to this problem is impossible, which means this is yet another silicon-level bug that needs to be addressed in future processor designs.

The issue is separate from the Spectre vulnerabilities, and is not addressed by existing mitigations. It can be exploited from user space without elevated privileges. Spoiler describes a technique for discerning the relationship between virtual and physical memory by measuring the timing of speculative load and store operations, and looking for discrepancies that reveal memory layout. Modern processors manage reading and writing to RAM using a memory order buffer to keep track of operations. The buffer is used to perform store instructions – copying data from a CPU register to main memory – in the order they are laid out in executable code, and perform load operations – copying data from main memory to a register – out-of-order, speculatively. It allows the processor to run ahead and speculatively fetch information from RAM into the registers, provided there are no dependency problems, such as a load relying on an earlier store that hasn't yet completed.

Spoiler will make existing Rowhammer (1 - 2) and cache attacks easier, and make JavaScript-enabled attacks more feasible – instead of taking weeks, Rowhammer could take just seconds. Moghimi said the paper describes a JavaScript-based cache prime+probe technique that can be triggered with a click to leak private data and cryptographic keys not protected from cache timing attacks.

Izvor: The Register i TechPowerUp