In 2018, industrial and academic researchers revealed a potentially devastating hardware flaw that left computers and other devices around the world vulnerable to attack.
Researchers named the vulnerability Spectre because the flaw was built into modern computer processors, which derive their speed from a technique called “speculative execution,” in which the processor predicts which instructions it might end up executing and prepares by following the predicted path to fetch those instructions from memory. A Spectre attack tricks the processor into executing instructions on the wrong path. Even if the processor recovers and performs its task properly, hackers can gain access to confidential data while the processor is heading in the wrong direction.
Since the discovery of Spectre, the world’s most talented computer scientists in industry and academia have worked on software patches and hardware defenses, believing they have been able to protect the most vulnerable points in the speculative execution process without slowing down computation speeds too much.
They will have to go back to the drawing board.
A team of computer scientists from the University of Virginia School of Engineering has discovered a line of attack that shatters all of Spectre’s defenses, meaning billions of computers and other devices across the world are just as vulnerable today as they were when Spectre was first announced. The team shared their discovery with international chipmakers in April and will present the new challenge at a global IT architecture conference in June.
The researchers, led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, have found a whole new way for hackers to exploit what is called a “micro-op cache,” which speeds up computing by storing simple commands and allowing the processor to retrieve them quickly and early in the speculative execution process. Micro-op caches are built into Intel computers manufactured since 2011.
The Venkat team discovered that hackers can steal data when a processor retrieves commands from the micro-op cache.
“Think of a hypothetical airport security scenario where the TSA lets you in without verifying your boarding pass because (1) it’s fast and efficient, and (2) you will still be verified for your boarding pass at the gate,” said Venkat. “A computer processor does something similar. It predicts that the check will succeed and could let instructions go into the pipeline. Ultimately, if the prediction is incorrect, it will reject those instructions from the pipeline, but it could be too late because these instructions could leave side effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password.”
Because all of the current Spectre defenses protect the processor at a later stage of speculative execution, they are useless in the face of further attacks from the Venkat team. Two variations of the attacks discovered by the team can steal information that Intel and AMD processors have accessed speculatively.
“Intel’s suggested defense against Spectre, which is called LFENCE, puts sensitive code in a hold until security checks are completed, and only then is the sensitive code allowed to run,” Venkat said. “But it turns out that the walls of this holding area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache using it as a secret channel.”
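For readers who want to see where such a fence sits in code, the C sketch below is an added illustration, not code from the researchers' paper or from Intel: it places an LFENCE barrier between a bounds check and the load it guards, next to the unfenced form. The table, function names and `SPECULATION_FENCE` macro are hypothetical; as the article explains, the micro-op cache attack leaks at an earlier stage than this kind of fence protects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LFENCE is an x86 instruction; elsewhere fall back to a compiler-only
 * barrier so the example still builds (assumption: GCC or Clang). */
#if defined(__SSE2__)
#include <emmintrin.h>
#define SPECULATION_FENCE() _mm_lfence()
#else
#define SPECULATION_FENCE() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed sample data standing in for a bounds-checked lookup table. */
static const uint8_t table[16] = {10, 11, 12, 13, 14, 15, 16, 17,
                                  18, 19, 20, 21, 22, 23, 24, 25};
static const size_t table_len = sizeof table / sizeof table[0];

/* Unfenced form: architecturally correct, but the processor may predict
 * that the check passes and start the load before idx is validated. */
int read_unfenced(size_t idx, uint8_t *out)
{
    if (idx < table_len) {
        *out = table[idx];
        return 0;
    }
    return -1;
}

/* Fenced form: the load is held behind LFENCE until the comparison has
 * actually resolved, which is the "holding area" in the quote above. */
int read_fenced(size_t idx, uint8_t *out)
{
    if (idx >= table_len)
        return -1;
    SPECULATION_FENCE();
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    int rc_ok = read_fenced(3, &v);            /* in range */
    int rc_bad = read_fenced(99, &v);          /* rejected, v untouched */
    printf("in-range rc=%d value=%u, out-of-range rc=%d\n",
           rc_ok, (unsigned)v, rc_bad);
    return 0;
}
```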
Venkat’s team includes three of his computer science graduate students, Ph.D. student Xida Ren, Ph.D. student Logan Moody, and master's recipient Matthew Jordan. The UVA team collaborated with Dean Tullsen, professor in the Department of Computer Science and Engineering at the University of California at San Diego, and his doctoral student Mohammadkazem Taram to reverse engineer some undocumented features in Intel and AMD processors.
They detailed the results in their paper: “I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches.”
This newly discovered vulnerability will be much more difficult to fix.
“In the case of previous Spectre attacks, developers have come up with a relatively simple way to prevent any sort of attack without major performance penalties,” Moody said. “The difference with this attack is that you take a much higher performance penalty than those previous attacks.”
“Patches that disable micro-op cache or interrupt speculative execution on legacy hardware would effectively reverse critical performance innovations in most modern Intel and AMD processors, and this is simply not feasible,” said Ren, the main student author.
“It’s really not clear how to fix this problem in a way that gives high performance to existing hardware, but we have to make it work,” Venkat said. “Securing the micro-op cache is an interesting line of research and one that we are considering.”
The Venkat team disclosed the vulnerability to product security teams from Intel and AMD. Ren and Moody gave a tech talk at Intel Labs around the world on April 27 to discuss the impact and potential fixes. Venkat expects IT people in academia and industry to work together quickly, as they did with Spectre, to find solutions.
The team’s paper has been accepted by the highly competitive International Symposium on Computing Architecture, or ISCA. ISCA’s annual conference is the premier forum for new ideas and research findings in computer architecture and will be held virtually in June.
Venkat also works closely with the Intel Labs processor architecture team on other microarchitectural innovations, through the National Science Foundation / Intel Partnership on Foundational Microarchitecture Research Program.
Venkat was well prepared to lead the UVA research team in this discovery. He has forged a long-standing partnership with Intel that began in 2012 when he did an internship with the company while a computer science student at the University of California, San Diego.
This research, like other projects led by Venkat, is funded by the National Science Foundation and the Defense Advanced Research Projects Agency.
Venkat is also one of the university researchers who co-authored a paper with UC San Diego collaborators Mohammadkazem Taram and Tullsen that introduces a more targeted microcode-based defense against Spectre. Context-sensitive fencing, as it is called, allows the processor to patch running code with speculation fences on the fly.
Showcasing one of the few more targeted microcode-based defenses developed to stop Spectre in its tracks, “Context-Sensitive Fencing: Securing Speculative Execution Through Firmware Customization” was published at the ACM International Conference on Architectural Support of Programming Languages and Operating Systems in April 2019. The paper was also selected as the first choice among all the IT Architecture, IT Security and VLSI Design conference papers published during the six-year period between 2014 and 2019.
The new Spectre variants discovered by Venkat’s team even break the context-sensitive fencing mechanism described in Venkat’s award-winning paper. But in this type of research, breaking your own defense is just another big victory. Each improvement in security allows researchers to dig even deeper into the hardware and discover more vulnerabilities, which is exactly what the Venkat research group did.