A group of researchers from Worcester Polytechnic Institute (USA) and the University of Lübeck (Germany) revealed the details of the new attack "SPOILER" to the mechanism of speculative operations in processors.
El ataque it is specific to Intel processors and does not manifest itself on AMD and ARM CPUs. The proposed attack technique allows to determine the reflection of virtual addresses in physical memory, which allows to significantly increase the effectiveness of performing known low-level attacks that manipulate the layout of the pages in physical memory.
What is SPOILER?
How to Live Aligned with the write buffer can affect the data loaded in the read buffer (for example, when an incomplete write operation may affect speculative read data), before committing the read operation, the dependency on the previous write operations is analyzed.
In the case of intersections, the speculative read operation it is discarded and the contents of the buffer cell are updated with the relevant data.
The problem is that it is possible to fully evaluate the dependency of the write operation only after receiving information about the complete physical address, so only partial verification based on incomplete address information is performed at read-ahead time.
Such manipulation causes a delay in the event of a physical address access conflict, the appearance of which can be traced.
Using the rdtscp and mfence instructions, you can ensure that the write buffer is full of addresses with the same offset, but on different virtual memory pages.
Also, when analyzing delays in accessing memory areas with the same offsets but on different memory pages, An attacker can detect dependency determination flaws in the ordered memory access buffer and determine the layout of the physical memory pages.
SPOILER also benefits other attacks
According to investigators, SPOILER technique allows the Prime + Probe attack to speed up an attack to determine memory content by analyzing the state of the processor cache 4096 times.
The method is also applicable to determine the memory pages allocated one after another, which allows to increase effectiveness from the RowHammer attack, used to selectively change the memory content of other processes, to 100%.
This includes the ability to implement such attacks from virtual machinesEg using JavaScript code that runs in the browser, despite measures previously taken in browsers to limit the accuracy of the timer.
The protection measures developed for Specter do not block the SPOILER attack. Specter class attacks manipulate the speculative execution of individual instructions, the results of which are discarded by the processor after determining a failed prediction, but the execution traces are deposited in the common cache.
The technique SPOILER involves the mechanism of preloading the contents of memory in the registers of the processor.
To interact with the memory in the processor, the buffer is a Memory Order Buffer (MOB), which implements two cyclic buffers, one to write data from registers to memory and the other to read from memory to memory. the registers.
The write buffer is always parsed in the order of the instructions, and the read buffer allows proactive loading of data into the cache, without waiting for sync with the write buffer and only partially checking for dependency.
The problem has been apparent since the first generation of Intel Core processors.
AMD and ARM processors use different logic to process memory orderly access buffer, so they are not affected by the problem.
Intel was notified of the vulnerability 3 months ago, but no fixes have yet been proposed.
Source: arxiv.org
You have to observe the development of the news these days ... at some point I mentioned it in a forum, the unbridled desire of the industry to produce hardware (includes peripherals and household appliances, for example, 5K TV's are already being made when most of the content production industry barely reaches HD and 4K is very little) to meet non-existent needs just to fill your pockets, it is generating many design errors. They are marketing many products like crazy. The case of Specter and Meltdown is only the tip of the mountain, there must be many more problems in the architecture that we do not even know, and make cool with the fingers that others out there have not discovered them yet. And these are the involuntary ones, we will have to see the facts on purpose, Intel must also have theirs well covered to get into our lives
Amen to the comment above.
For me it is on purpose, the level of design and intellectual level necessary to develop the architectures of the microprocessors, indicates to me that they cannot be improvised engineers ... on the contrary ... for my gentlemen, they are not design errors, rather design characteristics .
It cannot be explained because only Intel is affected in its vast majority and the other companies are not ... except, of course, that these other companies are even more intelligent and have less obvious mechanisms of espionage.
The human being is like this, this shows us how the vast majority of the human being really is.