
Spectre 1.1 and 1.2 Vulnerabilities Disclosed

by Sergio De Simone on Jul 15, 2018

Two new vulnerabilities exploiting flaws in CPUs' speculative execution have recently been disclosed. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre (Spectre-v1) vulnerability and leverage speculative stores to create speculative buffer overflows that can bypass existing Spectre-v1 mitigations.

According to the paper produced by Vladimir Kiriansky and Carl Waldspurger:

The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution. Unfortunately, this enables both local and remote attacks, even when Spectre1.0 gadgets are not present. It also allows attackers to bypass recommended software mitigations for previous speculative-execution attacks.

According to the security researchers who disclosed the new vulnerabilities, the following code fragment is a proof-of-concept gadget for Spectre 1.1:

if (y < lenc)      /* bounds check the CPU may speculatively run past */
    c[y] = z;      /* store executed transiently before the check resolves */

The problem with the code above is that, during speculative execution, the CPU may predict the bounds check as passing and issue the store before the check actually resolves, so an attacker who controls y can transiently overwrite memory at an arbitrary out-of-bounds address. This mechanism makes it possible to temporarily overwrite data used by a subsequent Spectre-v1 attack.

Spectre 1.2 instead exploits lazy enforcement of user/supervisor protection checks for page-table entries (PTEs). As a result, a speculative data attack can overwrite read-only data, which includes code pointers, vtables, and control-flow mitigation metadata.

The researchers described both software and hardware mitigations. These include speculation fences, which stop speculative execution altogether at the fence; index masking, which clamps an index value with a mask before it is used, so that a subsequent access to that position in the array is very unlikely to reach out-of-bounds memory; and others. The researchers also pointed out that software defenses against the new attacks end up being the same as the techniques used to prevent classical buffer overflows:

A good first step toward preventing them would be to strengthen existing checks against stack overflows, heap overflows, integer overflows, etc.
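The two software mitigations described above, shown as an added example that is not the paper's or the article's own code: the article's gadget beside a fenced version and an index-masked version. The masking formula is the one the Linux kernel uses in its generic array_index_mask_nospec(); everything else (the function names store_unmitigated, store_with_fence, store_with_mask, array_index_mask and masked_index, the 16-byte sample buffer, and the assumption of gcc or clang on x86-64 or AArch64 with an arithmetic right shift on signed integers) is mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample buffer standing in for the c / lenc of the article's gadget. */
#define BUF_LEN 16
static unsigned char c[BUF_LEN];
static const size_t lenc = BUF_LEN;

/* The gadget as shown in the article: the store may execute transiently
   before the bounds check resolves, so on a mispredicted branch y can index
   past the end of c during speculation. */
int store_unmitigated(size_t y, unsigned char z)
{
    if (y < lenc) {
        c[y] = z;
        return 1;
    }
    return 0;
}

/* Mitigation 1: speculation fence. The fence serialises instruction issue
   until the branch has resolved, so the store never runs on a mispredicted
   path. lfence on x86; DSB SY + ISB is Arm's documented equivalent. On any
   other architecture (assumption: unsupported here) the fallback is only a
   compiler barrier and gives no hardware protection. */
static inline void speculation_fence(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

int store_with_fence(size_t y, unsigned char z)
{
    if (y < lenc) {
        speculation_fence();
        c[y] = z;
        return 1;
    }
    return 0;
}

/* Mitigation 2: branchless index masking, same formula as the Linux kernel's
   generic array_index_mask_nospec(). Returns all-ones when idx < size and
   zero otherwise, with no branch the predictor could skip. */
static inline size_t array_index_mask(size_t idx, size_t size)
{
    /* size - 1 - idx wraps to a value with the top bit set exactly when
       idx >= size; OR-ing with idx keeps that bit, inverting flips it, and an
       arithmetic right shift smears the sign bit into a full-width mask. */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* Clamp y into [0, size) without a branch. A mispredicted y >= size becomes 0,
   which is still inside the buffer. The empty asm stops the compiler from
   proving the mask redundant inside the guarded branch and deleting it. */
size_t masked_index(size_t y, size_t size)
{
    size_t mask = array_index_mask(y, size);
    __asm__("" : "+r"(mask));
    return y & mask;
}

int store_with_mask(size_t y, unsigned char z)
{
    if (y < lenc) {
        c[masked_index(y, lenc)] = z;
        return 1;
    }
    return 0;
}

/* Accessor so callers can inspect the buffer after a store. */
unsigned char read_c(size_t i) { return c[i]; }

int main(void)
{
    store_with_mask(3, 0x41);
    printf("c[3] = 0x%02x, masked_index(100) = %zu\n", read_c(3), masked_index(100, lenc));
    return 0;
}
```

Architecturally both versions behave identically to the original gadget; the difference is only what the CPU can do transiently. The fence costs a pipeline drain on every guarded store, while the mask is a few ALU instructions and is why the kernel prefers array_index_nospec() on hot paths.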

Although Kiriansky and Waldspurger reported the two new Spectre variants to Intel, ARM, AMD, Google, IBM, and Microsoft, no patches are yet available.
