Intel’s SGX blown wide open by, you guessed it, a speculative execution attack

Foreshadow explained in a video.[/url]
Another day, another speculative execution-based attack. Data protected by Intel’s SGX—data that’s meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks en…

Foreshadow explained in a video.[/url]

Another day, another speculative execution-based attack. Data protected by Intel's SGX—data that's meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.

Since publication of the Spectre and Meltdown attacks in January this year, security researchers have been taking a close look at speculative execution and the implications it has for security. All high-speed processors today perform speculative execution: they assume certain things (a register will contain a particular value, a branch will go a particular way) and perform calculations on the basis of those assumptions. It's an important design feature of these chips that's essential to their performance, and it has been for 20 years.

Read 22 remaining paragraphs | Comments

New Spectre attack enables secrets to be leaked over a network

Enlarge (credit: Pete)

When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system. This made browsers vulnerable, as suitably crafted…

Enlarge (credit: Pete)

When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system. This made browsers vulnerable, as suitably crafted JavaScript could be used to perform Spectre attacks. Cloud hosts were susceptible, too. But outside these situations, the impact seemed relatively limited.

That impact is now a little larger. Researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.

All the variants of the Spectre attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.

Read 11 remaining paragraphs | Comments

New Spectre-like attack uses speculative execution to overflow buffers

Enlarge (credit: Aurich Lawson / Getty Images)

When the Spectre and Meltdown attacks were disclosed earlier this year, the expectation was that these attacks would be the first of many, as researchers took a closer look at the way that the speculat…

Enlarge (credit: Aurich Lawson / Getty Images)

When the Spectre and Meltdown attacks were disclosed earlier this year, the expectation was that these attacks would be the first of many, as researchers took a closer look at the way that the speculative execution in modern processors could be used to leak sensitive information and undermine the security of software running on those processors. In May, we saw the speculative store bypass, and today we have a new variant on this theme: speculative buffer overflows, discovered by Vladimir Kiriansky at MIT and independent researcher Carl Waldspurger.

All the attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.

If the processor guesses wrong, it will ignore the guessed-at value and perform the load again, this time with the correct address. The architecturally defined behavior is thus preserved. But that faulty guess will disturb other parts of the processor—in particular the contents of the cache. These microarchitectural disturbances can be detected and measured, allowing a malicious program to make inferences about the values stored in memory.

Read 12 remaining paragraphs | Comments

New speculative-execution vulnerability strikes AMD, ARM, and Intel

Intel Skylake die shot. (credit: Intel)
A new attack that uses processors’ speculative-execution capabilities to leak data, named Speculative Store Bypass (SSB), has been published after being independently discovered by Microsoft’s Security Respons…

Intel Skylake die shot. (credit: Intel)

A new attack that uses processors' speculative-execution capabilities to leak data, named Speculative Store Bypass (SSB), has been published after being independently discovered by Microsoft's Security Response Center and Google Project Zero. Processors from Intel and AMD, along with some of those using ARM's designs, are all affected.

Since the Meltdown and Spectre flaws were announced earlier this year, the speculative and predictive capabilities of modern microprocessors have been closely examined, revealing several new attacks.

All the attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.

Read 8 remaining paragraphs | Comments