New 'Spoiler' speculative execution security flaw claimed in Intel Core CPUs
AMD and ARM architectures unaffected by new Spectre-like CPU security flaws
A new research paper [PDF] has claimed that Intel's first-generation Core processors are susceptible to cyber attacks exploiting flaws in their speculative execution capabilities.
While similar to the Spectre security flaws publicised in January 2018, the so-called Spoiler flaw works very differently, claim the team of researchers from Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in Germany.
Speculative execution is a performance-enhancing CPU feature whereby the CPU performs anticipated functions before they are called. The aim is to mitigate memory bottlenecks.
"Spoiler is not a Spectre attack. The root cause for Spoiler is a weakness in the address speculation of Intel's proprietary implementation of the memory subsystem which directly leaks timing behaviour due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler."
The researchers claim that the flaw involves "a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes".
They add: "The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the first generation of Intel Core processors, independent of the operating system, and also works from within virtual machines and sandboxed environments."
"To exploit the leakage, we used the speculative load behaviour after jamming the store buffer. SPOILER can be executed from user space and requires no special privileges. While speculative execution enables both SPOILER and Spectre and Meltdown, our newly found leakage stems from a completely different hardware unit, the Memory Order Buffer.
"We exploited the leakage to reveal information on the eight least significant bits of the physical page number, which are critical for many microarchitectural attacks such as Rowhammer and cache attacks. We analysed the causes of the discovered leakage in detail and showed how to exploit it to extract physical address information," the researchers write in their conclusion.
"Broadly put, the leakage described in this paper will enable attackers to perform existing attacks more efficiently, or to devise new attacks using the novel knowledge."
Intel, for its part, has suggested that software patches ought to be able to mitigate the risks highlighted by the researchers, who informed Intel of the security flaw on 1 December 2018.
However, researcher Ahmad Moghimi indicated in an interview with The Register that Intel's response was somewhat glib.
"My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with microcode without losing tremendous performance. So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."
However, to take advantage of the security flaw, an attacker would first need to compromise a user's PC in some way, for example with malware or via malicious JavaScript code running on a website.