In 2018, industrial and academic researchers revealed a potentially devastating hardware flaw that made computers and other devices worldwide vulnerable to attack.
Researchers named the vulnerability Spectre because the flaw was built into modern processors that derive their speed from a technique called “speculative execution”, in which the processor predicts instructions that it may end up running and prepares by following the predicted path to retrieve the instructions from memory. A Spectre attack tricks the processor into executing instructions along the wrong path. Even if the processor recovers and completes the task correctly, hackers can gain access to confidential data while the processor is going the wrong way.
Since the discovery of Spectre, the world
They have to go back to the drawing board.
A team of University of Virginia School of Engineering computer scientists has uncovered a line of attack that breaks all Spectre defenses, meaning billions of computers and other devices around the world are as vulnerable today as they were when Spectre was announced. The team reported its discovery to international chip manufacturers in April and will present the new challenge at a worldwide computer architecture conference in June.
The researchers, led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, found a whole new way for hackers to exploit something called a “micro-op cache”, which speeds up computing by storing simple commands and allowing the processor to retrieve them quickly and early in the speculative execution process. Micro-op caches have been built into Intel machines manufactured since 2011.
Venkat’s team discovered that hackers can steal data when a processor retrieves commands from the micro-op cache.
“Think of a hypothetical security scenario at the airport where the TSA allows you to enter without checking your boarding pass because (1) it is fast and efficient, and (2) you will be checked for the boarding pass anyway,” Venkat said. “A computer processor does something similar. It predicts that the check will pass and can drop the instructions into the pipeline. Finally, if the prediction is incorrect, it will throw these instructions out of the pipeline, but this may be too late because these instructions could leave side effects while they waited in line that an attacker could later use to extract secrets such as a password.”
Because all current Spectre defenses protect the processor at a later stage of speculative execution, they are useless in the face of the Venkat team’s new attacks. Two variants of the attacks the team discovered could steal speculatively accessed information from Intel and AMD processors.
“Intel’s proposed defense against Spectre, called LFENCE, places sensitive code in a waiting area until security checks are performed, and only then is the sensitive code allowed to execute,” Venkat said. “But it turns out that the walls in this waiting area have ears that our attacker exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a hidden channel.”
Venkat’s team includes three of his computer science doctoral students, Ph.D. student Xida Ren, Ph.D. student Logan Moody and master’s degree recipient Matthew Jordan. The UVA team collaborated with Dean Tullsen, professor at the Department of Informatics and Engineering at the University of California, San Diego, and his Ph.D. student Mohammadkazem Taram to reverse-engineer certain undocumented features in Intel and AMD processors.
They have detailed the findings in their paper: “I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches.”
This newly discovered vulnerability will be much more difficult to fix.
“In the case of the previous Spectre attacks, developers have come up with a relatively simple way to prevent any kind of attack without a major performance penalty” for computing, Moody said. “The difference with this attack is that you take a much larger performance penalty than the previous attacks.”
“Updates that disable the micro-op cache or stop speculative performance on older hardware will effectively reduce critical performance innovations in most modern Intel and AMD processors, and this is simply not possible,” said Ren, lead student author.
“It is very unclear how to solve this problem in a way that gives high performance to older hardware, but we have to make it work,” Venkat said. “Securing micro-op cache is an interesting line of research that we are considering.”
Venkat’s team has disclosed the vulnerability to the product security teams at Intel and AMD. Ren and Moody gave a technical talk at Intel Labs worldwide on April 27 to discuss the impact and potential solutions. Venkat expects computer scientists in academia and industry to work quickly together, as they did with Spectre, to find solutions.
The team’s paper has been accepted by the highly competitive International Symposium on Computer Architecture, or ISCA. The annual ISCA conference is the leading forum for new ideas and research results in computer architecture and will be held virtually in June.
Venkat also works closely with the Processor Architecture Team at Intel Labs on other microarchitectural innovations, through the National Science Foundation / Intel Partnership on Foundational Microarchitecture Research Program.
Venkat was well prepared to lead the UVA research team into this discovery. He has built a long-running partnership with Intel that began in 2012 when he interned with the company while studying computer science at the University of California, San Diego.
This research, like other projects Venkat has led, is funded by the National Science Foundation and the Defense Advanced Research Projects Agency.
Venkat is also one of the university researchers who co-authored a paper with collaborators Mohammadkazem Taram and Tullsen of UC San Diego that introduces a more targeted microcode-based defense against Spectre. Context-sensitive fencing, as it is called, allows the processor to patch running code with speculation fences on the fly.
The paper introducing this defense, one of only a handful of more targeted microcode-based defenses designed to stop Spectre in its tracks, “Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization”, was published at the ACM International Conference on Architectural Support for Programming Languages and Operating Systems in April 2019. The paper was also chosen as a top pick among all computer architecture, computer security and VLSI conference papers published in the six-year period between 2014 and 2019.
The new Spectre variants Venkat’s team discovered even break the context-sensitive fencing mechanism described in Venkat’s award-winning paper. But in this type of research, breaking your own defense is just another big win. Each security improvement allows researchers to dig even deeper into the hardware and uncover more flaws, which is exactly what Venkat’s research team did.