A function of Intel’s processors dealing with speculative execution has another vulnerability that affects all Intel-based computers including Apple’s Mac, researchers have revealed, with “Spoiler” potentially allowing an attacker the ability to view the layout of memory, and in turn potentially access sensitive data stored in those locations.
The speculative execution function of Intel’s processors, used to increase the performance of a CPU by predicting paths an instruction will go through before the branch is completed, is a useful function but one that has caused Intel issues in the past. A new report from security researchers from Worcester Polytechnic Institute and the University of Lubeck published on March 1 indicates there’s another issue that needs to be fixed.
Dubbed “Spoiler,” the technique is able to determine how virtual and physical memory is related to each other, by measuring the timing of speculative load and store operations performed by the processor, reports The Register. By spotting discrepancies in the timing, it is possible for an attacker to determine the memory layout, and in turn know areas to attack.
“The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available,” researcher Daniel Moghimi advised to the report. “Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks.”
Speculative execution typically works by using a memory order buffer to track its operations, by copying data from a CPU register to main memory in the order it appears in code. Data can then be copied from the main memory to a register out of order, which potentially speeds up the overall speed of the operation if the speculative elements are right.
If they are wrong, the speculative elements are discarded and a normal non-speculative load of data is performed, allowing the instruction to be carried out, but without the performance boost.
The paper advises the main issue with Spoiler is Intel’s performance of memory disambiguation, which tries to prevent computation on data loaded by an incorrect speculation attempt, with its timing behavior being the actual vulnerability.
By filling the store buffer with addresses using similar offsets but different virtual pages, then issuing a memory load with the same offset on a different memory page, the team measures the time of the load. After performing multiple loads across numerous virtual pages, the timing differences provide clues about the memory locations.
“There is no software mitigation that can completely erase this problem,” according to the researchers. While the chip architecture could be fixed, it would considerably cut into the chip’s performance.
Intel was advised about the vulnerability on December 1, 2018, and was disclosed to the public after a typical 90-day grace period. So far, Intel has not issued a CVE number for the problem, with Moghimi speculating the issue is not easily patchable with microcode in an efficient enough manner, and that a patch for the attack vector may take years to produce.
As it is an issue that affects all Intel Core processors from the first generation onwards to the most recent releases, regardless of operating system, it is almost certain that all Macs are susceptible to attacks that take advantage of the vulnerability. It is unclear if Apple has specifically responded to the issue due to it potentially affecting its macOS-running products.
The researchers note that ARM and AMD processor cores do not exhibit the same behavior, which means iPhones and iPads are safe from such attacks.
The speculative execution function was core to the Spectre vulnerabilities found in January 2018, which affected Intel processors as well as ARM-based versions, including both macOS and iOS devices, something which Apple quickly released mitigations to defend against. While similar in this regard, Spoiler functions quite differently from Spectre, and is a completely separate vulnerability.
“We expect that software can be protected against such issues by employing side channel safe development practices,” said Intel regarding Rowhammer-style attacks. “Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”