Researchers at the universities of Virginia and California in the United States have devised new Spectre-style hardware attacks that make it possible to steal data when processors fetch commands from their micro-ops caches.
The new vulnerability affects billions of computers and other devices worldwide, and the researchers say it will be much harder to fix than the speculative execution flaws discovered over the last few years.
In their paper, "I see dead µops: leaking secrets via Intel/AMD micro-op caches", the researchers present three attacks that break defences against the previously discovered "Spectre" hardware flaws in processors' speculative execution mechanisms.
Intel and AMD x86 architecture processors break down complex instructions into small commands for better performance, and store them in micro-ops caches, introduced in 2011, to be fetched early on in the speculative execution process.
Speculative execution is a technique Intel and AMD processors use to predict which instructions will be executed and prepare a specific path to fetch commands from memory.
Spectre attacks subvert the speculative execution process, allowing hackers to access sensitive data while instructions are being executed along the wrong path.
Since speculative execution is a hardware feature, the vulnerability has been challenging to fix without switching it off completely and incurring a large hit in processor performance.
Professor Ashish Venkat, who led the team of researchers on the new micro-ops cache attacks, said it is unclear how the new vulnerability can be mitigated.
Venkat said Intel's suggested LFENCE defence against Spectre attacks places sensitive code in a waiting area until security checks on it are run.
Only after the security checks are completed can the code execute.
However, Venkat's team found that because the anti-Spectre measures all take place late in the speculative execution process, they are useless against the new early-stage micro-ops cache attacks.
The new attacks even break an earlier context-sensitive fencing mechanism that Venkat outlined as a defence against Spectre.
Intel and AMD have been notified of the new micro-ops vulnerability, but fixing it will be hard, the researchers note.
“Patches that disable the micro-op cache or halt speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn’t feasible,” said the paper's lead PhD student author Xida Ren.