New Spectre Variants Discovered By Exploiting Micro-op Caches

Written by Michael Larabel in Linux Security on 1 May 2021 at 06:13 AM EDT. 39 Comments
LINUX SECURITY
University of Virginia and University of California San Diego researchers have discovered multiple new variants of Spectre attacks that are not protected by existing Spectre mitigations and could yield both Intel and AMD CPUs leaking data via micro-op caches.

This week the Virginia and California academic researchers went public with their discoveries on exploiting the micro-op cache of modern Intel and AMD processors for beating existing Spectre defenses. Both Intel and AMD were informed in advance of these two variants (or their whitepaper lays it out as three) that allow speculatively stealing information from the system.

The researchers believe this new attack by way of the micro-op cache will be harder to mitigate. Needless to say, at this point there is no kernel patches or microcode updates to pass along. The researchers also believe that any mitigation will come with "much greater performance penalty" than what was found by previous attacks. Among the potential mitigations would involve flushing the micro-op cache at domain crossings and/or privilege level-based partitioning of the caches.
This paper describes three attacks – (1) a same thread cross-domain attack that leaks secrets across the user-kernel boundary, (2) a cross-SMT thread attack that transmits secrets across two SMT threads via the micro-op cache, and (3) transient execution attacks that have the ability to leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution, breaking several existing invisible speculation and fencing-based solutions that mitigate Spectre.

The researchers will be presenting at ISCA next month on their findings while there is the whitepaper for those interested in the research. Stay tuned!

Update (3 May 2021): Intel has provided us with the following statement on the matter, "Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already have protections against incidental channels, including the uop cache incidental channel. No new mitigations or guidance are needed."
39 Comments
Related News
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.10 To Merge NTSYNC Driver For Emulating Windows NT Synchronization Primitives
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora 41 Looks To "-O3" Optimizations For Its Python Build
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
APT 2.9 Released: Debian's APT 3.0 To Have A New UI With Colors, Columnar Display & More
Ubuntu 24.04 Beta Now Available For Testing
Proposed "LibGodot" Lets You Embed Godot Game Engine Into Other Apps