New variants of Meltdown and Spectre cause information leaks

Developers insist that existing defenses will be enough to contain attacks, but experts disagree

Information security and digital forensic investigators have discovered a new set of transient execution attacks on modern CPUs that allow a local attacker to gain access to the system’s privileged data, confirming predictions made when the cybersecurity community revealed the Spectre and Meltdown vulnerabilities at the beginning of the year.

In short, these security failures can be exploited by malicious users and potentially remove passwords, encryption keys, and other sensitive information. To date, there is no knowledge of any software that exploits these vulnerabilities in the wild, however, this have been a wake-up call for the semiconductor industry, a situation that forced manufacturers to make new designs of silicon and tool chain changes.

Digital forensics investigators described seven new transient execution attacks, consisting of two new variants of Meltdown (Meltdown-PK on Intel and Meltdown-BR on Intel and AMD) and five new Spectre branches for previously described flaws known as Specter-PHT and Specter-BTB. The researchers say they have already informed the companies involved.

When Spectre gains access to transient data, Meltdown prevents isolation between applications and the operating system when evaluating out-of-order transients after a CPU exception to read kernel memory.

Previously, five variants of Meltdown were publicly disclosed: Meltdown-US (Meltdown), Meltdown-P (Foreshadow), Meltdown-GP (Variant 3a), Meltdown-NM (Lazy FP) and Meltdown-RW (variant 1.2).

The digital forensics investigators propose two more: Meltdown-PK and Meltdown-BR.

The Meltdown-PK attack can override a defense on the Intel Skylake-SP server chips called memory protection keys for user space (PKU), allowing processes to modify the access permissions of a memory page from the user space, without a syscall/hypercall.

For its part, Meltdown-BR provides a way to bypass linked checks, which generate exceptions when an out-of-bound value is encountered. It exploits the transient execution after such an exception to capture information outside of the limits that would otherwise not be accessible, the experts in digital forensics report.

Researchers demonstrated the attack on an Intel Skylake i5-6200U CPU with MPX support, an AMD 2013 E2-2000 and an AMD 2017 Ryzen Threadripper 1920X. They point out that this is the first time that a Meltdown-style transient execution attack can take advantage of exception handling delays in AMD hardware.

As for the new approaches to confuse the predictor of the branch in the attacks Specter-PHT and Specter-BTB, the researchers carried out the vulnerability proof of concept on Intel Skylake i5-6200U and Haswell i7-4790, in AMD Ryzen 1950X and Ryzen Threadripper 1920X, and on an Arm-based NVIDIA Jetson TX1.

Researchers say that all vendors have processors that are vulnerable to these attack variants. CVEs for these security flaws have not yet been assigned.

In a statement, an Intel spokesperson dismissed the possible risks. “The vulnerabilities documented in this research can be fully addressed by applying the existing mitigation techniques for Spectre and Meltdown, including those documented earlier in this document and elsewhere by other manufacturers of Chips”, the spokesperson mentions.

An ARM spokesman said: “The recent vulnerabilities of Spectre and Meltdown identified by a group of researchers can be addressed by applying existing mitigations”.

For its part, AMD has not issued any statement regarding the investigation.