Spectre relies on a generalised idea of memory management rather than targeting one specific feature of the processor.
CVE-2017-5753 (Spectre-V1, bounds check bypass) and CVE-2017-5715 (Spectre-V2, branch target injection) are two commonly known vulnerabilities and exposure IDs related to Spectre (Liu et al., 2015).
CVE-2017-5753 (bounds check bypass, Spectre-V1):
This attack works by allowing malicious code to get around the bounds checks built into most binaries. Even when the bounds check fails, the CPU goes on to execute instructions that give access to memory which is not normally available to the code (Godbolt, 2016).
When the CPU recognizes that the bounds check failed, it discards any work that was done speculatively, but some changes to the system can still be observed. The malicious code can detect these changes and, as a result, read the accessed information (Liu et al., 2015).
The major problem with Variant 1 is that it becomes difficult to restrict access to any untrusted links within any process in a system.
This variant also has implications in the kernel for systems that accept packet filters from user-space code (Berkeley Packet Filter, eBPF). A JIT (just-in-time) compiler compiles and runs the packet filter code in the kernel (Godbolt, 2016). The kernel also limits the packet filter's memory accesses with bounds checking, but Variant 1 still circumvents these limits by allowing the attacker to use speculation.
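The bounds-check pattern that Variant 1 abuses, next to a hardened form that clamps the index with a branchless mask, as an added example that is not part of the original essay. The table contents, the function names and the index-masking technique itself are assumptions of this example; the essay does not discuss masking.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16UL

/* Constructed sample data: a public table with unrelated data right after it. */
static struct {
    uint8_t table[TABLE_LEN];
    uint8_t secret[8];
} mem = { {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, "S3CRET!" };

/* Bounds-checked read as the essay describes it: architecturally safe, but
 * while the branch is still unresolved the CPU may perform the load with an
 * out-of-range idx and leave observable traces behind. */
uint8_t read_checked(unsigned long idx)
{
    if (idx < TABLE_LEN)
        return mem.table[idx];
    return 0;
}

/* Hypothetical helper: all-ones if idx < len, zero otherwise, computed with
 * no branch to mispredict. Assumes len <= LONG_MAX and an arithmetic right
 * shift of negative values (true for gcc and clang). */
static unsigned long index_mask(unsigned long idx, unsigned long len)
{
    long in_range = ~(long)(idx | (len - 1UL - idx));
    return (unsigned long)(in_range >> (sizeof(long) * CHAR_BIT - 1));
}

/* Hardened read: the load address depends on the mask, so even on a
 * mis-speculated path an out-of-range idx is forced to 0 before the load. */
uint8_t read_hardened(unsigned long idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return mem.table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in range: %u, out of range: %u\n",
           (unsigned)read_hardened(5), (unsigned)read_hardened(16));
    return 0;
}
```

An optimizing compiler may turn the mask back into a branch, which is why production code usually pins this step down with inline assembly or a compiler-provided speculation barrier.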
CVE-2017-5715 (branch target injection, Spectre-V2):
This attack variant exploits the ability of one process to influence the execution behaviour of code that runs in a different security context on the same CPU core of a system.
Modern processors can predict the target of indirect calls that a program makes and start speculatively executing code at that target location.
The prediction is driven by certain tables which are shared among the processes running on a CPU. Because of this, one process can corrupt and influence the predictions made for a different process or for kernel code running on the same physical core. This also lets the attacker speculatively execute chosen code in a different process, in the kernel or in the hypervisor (Gruss et al., 2016). The attacker can then use techniques like those of Variant 1 to potentially access and read data from the other protection domain. Even though this variant is difficult to use, its ability to cross arbitrary protection domains makes it potentially very dangerous.
2.2. How to mitigate Spectre Vulnerability?
A wide range of computer architectures is affected by Spectre, so there cannot be a single patch to fix the problem. A lot of research is under way in different parts of the world to study the problem and find a solution, and many have found that it is not an easy fix. Even though many computer manufacturers using Intel chips, like Dell Computers, are saying that these vulnerabilities will not actually be exploited in practice, the problem needs to be fixed (Intel Software, 2016). Several published procedures help protect home PCs and other devices from this vulnerability, but some of the released patches are reported to slow down performance very significantly. This is especially true of older computers.
Intel reported that the new partitioning system helps mitigate the problem and improves process and privilege-level separation. Using processors with a selective translation lookaside buffer (TLB) flushing feature can reduce the cost of mitigating this problem to an extent. This feature is called process-context identifier (PCID) in the Intel 64 architecture and address space number (ASN) in the Alpha architecture. Selective flushing enables TLB behaviour that can isolate the vulnerability and also saves cost, as the entire TLB is not flushed (Intel Software, 2016).
At the start of this year, a new technique called “Retpoline” was described by Google’s Project Zero team in their security blog. This technique uses binary modification to protect against ‘branch target injection’ attacks. It can also help save a significant amount of processor overhead (Kocher et al., 2018). It uses compiler-level steering to avoid the occurrence of vulnerable speculative, out-of-order execution. Even though it was primarily developed for the x86 instruction set, the project engineers at Google are confident that the technique can be applied to other processors as well.
In addition to this, the Google Project Zero team has also put into action Kernel Page Table Isolation (KPTI), a common technique that can be used to better protect data held by other software that runs on a machine. This is applicable to almost the whole fleet of Google Linux production servers that carry all Google products such as Gmail, Search, Google Cloud Platform and YouTube (Kocher et al., 2018).