While the chaotic Spectre vulnerability keeps coming back, another vulnerability has now come up to trouble users. Termed SplitSpectre, the recently discovered vulnerability could allow an attacker to mount speculative execution attacks.
SplitSpectre – Another Spectre Variant Discovered
After Foreshadow and other Spectre-like flaws, another Spectre variant has come to haunt users. This time, it is the SplitSpectre vulnerability, which is even more dangerous. The vulnerability could allow an attacker to target a victim’s system by exploiting the speculative execution feature of microprocessors. Researchers from Northeastern University and IBM Research have published their findings in a detailed research paper.
As stated in their paper, SplitSpectre appears to be a Spectre v1 variant. The difference, however, lies in the way it executes: it requires a small chunk of vulnerable code on the victim’s machine, without requiring the attacker to have their own malicious code.
Regarding how SplitSpectre works, the researchers explain:
“As its name implies, it splits the Spectre v1 gadget into two parts: one consisting of the conditional branch and the array access (phase 3), and the other one consisting of the second array access that constitutes the sending part of the side channel (phase 4). This has the advantage that the second part, phase 4, can now be placed into the attacker-controlled code. It is more likely that an attacker finds such gadgets, thereby alleviating one of the main difficulties of performing a v1 attack. Furthermore, the attacker can choose to employ amplification of a v1 attack by reading multiple indices of the second array to deal with imprecise time sources.”
In the case of SplitSpectre, the speculation window extends to cover the second part of the attack. This extension, in turn, makes the attack more robust.
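To make the split concrete, the following is an added example in C (not code from the paper or this article) of the victim-side half, phase 3, first as it appears in a classic Spectre v1 gadget and then hardened with a branchless index mask in the style of the Linux kernel's array_index_nospec(). The table array1 and its size are constructed placeholders, and the compiler barrier uses GCC/Clang inline-assembly syntax.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the victim's bounds-checked table. */
#define ARRAY1_SIZE 16
static const uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Phase 3 of a classic Spectre v1 gadget. Architecturally the bounds
 * check is correct, but while the branch is still unresolved the CPU may
 * speculatively run the load with an out-of-bounds idx. That speculatively
 * fetched value is what phase 4 (attacker code, in SplitSpectre) observes. */
uint8_t phase3_vulnerable(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array1[idx];
    return 0;
}

/* Branchless bounds mask in the style of Linux's array_index_mask_nospec():
 * returns SIZE_MAX when idx < size and 0 otherwise. Only unsigned
 * arithmetic is used, so the result is well defined for every idx. The
 * top bit of (idx | (size - 1 - idx)) is set exactly when idx >= size
 * (for size below 2^63), and no predicted branch is involved. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (oob ^ 1);
}

/* The index the hardened gadget actually dereferences: in-bounds values
 * pass through, out-of-bounds values collapse to 0 even under
 * speculation, so the load can no longer reach past array1. */
size_t masked_index(size_t idx) {
    /* Stop the compiler from folding the mask away on the basis that idx
     * is in bounds architecturally (GCC/Clang inline-assembly barrier). */
    __asm__ __volatile__("" : "+r"(idx));
    return idx & index_mask_nospec(idx, ARRAY1_SIZE);
}

/* Hardened phase 3: same bounds check, but the index fed to the load is
 * masked, which is the mitigation the Linux kernel applies to
 * user-controlled indices. An alternative is a speculation barrier
 * (lfence on x86) after the branch, at a higher performance cost. */
uint8_t phase3_hardened(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array1[masked_index(idx)];
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in what the load can touch during speculation.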
The SplitSpectre vulnerability affects most modern CPUs. The researchers have successfully tested the attack against Intel Haswell, Skylake and AMD Ryzen processors.
Although the affected processors remain vulnerable, the researchers suggest that the existing mitigations against Spectre may help mitigate such attacks. Nonetheless, they advise:
“All things considered, our analyses lead us to conclude that the attack is viable, and that the ability to trigger it in practice depends on the identified microarchitectural properties of individual CPU families.”
In addition to explaining the vulnerability, the researchers have also presented a novel tool for investigating speculative execution.
“…we have designed and implemented SPECULATOR, a tool whose purpose is to reverse-engineer the behavior of different CPUs in order to build a deeper understanding of speculative execution.”
Following the successful use of SPECULATOR in their research, the researchers plan to release the tool as open source.