Two new vulnerabilities have been found that exploit flaws in CPU speculative execution. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre-v1 vulnerability. The new vulnerabilities leverage speculative stores to create speculative buffer overflows that can avoid Spectre-v1 mitigations. In a proof-of-concept attack for Spectre 1.1, researchers used the code “if (y < lenc) c[y] = z;” to show that, while speculatively executing a branch, the CPU may ignore the bounds check and possibly allow an attacker to overwrite memory. This mechanism makes it possible for an attacker to temporarily overwrite data used for a subsequent Spectre-v1 attack. Spectre 1.2 can exploit “lazy enforcement of user/superuser protection checks for page-table entries (PTEs).” A speculative data attack can possibly overwrite read-only data, including vtables, code pointers, and control-flow mitigation metadata. Researchers have notified AMD, ARM, Intel, Google, IBM, and Microsoft of the two new Spectre variants; however, no patches are available yet.
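An added example, not code from the researchers or the original article: the Spectre 1.1 store pattern quoted above beside a hardened form that clamps the index with a branchless mask (the approach behind the Linux kernel's array_index_nospec()), so a mispredicted bounds check can only write inside the buffer. The names index_mask, store_unhardened and store_hardened and the 16-byte buffer are assumptions, the inline __asm__ requires GCC or Clang, and the example covers only the Spectre 1.1 store case, not Spectre 1.2.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define LENC 16                    /* constructed sample size */
static uint8_t c[LENC];            /* `c` and `lenc` follow the page's snippet */
static const size_t lenc = LENC;

/* The pattern quoted on the page: architecturally correct, but the store
 * may execute speculatively with y >= lenc if the branch is mispredicted. */
void store_unhardened(size_t y, uint8_t z)
{
    if (y < lenc)
        c[y] = z;
}

/* Hypothetical helper: all-ones when idx < size, zero otherwise, computed
 * with arithmetic only, so there is no branch for the predictor to get wrong.
 * Assumes 0 < size <= SIZE_MAX / 2. */
static inline size_t index_mask(size_t idx, size_t size)
{
    /* Hide idx from the optimizer; otherwise the compiler may prove the mask
     * is always all-ones inside the bounds check and delete it (GCC/Clang). */
    __asm__ volatile("" : "+r"(idx));
    size_t top = idx | (size - 1 - idx);   /* top bit set iff idx >= size */
    return (size_t)0 - (~top >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Hardened form: the store address now depends on the mask as data, so on a
 * mispredicted path an out-of-range y is forced to 0 and stays inside c[]. */
void store_hardened(size_t y, uint8_t z)
{
    if (y < lenc) {
        y &= index_mask(y, lenc);
        c[y] = z;
    }
}

int main(void)
{
    store_hardened(3, 0xAA);       /* in range: written */
    store_hardened(LENC, 0xBB);    /* out of range: rejected */
    return (c[3] == 0xAA && c[0] == 0) ? 0 : 1;
}
```

The mask costs a few ALU instructions per access and does not serialize the pipeline the way a speculation barrier would.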
New Spectre Variants Disclosed
August 14, 2018