The ripples created by the widespread Spectre vulnerability, which impacted a multitude of processors and devices in 2018, are being felt to this day. Security researchers have discovered several new variants of the flaw that, while difficult to carry out, would be tricky to mitigate. The three new types of potential Spectre attacks affect all modern AMD and Intel processors with micro-op caches, according to a new paper from academics at the University of Virginia and University of California San Diego. To make matters worse, none of the existing Spectre mitigations can protect against attacks that use the new variants.
Before going public with the info, the researchers warned Intel and AMD of the exploits that would potentially allow hackers to steal data from a machine, reports Phoronix. But, as of now, no microcode updates or OS patches have been released, and it may just stay that way. That’s because the nature of the attacks and their mitigations are convoluted and come with a major caveat.
According to Tom’s Hardware, the danger may be limited to direct attacks as exploiting micro-ops cache vulnerabilities is extremely difficult. In essence, the malware would have to bypass all other software and hardware security measures that modern systems have.
For CPU makers, one of the biggest concerns will be the performance impacting mitigation measures outlined by the researchers, including the flushing of the micro-op cache at domain crossings or privilege level-based partitioning of the caches. The paper’s authors claim this mitigation would come with “much greater performance penalty” than those related to previous attacks.
The first of the trio of possible exploits is a same thread cross-domain attack that leaks secrets across the user kernel boundary. A separate variant relies on a cross-SMT thread attack that transmits secrets across two SMT threads via the micro-op cache. The paper also describes “transient execution attacks” that can be used “to leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution.”