Promo2day
New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows - Printable Version

+- Promo2day (https://www.promo2day.com)
+-- Forum: News Center (https://www.promo2day.com/forumdisplay.php?fid=21)
+--- Forum: Security News (https://www.promo2day.com/forumdisplay.php?fid=52)
+--- Thread: New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows (/showthread.php?tid=24714)



New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows - mrtrout - 07-11-2018

You are not allowed to view links. Register or Login to view.            New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows
It's a variant of the first Spectre security vulnerability
Jul 10, 2018 21:48 GMT  ·  By Marius Nestor ·  Share:      
Security researchers Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) have published a paper to disclose a new variant of the infamous Spectre security vulnerability, which creates speculative buffer overflows.

In their paper, the two security researchers explain the attacks and defenses for the new Spectre variant they discover, which they call Spectre1.1 (CVE-2018-3693), a new variant of the first Spectre security vulnerability unearthed earlier this year and later discovered to have multiple other variants.

The new Spectre flaw leverages speculative stores to create speculative buffer overflows. Similar to the classic buffer overflow security flaws, the new Spectre vulnerability is also known as "Bounds Check Bypass Store" or BCBS to distinguish it from the original speculative execution attack.

Though the researchers consider the new Spectre variant a minor version of the Spectre V1 family due to the fact that it uses the same opening in the speculative execution window, namely conditional branch speculation, Spectre 1.1 affects billions of devices powered by modern processors, including those from Intel and AMD.

According to the researchers, speculative buffer overflows allow local attackers to execute arbitrary untrusted code on the vulnerable system with microprocessors utilizing speculative execution and branch prediction to expose sensitive information via side-channel analysis and speculative buffer overflow.

"Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks," said the researchers.

Spectre1.2
In addition to the Spectre1.1 vulnerability, the security researchers have also introduced a Spectre1.2 flaw, another minor variant of the first Spectre vulnerability, which appears affect CPUs that don't enforce read/write protections and depends on lazy PTE enforcement.

"In a Spectre1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective," explain the security researchers.

The researchers have validated the Spectre1.1 and Spectre1.2 attacks on both Intel x86 and ARM processors. For Spectre1.1, they recommend the SLoth family of microarchitectural mitigations, and Spectre1.1 can be mitigated in future processors if chip manufacturers implement a so-called Rogue Data Cache Store protection feature.

As you might expect, Intel and other industry partners are working on patches for the newly discovered Spectre flaws, which presents significant new risks as they allow attackers to perform arbitrary speculative writes, both local and remote, as well as to bypass existing software mitigations for former speculative-execution attacks.

While the researchers believe Spectre1.1 vulnerability can be completely mitigated with microcode processor updates, Intel recommends users to check with their operating system vendors for security patches. As initially believed, industry experts expect a number of new Spectre variants to be disclosed in the foreseeable future.