Researchers discover a new Spectre-like ‘Spoiler’ Intel CPU Vulnerability

Summary: All of Intel’s Core CPUs are susceptible to cyber attacks exploiting flaws in their speculative execution capabilities, has revealed. 

Intel processors are vulnerable to an attack, nicknamed Spoiler, to which AMD processors are immune according to new research paper [PDF] at the Worcester Polytechnic Institute and the University of Lübeck. Intel will not be able to spin this as an industry-wide problem as they did last January when two other vulnerabilities, Spectre and Meltdown, were revealed. This bodes well for AMD shareholders.

While similar to the publicised January 2018, Spectre security flaws, new Spoiler flaw works very differently, claim the team of researchers from Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in Germany.

Speculative execution is a performance enhancing CPU feature whereby the CPU performs anticipated functions before they are called. The aim is to mitigate memory bottlenecks.

“Spoiler is not a Spectre attack. The root cause for Spoiler is a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem which directly leaks timing behaviour due to physical address conflicts,” the researchers write.

“Existing spectre mitigations would therefore not interfere with Spoiler.”

The researchers claim that the flaw involves “a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes”.

“The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the first generation of Intel Core processors, independent of the operating system, and also works from within virtual machines and sandboxed environments.”

“To exploit the leakage, we used the speculative load behaviour after jamming the store buffer. Spoiler can be executed from user space and requires no special privileges. While speculative execution enables both Spoiler and Spectre and Meltdown, our newly found leakage stems from a completely different hardware unit, the Memory Order Buffer

“We exploited the leakage to reveal information on the eight least significant bits of the physical page number, which are critical for many microarchitectural attacks such as Rowhammer and cache attacks. We analysed the causes of the discovered leakage in detail and showed how to exploit it to extract physical address information,” the researchers write in their conclusion.

“Broadly put, the leakage described in this paper will enable attackers to perform existing attacks more efficiently, or to devise new attacks using the novel knowledge.

Intel, for its part, has suggested that software patches ought to be able to mitigate against the risks highlighted by the researchers, who informed Intel of the security flaw on 1 December 2018.

However, researcher Ahmad Moghimi, indicated in an interview with The Register that Intel’s response was somewhat glib.

“My personal opinion is that when it comes to the memory subsystem, it’s very hard to make any changes and it’s not something you can patch easily with microcode without losing tremendous performance. So I don’t think we will see a patch for this type of attack in the next five years and that could be a reason why they haven’t issued a CVE.”

However, in order to take advantage of the security flaw an attacker would first need to compromise users’ PCs in some way with, for example, malware or via malicious JavaScript code running on a website. 

Intel was made aware of Spoiler at the beginning of December. In a comment provided on TechRadar, the chipmaker downplayed the severity of it all.

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest,” Intel said.

“We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research,” Intel added.

In other words, the situation is not as dire as perhaps the paper makes it sound, from Intel’s vantage point. But then we’d expect Intel to take that stance. We’ll be keeping an eye on this and will report any significant updates.