Spectre 1.1 and 1.2 Vulnerabilities Disclosed

Two new vulnerabilities exploiting flaws in CPUs speculative execution have been recently disclosed. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre (Spectre-v1) vulnerability and leverage speculative stores to create speculative buffer overflows which can escape Spectre-v1 mitigations.

The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution. Unfortunately, this enables both local and remote attacks, even when Spectre1.0 gadgets are not present. It also allows attackers to bypass recommended software mitigations for previous speculative-execution attacks.

According to Vladimir Kiriansky and Carl Waldspurger, the security researchers that disclosed the new vulnerabilities, the following code provides a proof-of-concept attack for Spectre 1.1:

if (y < lenc)
    c[y] = z;

The problem with the code above lies with the possibility that during speculative branch execution the CPU might ignore the bounds check, thus leaving open the possibility for an attacker to arbitrarily overwrite memory. This mechanism makes it possible to temporarily overwrite data used by a subsequent Spectre-v1 attack.

Spectre 1.2 exploits instead lazy enforcement of user/superuser protection checks for page-table entries (PTEs). Thus a speculative data attack could overwrite read-only data, which include code pointers, vtables, and control-flow mitigation metadata.

The researchers described both software and hardware mitigations, which include the use of speculation fences, which stop speculative execution altogether; masking, which resorts to masking index values before they are used in an attempt to bound them, so a subsequent access to that position in the array is likely to not access out-of-bounds memory; and others. The researchers also pointed out that software defenses against the new attacks end up being the same as the techniques to prevent classical buffer overflows. Thus,

A good first step toward preventing them would be to strengthen existing checks against stack overflows, heap overflows, integer overflows, etc.

Intel and ARM have publicly acknowledged that some of their CPUs are vulnerable to Spectre 1.1. AMD has not published a statement, but AMD has been historically slow at reviewing security issues.

Although, Kiriansky and Waldspurger reported the two new Spectre variants to Intel, ARM, AMD, Google, IBM, and Microsoft, no patches are yet available.