Researchers Discover New CPU Vulnerability; Fixing It Will Degrade Performance


Update: In a statement provided to us, Intel counters that the vulnerability outlined in the research paper is addressed by existing patches and firmware updates. "Intel has reviewed the report and informed the researchers that existing mitigations have not been bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already has protection for the incidental channels, including the uop cache incidental channel. No new mitigations or guidance are required," Intel stated.

Original story: Computer science researchers at the University of Virginia School of Engineering and the University of California, San Diego have jointly published a paper (PDF) outlining new Spectre variants that they say affect "billions" of AMD and Intel PCs. The researchers also state that these variants are not stopped by existing hardware and software mitigations, and, even worse, that potential fixes will have a significant impact on system performance.

"In the case of previous Spectre attacks, developers came up with relatively simple ways to prevent all kinds of attacks without incurring a significant performance penalty. The difference with this attack is that it suffers a much larger performance penalty than those previous attacks," said Logan Moody, one of the researchers.

A series of CPU exploits called Meltdown and Spectre caused quite a stir three years ago, prompting AMD, Intel, and Microsoft to scramble to issue patches through firmware and software updates. The name Spectre comes from the fact that the exploits take advantage of the CPU's speculative execution and branch prediction capabilities, optimization techniques that play an important role in performance. With these techniques, modern processors predict which instructions are likely to be executed next and execute them speculatively in order to stay ahead of the curve. If the prediction is correct, the program benefits from the work done in advance. If not, the instructions are discarded.

Spectre attacks take advantage of mispredictions to trick the CPU into executing code down the wrong path, which is, obviously, not good.

In most cases, fixes have been in place for quite some time. However, researchers at the two universities say they have discovered "a new attack method to defeat all Spectre defenses." Specifically, it leaks data through the CPU's micro-op cache.

"Consider a hypothetical airport security scenario in which the TSA allows people to enter the country without checking their boarding passes. Computer processors do something similar. They can predict that the check will go through and put instructions in the pipeline. Eventually, if the prediction is incorrect, they throw those instructions out of the pipeline, but this may be too late, because those instructions leave side effects while waiting in the pipeline, which could later be exploited by an attacker to guess secrets like passwords," Venkat added. Existing mitigations against Spectre focus on the latter stages of speculative execution, and unfortunately, disabling the micro-op cache or eliminating speculative execution would have a significant negative impact on performance.

Therefore, the researchers state that it is "really unclear how to solve the problem" without significantly degrading CPU performance levels. They also claim that it is "much more difficult to fix" than previous exploits.

"Intel's proposed defense against Spectre, called LFENCE, is to place sensitive code in a waiting area until a security check is performed, and only then allow execution of the sensitive code," Venkat said. "However, we found that the walls of this waiting area have ears, which our attackers exploit. We show how attackers can smuggle secrets by using the micro-op cache as a covert channel."
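To make the "waiting area" concrete, here is an added example (not code from the paper or from Intel) of the classic Spectre-v1 bounds-check pattern beside the LFENCE-hardened form that Intel's secure coding guidance prescribes; the table contents and the probe array are constructed sample data, and the barrier assumes an x86 build.

```c
#include <stddef.h>
#include <stdint.h>

/* LFENCE speculation barrier on x86 (assumption: built on x86, where it is
 * meaningful); falls back to a compiler-only barrier elsewhere. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Constructed data: a 16-byte public table and a probe array with one 64-byte
 * (cache-line sized) slot per possible byte value, filled lazily. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 64];

static void init_probe(void) {
    static int done = 0;
    for (size_t i = 0; !done && i < sizeof array2; i++) array2[i] = (uint8_t)(i / 64);
    done = 1;
}

/* Classic Spectre-v1 gadget: the bounds check may be predicted as passing, so
 * both loads can issue with an out-of-range x before the branch resolves and
 * leave cache side effects that depend on data past the end of array1. */
uint8_t victim_unprotected(size_t x) {
    init_probe();
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Hardened with LFENCE: nothing after the barrier executes, even speculatively,
 * until the bounds check has actually completed. Architecturally both versions
 * return the same values; only the speculative behaviour differs. */
uint8_t victim_lfence(size_t x) {
    init_probe();
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[x] * 64];
    }
    return 0;
}
```

The researchers' point is that the micro-op cache is filled earlier in the pipeline than this barrier takes effect, which is why the LFENCE in `victim_lfence` does not close their channel.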

The bright side is that targeting low-level caches is not particularly easy; as our friends at Tom's Hardware point out, it requires bypassing other hardware and software security measures. Hackers would have to be not only skilled but truly motivated to go this route. AMD and Intel have been informed of the discovery, but have yet to issue a patch or statement.
