Computer experts believed they had created adequate security patches following the major Spectre flaw of 2018. But UVA’s discovery has shown that processors are still vulnerable to hackers.
In 2018, academic and industry researchers discovered a potentially fatal hardware flaw that makes computers and other devices vulnerable to attacks.
Researchers named the vulnerability Spectre because it is embedded in modern processors, which rely on a technique known as “speculative execution”: the processor predicts which instructions it will execute, then prepares the path by retrieving those instructions from memory. A Spectre attack tricks the processor into executing the wrong instructions. Although the processor recovers and completes its task correctly, hackers can obtain confidential data while the processor is going in the wrong direction.
Since Spectre’s discovery, computer scientists from industry and academia have been working on hardware defenses and software patches. They are confident they can protect the most sensitive points of the speculative execution process without slowing down computing speeds.
They will need to start over.
University of Virginia School of Engineering researchers discovered a new line of attack that gets around the Spectre defenses. This means that computers worldwide, including billions of laptops and desktops, are as vulnerable today as when Spectre was announced. In April, the team disclosed its findings to international chip manufacturers, and it will present the new challenge at a global computing architecture conference in June.
The research was led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, whose team found a new way for hackers to exploit a component known as a “micro-op cache,” which allows the processor to retrieve simple commands quickly and early in the speculative execution process. Since 2011, micro-op caches have been a feature of Intel computers.
Venkat’s team discovered that hackers could steal data when a processor fetches commands from the micro-op cache.
Venkat stated, “Think about an airport security scenario in which TSA allows you to enter without checking your passport because (1) it’s fast and efficient and (2) you will be checked at the gate for your boarding passes anyway.” A computer processor can do something similar. It predicts that the check will pass and lets instructions into the pipeline. If the prediction is wrong, it throws those instructions out of the pipeline. However, this could be too late, as the instructions could leave behind side effects that an attacker could later use to infer secret information such as a password.
Venkat’s new attacks render the current Spectre defenses ineffective, because those defenses protect the processor at a later stage of speculative execution. The team discovered two variants of the attacks that can steal information from Intel and AMD processors.
Venkat stated that Intel’s suggested defense against Spectre (LFENCE) places sensitive code in a waiting room until security checks are completed. Only then can the sensitive code be executed. “The walls in this area are equipped with ears that our attackers can exploit. We demonstrate how an attacker can use the micro-op cache as a covert channel to smuggle secrets.”
Venkat’s team includes three of his computer science graduate students: Ph.D. candidate Xida Ren and Logan Moody, and Matthew Jordan, a master’s recipient. To reverse-engineer undocumented components in Intel and AMD processors, the UVA team worked with Dean Tullsen (Professor of Computer Science and Engineering, University of California, San Diego) and Mohammadkazem Taram, his Ph.D. student.
They describe the findings in their paper, “I See Dead Uops: Leaking Secrets via Intel/AMD Micro-Op Caches.”
This new vulnerability will be more challenging to fix.
Moody stated that developers had come up with a relatively simple way to stop attacks like the previous Spectre attacks, one that does not entail a significant performance penalty for computing. This attack carries a greater performance penalty than the previous attacks.
Ren, the student lead author, stated that “patches that disable micro-op caches or halt speculative execution for legacy hardware would effectively roll back critical performance innovations in most modern Intel/AMD processors, and this just doesn’t work.”
Venkat stated that it is unclear how to solve the problem in a way that offers high performance on legacy hardware. However, Venkat believes that it must be made to work. “Securing micro-op cache security is an interesting area of research and one we are currently considering.”
Venkat’s team disclosed the vulnerability to Intel and AMD product security teams. Ren and Moody presented a tech talk to Intel Labs worldwide on April 27 about the potential impacts and possible fixes. Venkat hopes that computer scientists from academia and industry will work together quickly to find solutions, just as they did with Spectre.
Intel issued a statement on May 3 in response to the extensive media coverage of the vulnerability. It said no additional mitigation would be necessary if software developers used a method known as “constant-time programming,” which is not susceptible to side-channel attacks.
Venkat stated that “certainly, we agree that software should be more secure” and that constant-time programming is an effective way to write code that is invulnerable to side-channel attacks. Venkat said that the vulnerability was in hardware and that it is crucial to design processors that are secure and resilient against such attacks.
He added that constant-time programming was complex in terms of programmer effort and involved high performance overhead and significant deployment difficulties related to patching sensitive software. “Constant-time principles are used in tiny amounts of code. This would make it dangerous to rely on. This is why we need to make sure that the hardware is secure.”
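Constant-time programming, the method Intel's statement refers to, means writing code whose branches and memory addresses do not depend on secret data. The C sketch below is an added example, not code from the paper or from Intel; it sets leaky patterns beside branchless equivalents, and the function names and sample bytes are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky: the secret decides which instructions are fetched and executed. */
uint32_t leaky_select(uint32_t secret_bit, uint32_t a, uint32_t b) {
    if (secret_bit) return a;
    return b;
}

/* Constant-time: same instruction stream for either value of the secret. */
uint32_t ct_select(uint32_t secret_bit, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - (secret_bit & 1u);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Leaky: returns at the first mismatch, so the work done tracks the secret. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Constant-time: always reads all n bytes and never branches on their value. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)(((diff - 1u) >> 8) & 1u);    /* 1 only when diff == 0 */
}

/* Constant-time table read: touch every entry and keep one with a mask, so
   the secret index never becomes a memory address. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t secret_idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t x = i ^ secret_idx;            /* zero only when i == secret_idx */
        size_t nonzero = (x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1);
        out |= table[i] & (uint8_t)(nonzero - 1);   /* mask is 0xFF or 0x00 */
    }
    return out;
}

int main(void) {
    /* Constructed sample data, not real key material. */
    const uint8_t key[4] = {0xde, 0xad, 0xbe, 0xef}, guess[4] = {0xde, 0xad, 0x00, 0xef};
    printf("equal=%d select=%u lookup=0x%02x\n", ct_equal(key, guess, 4),
           (unsigned)ct_select(1, 7, 9), (unsigned)ct_lookup(key, 4, 2));
    return 0;
}
```

An optimizing compiler can turn masked arithmetic back into branches, so production code checks the generated assembly or relies on a vetted library routine.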
The highly competitive International Symposium on Computer Architecture (ISCA) has accepted the team’s paper. The ISCA annual conference, held virtually in June, is the premier forum for research and new ideas in computer architecture.
Venkat also works closely with the Processor Architecture Team of Intel Labs on microarchitectural innovation through the National Science Foundation/Intel Partnership on Foundational Microarchitecture Research Program.
Venkat was prepared to lead the UVA team in this discovery. Since 2012, Venkat has been a part of a long-standing partnership with Intel. He interned at Intel while studying computer science at the University of California San Diego.
Like other Venkat-led projects, this research is funded by the National Science Foundation and Defense Advanced Research Projects Agency.
Venkat was also one of the university researchers who co-authored a paper, along with Mohammadkazem Taram from UC San Diego, that introduces a microcode-based defense against Spectre known as context-sensitive fencing. This allows the processor to patch up running code with speculation barriers quickly.
One of a few targeted microcode-based defenses that can stop Spectre, “Context Sensitive Fencing: Securing Speculative Execution through Microcode Customization” was presented at the ACM International Conference on Architecture Support for Programming Languages and Operating Systems in April 2019. This paper was also chosen as the top choice among all conference papers on computer architecture, computer security, and VLSI design published between 2014 and 2019.
The new Spectre variants that Venkat’s team discovered broke the context-sensitive fencing mechanism detailed in Venkat’s award-winning paper. This type of research is a great way to break your defense. Venkat’s research team uncovered more vulnerabilities in hardware with each security improvement.