Researchers Discover Speculative Store Bypass Attack That Affects Intel, AMD, Arm CPUs

Months after the Meltdown and Spectre vulnerabilities were revealed, Google Project Zero and Microsoft researchers discovered a Speculative Store Bypass (SSB) attack that affects processors from Intel, AMD, and Arm. The researchers dubbed this attack SSB Variant 4--Meltdown and Spectre represent the first three variants--and disclosed it after giving affected chipmakers the usual 90 day waiting period.

All of these vulnerabilities enable speculative execution-based side-channel attacks on modern processors. They differ in how they can be exploited and to what kinds of information they offer access. Meltdown, for example, was said to be easy to exploit and let applications gather data from protected kernel memory. Spectre was harder to exploit and offered access to kernel memory as well as data from other applications.

Meltdown and Spectre were disclosed in January. Afterwards, Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn of Google Project Zero independently discovered the SSB attack. While this indicates that Meltdown and Spectre were just the beginning, it also means that efforts to mitigate those vulnerabilities have made it easier for chipmakers, OEMs, and other companies to respond to new flaws.

To wit: Intel executive vice president and general manager of Product Assurance and Security Leslie Culberston said in a blog post that the company has already delivered a beta microcode update for Variant 4 to OEM system manufacturers and system software vendors. Culbertson also said that browser makers' efforts to prevent attackers from exploiting Meltdown have already made it more difficult to exploit this new  flaw.

AMD and Arm have also released security bulletins about Google Project Zero and Microsoft's findings. AMD said that mitigations for the SSB flaw will be delivered by Microsoft and Linux distributors. Arm said the majority of its processors aren't affected by this flaw--for the ones that are, it recommended disabling memory disambiguation at boot if you're worried about someone conducting these side-channel attacks on your system.

So the good news is that many companies have already responded to Variant 4's revelation. (Which is the benefit of giving them 90 days to work on fixes before revealing the vulnerabilities to the public.) The bad news is that securing devices against SSB attacks does appear to have an impact on performance. Culbertson said that if the mitigation is enabled, "we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems."

Culbertson got more specific in her footnotes:

Client measurements are based on Intel internal reference platform and an 8th Generation Intel® Core™ desktop microprocessor. Specifically, observed performance impact was 4% as measured by SYSmark 2014 SE overall score, 2 % as measured by  SPECint_rate_base2006 (n copy) total score, and 8% impact as measured by SPECint_rate_base2006 (1 copy) total score.

Server measurements are based on Intel internal reference platforms and an Intel® Xeon® Processor Scalable Family (formerly Skylake) microprocessor.  Specifically, observed performance impact was 3% as measured by SPECint_rate_base2006 (n copy) total score, and 8% as measured by SPECint_rate_base2006 (1 copy) total score.

Note that we haven't been able to independently test any processors that have received this mitigation--remember that it just reached Intel's partners in beta form--so we can't vouch for any of those numbers. Still, those performance hits prompted Intel to set the mitigation to "off" by default, which means you'll have to manually enable the mitigation (and therefore accept any performance hits) if you want to be protected.

Meltdown And Spectre's Legacy

It's clear by now that Meltdown and Spectre weren't just a set of vulnerabilities that chipmakers, operating system developers, and system manufacturers could fix and move on from. Instead, their discovery represented the finding of a new type of attack that affects many recent CPUs. Researchers and hackers were bound to find similar flaws, just like they did with this Variant 4, and figure out how to exploit them.

Not that we needed Variant 4 to make this clear. Researchers have reportedly already discovered flaws similar to Meltdown and Spectre--earlier this month a German magazine called Heise.de reported that eight new vulnerabilities were discovered in Intel and Arm chips. We don't really know much about this "next generation" of flaws, because the researchers are waiting to reveal technical details, but we do know that they exist.

The fact that vulnerabilities like this will become a fact of life has prompted companies like Microsoft and Intel to introduce their own speculative execution bug bounty programs. Combine those financial incentives with researchers' natural curiosity and we're bound to hear more about the successors to Meltdown and Spectre over the coming weeks, months, and years.

Create a new thread in the UK News comments forum about this subject
No comments yet
Comment from the forums
    Your comment