Spectre Attack

DeHacker, published in DeHacker Security, Aug 29, 2022

According to Wikipedia, Spectre is a family of security vulnerabilities in the class known as microarchitectural timing side-channel attacks. They affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution that results from a branch misprediction can leave observable side effects that reveal private data to an attacker. For example, if the pattern of memory accesses performed during speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about that data using a timing attack.

To improve performance, today's CPUs rely on two seemingly flawless techniques: out-of-order execution and branch prediction. With them, the CPU is no longer limited to executing operations strictly in program order, nor does the body of a conditional statement have to wait for the condition to be evaluated before it runs. The CPU can execute instructions that do not depend on each other early, load the variables used by a statement from memory into the cache ahead of time, and keep otherwise idle execution units busy, which greatly improves its throughput.

Out-of-order execution looks harmless at first, but branch prediction raises a question: what if the prediction is wrong? Intel and the other CPU manufacturers have accounted for this case. If a branch is mispredicted, the CPU rolls back to the state it was in before the prediction, restoring the original registers and so on, so that the program resumes from the branch condition.

The problem is that both techniques load data into the cache without first checking whether the program has permission to access it. When a branch prediction fails, the CPU's architectural state is rolled back, but the cache is not, and that leftover cache state is what leaks information.

The memory architecture of contemporary CPUs:

As the course explains, when the CPU accesses memory it first loads the data from memory into the cache and then reads it from the cache; accessing the cache is much faster than accessing main memory. The data of different processes is stored in different regions of memory, and the operating system's permission checks prevent one process from modifying the memory of another. The cache, however, is shared: different processes can all access it and operate on the data in it.

Out-of-order execution

The CPU does not execute a program strictly in the order the code is written; it executes out of order. If the three statements were executed in sequence, the CPU would first load the data from memory into RAX, then add to the data in RAX, and then move the data in RBX into RAX. Looking at this, the memory load unit needed by instruction c is idle while instruction b is being processed. Designers do not waste resources like this, and so out-of-order execution was born.

Note that there is no check of the process's permissions at this point. If the process is not allowed to access the data touched by statement c, out-of-order execution still loads it into the cache; only when statement c is actually executed does the operating system check permissions. If the process turns out not to have permission, the result of the out-of-order execution is discarded, the CPU rolls back to its original state, and the statements are executed in order.

Branch prediction

The CPU does not first evaluate the if and then execute the corresponding branch as we wrote it in the code; instead it executes the statements inside the branch in advance. Normally one would expect the CPU to evaluate the condition in the if first and only then execute the memory access and assignment in the body, so that while the condition is being evaluated the memory load unit sits idle and its resources are wasted. Branch prediction reduces that waste: for such a statement, it allows the corresponding data to be loaded into the cache first, and the body is then executed if the condition turns out to be true, so that when the body accesses memory it hits the cache instead of main memory and saves time.

However, if the branch prediction fails, the state information of the CPU will be rolled back and restored, but the data in the cache will remain unchanged.
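The hazard described above is easiest to see in a bounds-checked array read: the body can run speculatively with an out-of-range index before the if is resolved. As an added example (not code from the original post), the plain check is shown beside the branchless index-masking mitigation that the Linux kernel uses in array_index_nospec(); the array and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table (illustrative only). */
static const uint8_t public_table[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Plain bounds check. Architecturally correct, but while the branch is
 * unresolved the predictor may guess "taken" and speculatively load
 * public_table[index] for an out-of-range index, so the cache line
 * holding that memory is filled before the misprediction is detected. */
uint8_t read_checked(size_t index, int *in_bounds)
{
    if (index < sizeof public_table) {
        *in_bounds = 1;
        return public_table[index];
    }
    *in_bounds = 0;
    return 0;
}

/* Branchless mask: all ones when index < size, all zeros otherwise.
 * Same construction as the Linux kernel's array_index_mask_nospec().
 * size - 1 - index wraps for index >= size, setting the top bit; the
 * arithmetic right shift then spreads that bit over the whole word.
 * Assumes size <= LONG_MAX and an arithmetic shift of negative longs. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1));
}

/* Hardened read: the error is still reported architecturally, but the
 * load itself only ever sees an index clamped by the mask, so the
 * speculative path cannot reach memory past the table. */
uint8_t read_nospec(size_t index, int *in_bounds)
{
    size_t size = sizeof public_table;
    size_t mask = index_mask_nospec(index, size);
    *in_bounds = index < size;
    return public_table[index & mask]; /* out of range -> index 0 */
}

int main(void)
{
    int ok;
    printf("index 5: value %u, in_bounds %d\n", read_nospec(5, &ok), ok);
    printf("index 1000: value %u, in_bounds %d\n", read_nospec(1000, &ok), ok);
    return 0;
}
```

An lfence (or equivalent speculation barrier) after the bounds check is the other common mitigation; masking is preferred where the cost of a full barrier matters.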

Side-channel attack

A side-channel attack is a relatively new kind of attack for cracking passwords. It uses side-channel information produced while an encrypting device operates, such as timing, power consumption, or electromagnetic radiation, to attack the device.

Patch Prevention

Because these two vulnerabilities allow programs to read other programs' data across permission boundaries, they pose a serious security risk. After they were disclosed, the major CPU manufacturers invested in developing patches, and results soon followed. Since the vulnerabilities involve both operating-system and hardware knowledge, responses came from several fields:

1. Chip manufacturers

Intel has identified related issues in its own CPUs and is working closely with many other tech companies, including AMD, ARM, and various operating system vendors, to develop an industry-wide approach to address these vulnerabilities in a timely and constructive manner. In addition, Intel believes that the reports in some media are inaccurate. These problems are not only related to Intel but also related to problems in the CPUs of other manufacturers. The performance impact of the fixes of these issues is related to specific work scenarios. For general users, the impact is not significant, and these impacts will be alleviated over time.

ARM confirmed that most of its processors are not affected by the vulnerability but published a list of affected processors. ARM believes that exploiting these vulnerabilities requires running malware locally, so users who update their software promptly and do not click links of unknown origin reduce their risk. For programs on Linux, ARM provides a new compiler with which programs can be recompiled, and a separate Linux ARM kernel patch was released to address the vulnerability.

2. Operating system

Microsoft issued a security advisory, fixed related issues in IE, Edge and the Windows kernel, and provided protection guidance for ordinary users, server users and cloud users. Linux kernel developer Thomas Gleixner posted instructions for the new KAISER isolation patch set on the Linux kernel mailing list in December 2017; some people suspect that this batch of patches is aimed at addressing the Meltdown and Spectre vulnerabilities on Linux systems.

The impact of the patch

Because these two vulnerabilities exploit out-of-order execution and branch prediction, and those two techniques are exactly what improves the CPU's efficiency, patches at the operating-system level are bound to affect both of them and thereby reduce the efficiency of the computer's work.

In other words, if the patches for these two vulnerabilities are installed for security reasons, system performance will drop. If there is no confidential information on a personal computer, installing these two patches can be forgone in exchange for higher performance.

About DeHacker

DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.
