New Spectre Chip Security Vulnerability Found That Leaves Billions Of PCs Still Defenseless

Of the vulnerabilities that appeared in 2018, Spectre was the nastier of the two primary threat vectors, with the other being Meltdown. In short, Spectre works by leveraging modern CPU features called branch prediction and speculative execution, to access memory that would not otherwise be accessible during traditional compute operations. Exposed system memory could contain confidential information, which could then be piped out through a side channel to an adversary looking to exploit it. The original whitepaper explained that this problem ultimately arose from a “long-standing focus in the technology industry on maximizing performance,” without focusing on adequate security measures to protect system memory data in flight.
After the paper was published and coverage began to take off, companies like Intel, AMD and others such as Microsoft, worked to patch these vulnerabilities via software and firmware. Further, this family of vulnerabilities received more scrutiny, leading to new discoveries such as AMD processors being found as vulnerable to a different side-channel attack. Now, researchers at the University of Virginia School of Engineering and Applied Science have found a way to revive Spectre that  breaks all the currently deployed mitigations that exist today.

According to an article released yesterday by University of Virginia, this newly discovered line of attack means “billions of computers and other devices across the globe are just as vulnerable today as they were when Spectre was first announced.” It was initially reported to international chip makers in April, and now presents new challenges for both consumers and enterprise customers alike.

Spectre's New Threat Vector Discovery And How It Works

The researcher team was led by Ashish Venkat, Assistant Professor of Computer Science at UVA Engineering, who likens the team’s discovery to how security works in an airport. He explained a hypothetical scenario “where TSA lets you in without checking your boarding pass because (1) it is fast and efficient, and (2) you will be checked for your boarding pass at the gate anyway.” However, when you are between the metaphorical TSA checkpoint and the gate, something bad could still happen. "A computer processor does something similar. It predicts that the check will pass and could let instructions into the pipeline. Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline," notes Venkat. However, at that point it may be too late and these nefarious instructions could leave "side-effects" in the pipeline that an attacker could use to exploit for critical information like credentials, etc. 
Venkat and his team now believe that this problem will be much harder to fix than the original Spectre vulnerabilities. Ph.D. student researcher Logan Moody explained that when attempting a fix, the “difference with this attack is you take a much greater performance penalty than those previous attacks.” This is because the clear solution is disabling a micro-op cache or halt speculative execution. However, this fix would “effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn’t feasible,” according to lead student author Xida Ren.