Spectre and Meltdown vulnerabilities are one of the most significant known hardware vulnerabilities that affect the modern computer processors. Meltdown and Spectre vulnerabilities were exploited through malicious programs to retrieve secrets stored in the memory of other running programs, sensitive information like passwords.
Both ‘Meltdown‘ and ‘Spectre‘ make use of a feature in the processor chip known as “speculative execution“, a technique which is used by most modern CPUs to optimize performance.
Seven new variants of Meltdown & Spectre
These are seven new transient execution attacks that are discovered by the same team of Google Project Zero researchers, who discovered previous CPU vulnerabilities in the form of Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Intel, AMD, and ARM are the three processor vendors which are affected by these vulnerabilities. Among these seven processor vulnerabilities, two are Meltdown variants and other five are Spectre variants.
a. Meltdown-PK (Protection Key Bypass): Intel Skylake-SP server CPUs presently called Intel Xeon processor family supports memory-protection keys for user space. The access permissions of a page are allowed to change directly from the user space through the memory protection keys and an attacker can bypass both read/write isolation if he/she can control code execution over the process.
b. Meltdown-BR (Bounds Check Bypass): 32-bit processors in which out-of-bound array indices are encountered in hardware instructions that raise a bound range exceeded exception (BR). Sensitive information can be accessed after the out-of-bound exception using transient execution attack.
Spectre-PHT (Pattern History Table)
Branch predictor can be mistrained in the following four ways:
* Inside the same address space and the same branch location (same-address-space in-place mistraining)
* Inside the same address space but with a different branch (same-address-space out-of-place)
* Inside an attacker controlled address space but with a branch at the same address as victim branch (cross-address-space in-place)
* Inside an attacker controlled address space at a agreed address to victim branch (cross-address-space out-of-place)
c. Spectre-PHT-CA-OP (Cross-Address-space Out of Place): Here the Pattern History table is used for exploiting the issue. It is exploited within an attacker-controlled address space with an agreed address to the victim branch.
d. Spectre-PHT-SA-IP (Same Address-space In Place): This attack can be performed by performing Spectre-PHT attacks within the same address space and with a same branch location.
e. Spectre-PHT-SA-OP (Same Address-space Out of Place): This attack can be performed by performing Spectre-PHT attacks within the same address space but with a different branch location.
Spectre-BTB (Branch Target Buffer)
Branch Target Buffer, a register that is used to store the predicted destination of a branch in a processor using branch prediction is used for exploiting this vulnerability.
f. Spectre-BTB-SA-IP (Same Address-space In Place): The same address space and same branch location can be used to perform Spectre-BTB-SA-IP attack.
g. Spectre-BTB-SA-OP (Same Address-space Out of Place): The same address space with a different branch can be used to perform Spectre-BTB-SA-OP attack.
Defense for the vulnerabilities:
According to the researchers who researched these issues, patches that need hardware modifications are only exploited theoretically. As these issues need some changes to processor architecture and are not easy to patch in order to fully mitigate the vulnerabilities.
To patch the other vulnerabilities, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) , refer to ‘Patching Meltdown and Spectre’: