Seven new Meltdown and Spectre-type CPU vulnerabilities that affect Intel, AMD, ARM CPUs

Dec 27, 2018, by Ashwitha Kallalike, 3 min read

Spectre and Meltdown are among the most significant known hardware vulnerabilities affecting modern computer processors. Both were exploited by malicious programs to retrieve secrets stored in the memory of other running programs, including sensitive information such as passwords.

Both Spectre and Meltdown make use of a processor feature known as "speculative execution", a technique used by most modern CPUs to optimize performance. A vulnerability scanning tool can detect these vulnerabilities.

Seven new variants of Spectre and Meltdown vulnerabilities

These seven new transient execution attacks were discovered by the same team of Google Project Zero researchers who discovered the earlier CPU vulnerabilities Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Intel, AMD, and ARM are the three processor vendors affected. Of the seven, two are Meltdown variants and the other five are Spectre variants. A patch management tool can patch these vulnerabilities.

a. Meltdown-PK (Protection Key Bypass): Intel Skylake-SP server CPUs, now sold as the Intel Xeon processor family, support memory-protection keys for user space. The access permissions of a page can be changed directly from user space through these protection keys, so an attacker who can execute code within the process can bypass both read and write isolation.

b. Meltdown-BR (Bounds Check Bypass): On 32-bit processors, an out-of-bound array index encountered by a hardware bounds-checking instruction raises a bound range exceeded exception (#BR). Sensitive information can still be accessed through transient execution after the out-of-bound exception is raised.

Spectre-PHT (Pattern History Table)

The branch predictor can be mistrained in the following four ways:

* Inside the same address space and at the same branch location (same-address-space in-place mistraining)

* Within the same address space but with a different branch (same-address-space out-of-place)

* Inside an attacker-controlled address space with a branch at the same address as the victim branch (cross-address-space in-place)

* Inside an attacker-controlled address space with a branch at an address congruent to the victim branch (cross-address-space out-of-place)

c. Spectre-PHT-CA-OP (Cross-Address-space Out-of-Place): The Pattern History Table is used to exploit the issue from within an attacker-controlled address space, using a branch at an address congruent to the victim branch.

d. Spectre-PHT-SA-IP (Same Address-space In-Place): This attack mounts Spectre-PHT within the same address space and at the same branch location.

e. Spectre-PHT-SA-OP (Same Address-space Out-of-Place): This attack mounts Spectre-PHT within the same address space but with a different branch location.

Spectre-BTB (Branch Target Buffer)

The Branch Target Buffer, which stores the predicted destination of a branch in a processor that uses branch prediction, is used to exploit this vulnerability.

f. Spectre-BTB-SA-IP (Same Address-space In-Place): The same address space and the same branch location are used to perform the Spectre-BTB-SA-IP attack.

g. Spectre-BTB-SA-OP (Same Address-space Out-of-Place): The same address space with a different branch is used to perform the Spectre-BTB-SA-OP attack.

Defense for Spectre and Meltdown vulnerabilities:

According to the researchers who studied these issues, fully mitigating them would require hardware modifications, and some of the variants have so far only been exploited theoretically. Because the fixes need changes to the processor architecture, these vulnerabilities are not easy to patch.

To patch the original Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities, refer to 'Patching Meltdown and Spectre'.
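Before relying on vendor patches, a practitioner will want to know what the running kernel itself reports. On Linux, the kernel exposes one file per transient-execution variant it knows about under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The script below is an added example, not code from the original post; the optional directory argument is an assumption added so the logic can be run against a constructed copy of that directory.

```shell
#!/bin/sh
# Summarise the kernel's transient-execution mitigation report.
# Usage: report_cpu_vulns [DIR]   (DIR defaults to the live sysfs directory;
# the argument is an assumption added for offline testing)
report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability directory at $dir" >&2
        return 2
    fi
    unmitigated=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Unreadable entries are reported rather than aborting the run.
        status=$(cat "$f" 2>/dev/null || echo "unreadable")
        case "$status" in
            "Not affected"*) verdict="OK" ;;
            Mitigation:*)    verdict="MIT" ;;
            Vulnerable*)     verdict="WARN"; unmitigated=$((unmitigated + 1)) ;;
            *)               verdict="???" ;;
        esac
        printf '%-5s%-24s %s\n' "$verdict" "$name" "$status"
    done
    # Last line is machine-readable: the count of variants reported Vulnerable.
    echo "unmitigated: $unmitigated"
}

# Run against the live system when executed directly on a Linux host.
if [ $# -eq 0 ] && [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_cpu_vulns
fi
```

Entries reading "Unknown" or "unreadable" land in the "???" row and deserve a manual look; a non-zero "unmitigated" count is the signal to chase firmware or kernel updates.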
