Two security researchers, Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting, have published a paper, “Speculative Buffer Overflows: Attacks and Defenses”, describing a new variant of the Spectre vulnerability that turns speculative execution into a buffer overflow. The paper explains both the attacks this variant (Spectre 1.1 / CVE-2018-3693) enables and the defenses available against it.
For processor manufacturers, the flaws disclosed at the start of the year, and the further variants that have followed in quick succession, have been a persistent headache. Spectre 1.1 exploits speculative buffer overflows: where the original Spectre variant 1 (Bounds Check Bypass) uses a mispredicted bounds check to perform a speculative out-of-bounds load, Spectre 1.1, also called Bounds Check Bypass Store (BCBS), uses it to perform a speculative out-of-bounds store, the speculative analogue of a classic buffer overflow. The store is what distinguishes it from the earlier speculative execution attacks.
The researchers classify it as a minor variant of Spectre v1, but one with broad reach: “Spectre 1.1 affects billions of devices powered by modern processors, including those from Intel and AMD.”
According to the researchers, speculative buffer overflows let a local attacker steer the processor into speculatively executing arbitrary, untrusted code paths. Combined with side-channel analysis, this abuses the microprocessor's speculative execution and branch prediction to expose sensitive information.
“Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks.”
The researchers also describe a related, and arguably more serious, variant they call Spectre 1.2, which aims speculative stores at memory that hardware marks read-only.
“In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.”
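The following is an added example, not code from the paper or the article: it shows the Spectre 1.1 store pattern (a correct bounds check followed by a store the CPU may execute speculatively with an attacker-chosen index), a constructed memory layout in which such a store would land on a code pointer, the target class the Spectre 1.2 discussion names, and a software hardening in the style of the Linux kernel's `array_index_nospec()`, which clamps the index branchlessly so that even a mispredicted path cannot store outside the buffer. The `struct sandbox` layout, the `BUF_LEN` constant and all function names are assumptions made for the illustration; the misprediction itself cannot be observed from C, so the code only shows where the speculative store would go and what the clamp turns the index into.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed layout for illustration: a bounded buffer followed in memory
 * by a code pointer. Overwriting s->handler, even only speculatively, is the
 * kind of target a Spectre 1.1 control-flow attack (and Spectre 1.2, when the
 * pointer lives in read-only memory) aims at.
 */
struct sandbox {
    uint8_t buf[16];
    void  (*handler)(void);
};

#define BUF_LEN (sizeof ((struct sandbox *)0)->buf)

/*
 * Vulnerable pattern (kept as the paper describes it): the bounds check is
 * architecturally correct, but a mispredicted branch lets the CPU execute
 * the store before the check resolves, so an attacker-controlled y can
 * place a speculative store past buf.
 */
int store_checked(struct sandbox *s, size_t y, uint8_t z)
{
    if (y < BUF_LEN) {      /* predictor may guess "true" even for y >= 16 */
        s->buf[y] = z;      /* speculative store goes out of bounds */
        return 1;
    }
    return 0;
}

/*
 * Branchless clamp in the style of the Linux kernel's array_index_nospec():
 * all-ones when idx < size, zero otherwise, computed with arithmetic rather
 * than a branch so there is nothing for the predictor to speculate through.
 * Assumes an arithmetic right shift of negative values (gcc, clang, MSVC)
 * and that idx and size are both below SIZE_MAX / 2.
 */
static inline size_t nospec_mask(size_t idx, size_t size)
{
    /* size - 1 - idx wraps to a negative value exactly when idx >= size,
       so the sign bit of (idx | (size - 1 - idx)) encodes the comparison. */
    intptr_t v = (intptr_t)(idx | (size - 1 - idx));
    return (size_t)((~v) >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* What the index becomes on the (possibly mispredicted) path: itself if in
   range, otherwise 0. */
size_t clamped_index(size_t y)
{
    return y & nospec_mask(y, BUF_LEN);
}

/*
 * Hardened store: architecturally identical to store_checked, but a
 * speculative store with y >= BUF_LEN now lands on buf[0] instead of on
 * whatever follows the buffer.
 */
int store_hardened(struct sandbox *s, size_t y, uint8_t z)
{
    if (y < BUF_LEN) {
        y = clamped_index(y);
        s->buf[y] = z;
        return 1;
    }
    return 0;
}

/* Would an out-of-bounds index y write into the code pointer? */
int oob_index_hits_handler(size_t y)
{
    size_t off = offsetof(struct sandbox, buf) + y;
    return off >= offsetof(struct sandbox, handler) &&
           off <  offsetof(struct sandbox, handler) + sizeof(void *);
}

int main(void)
{
    struct sandbox s;
    memset(&s, 0, sizeof s);
    printf("y=5  -> clamped to %zu, hardened store returns %d\n",
           clamped_index(5), store_hardened(&s, 5, 0x41));
    printf("y=16 -> clamped to %zu on a mispredicted path\n", clamped_index(16));
    printf("y=16 overlaps the handler pointer: %d\n", oob_index_hits_handler(16));
    return 0;
}
```

The clamp is what the kernel applies after a user-controlled index passes its bounds check; an `lfence` after the check is the alternative Intel documents, at a higher cost per site, and neither helps if the attacker can redirect control flow before the check is reached, which is the case the paper's "control-flow attacks" sentence refers to.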
Although the researchers believe that processor-level (microcode) fixes can fully mitigate Spectre 1.1, Intel recommends that users and operating system vendors deploy the available security patches, both for this variant and for the further variants expected to surface in the foreseeable future.