Researchers in the HexHive and Parallel Systems Architecture (PARSA) laboratories of EPFL's School of Computer and Communication Sciences, in collaboration with IBM researchers, have identified a widespread computer security vulnerability affecting laptop, desktop and server hardware.
Last year, the so-called Spectre and Meltdown security vulnerabilities made headlines when it was discovered that they affect the Intel central processing units (CPUs) in most laptop and desktop computers and servers. Now, researchers in the EPFL's HexHive and PARSA laboratories, in collaboration with IBM Research in Zurich, have characterized a similar, but novel attack called SMoTherSpectre.
In computer science terms, SMoTherSpectre is known as a “speculative side channel attack”, meaning that it allows a potential attacker to leak data by taking advantage of a CPU optimization technique in which instructions are executed ‘speculatively’ after a branch (decision point) in the code.
Modern CPUs implement many instructions concurrently, but instead of waiting until branch instructions complete their execution, these CPUs ‘guess’ which target will be used and execute those instructions speculatively. If the guess was correct, the speculatively executed instructions are committed, improving performance; otherwise they are discarded. Unfortunately, incorrect guesses result in a so-called “side channel” that can leak information to an attacker.
The Meltdown and Spectre attacks also leveraged speculative execution, but the EPFL researchers’ unique approach gets to the root of such vulnerabilities: port contention, which occurs when series of instructions to be executed simultaneously on a CPU are delayed due to scheduling conflicts. A SMoTherSpectre attack takes advantage of port contention to determine what instructions have been executed speculatively.
“SMoTherSpectre times the instruction sequences that are executed speculatively, allowing an attacker to infer what sequences of instructions have been executed, and pinpoint what is being done,” explains HexHive head and EPFL professor Mathias Payer.
No easy fix
Payer says that this vulnerability is especially difficult to address because it affects CPU hardware, rather than software.
“Even if a software program is 100% secure against attacks, it can still be affected by this vulnerability. The solutions are all difficult to implement, and all have performance impacts or costs,” he says, adding that future versions of Intel hardware would have to be updated to eliminate the problem.
Payer notes that the distinction between hardware and software vulnerability is also what sets SMoTherSpectre apart from another concurrently developed attack, PortSmash. The latter can leak information about regularly executed CPU instructions if a software bug is present, but is resolved when the faulty software is fixed.
The researchers have disclosed the SMoTherSpectre attack to Intel, AMD, OpenSSL and IBM. They have published their full findings on the arXiv online database, and described the technical details in a blog post.