UVA Engineering’s Ashish Venkat hopes industry and academia will work together to find solutions.
Billions of computers and other devices across the globe remain vulnerable to a potentially devastating hardware flaw called ‘Spectre’ discovered in 2018, according to computer science researchers led by Indian American Ashish Venkat.
Led by Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at University of Virginia School of Engineering, the researchers have uncovered a line of attack that breaks all Spectre defenses.
The team reported its discovery to international chip makers in April and will present the new challenge at a worldwide computing architecture conference in June, according to a UVA Engineering press release.
Discovered In 2018, the flaw was named Spectre because it was built into modern computer processors that get their speed from a technique called “speculative execution.”
In this technique, the processor predicts instructions it might end up executing and preps by following the predicted path to pull the instructions from memory.
A Spectre attack tricks the processor into executing instructions along the wrong path. Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way.
Computer scientists believed they have been able to protect the most vulnerable points in the speculative execution process without slowing down computing speeds too much with software patches and hardware defenses.
But Venkat’s team found a whole new way for hackers to exploit something called a “micro-op cache,” which speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process.
Micro-op caches have been built into Intel computers manufactured since 2011. Venkat’s team discovered that hackers can steal data when a processor fetches commands from the micro-op cache.
“Think about a hypothetical airport security scenario where TSA lets you in without checking your boarding pass because (1) it is fast and efficient, and (2) you will be checked for your boarding pass at the gate anyway,” Venkat said.
“A computer processor does something similar. It predicts that the check will pass and could let instructions into the pipeline.”
“Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline, but this might be too late because those instructions could leave side-effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password.”
Because all current Spectre defenses protect the processor in a later stage of speculative execution, they are useless in the face of Venkat’s team’s new attacks.
Two variants of the attacks the team discovered can steal speculatively accessed information from Intel and AMD processors.
“Intel’s suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute,” Venkat said.
“But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel.”
“It is really unclear how to solve this problem in a way that offers high performance to legacy hardware, but we have to make it work,” Venkat said. “Securing the micro-op cache is an interesting line of research and one that we are considering.”
Venkat’s team has disclosed the vulnerability to the product security teams at Intel and AMD. Venkat expects computer scientists in academia and industry to work quickly together, as they did with Spectre, to find solutions.
In a statement May 3, Intel suggested that no additional mitigation would be required if software developers write code using a method called “constant-time programming,” not vulnerable to side-channel attacks.
“Certainly, we agree that software needs to be more secure, and we agree as a community that constant-time programming is an effective means to writing code that is invulnerable to side-channel attacks,” Venkat said.
“However, the vulnerability we uncovered is in hardware, and it is important to also design processors that are secure and resilient against these attacks.
“In addition, constant-time programming is not only hard in terms of the actual programmer effort, but also entails high performance overhead and significant deployment challenges related to patching all sensitive software,” he said.
“The percentage of code that is written using constant-time principles is in fact quite small. Relying on this would be dangerous. That is why we still need to secure the hardware.”
The team’s paper has been accepted by the highly competitive International Symposium on Computer Architecture, or ISCA.
The annual ISCA conference is the leading forum for new ideas and research results in computer architecture and will be held virtually in June.