What’s the Perfect Crime?The one that leaves no trace: the Spectre one?
By Felipe Zárate | May 27, 2021
Spectre was in the spotlight of cyber threat news in 2018. Its name is a direct reference to the only agent capable of attacking in that way: a specter. Since every ghost always comes back, Spectre has reappeared! To start talking about it, we have prepared a story and a challenge for you. Can you solve it?
Imagine the following scenario: one businessman increased his company’s efficiency by hiring different people to perform routine tasks even before someone asked them to do so. If a posteriori instruction contradicted what the employees had done, they reversed and forgot those failed actions.
Some years later, the businessman’s lifeless body appeared in his library. He had a deep wound in his heart with an undue pool of blood. There was nothing nearby that could have been used to kill him. The room had doors and windows closed from the inside with no openings in walls, ceiling, or floor. The only suspect was an employee who was with him two hours before his death. However, after drinking the infallible truth serum, it was confirmed his innocence. The victim’s sister claims the assassin was a ghost. But was it?
Clues are already given, and we can suggest a solution. But, before that, if you think that this story is merely fiction, I invite you to read what happened with the Spectre case.
Since 2004 the 3.8GHz Pentium 4 has been allowed to "bump in speed from the already available 6xx line of processors." Computers and devices that work with microchips increased their efficiency. Behind that increased performance, there was an effort to boost pipeline in average cases, reduce memory delays by using caches, and work during delays using speculative execution. That allowed routine processes (such as move data from one memory location to another, or jump to a different address) to be much more efficient. Now, how did this advantage become a vulnerability?
A CPU could start a course of action without confirming that it is the correct path. In other words: "the CPU guess likely future execution directions and prematurely execute instructions on these paths." This means that even before the value that executes an instruction appears, the CPU is already performing it.
This solution responded to the limited number of processes a CPU can execute at the same time. That number is conditioned by each CPU clock cycle. To avoid waiting,
When the value is known, a CPU identifies if the speculation was correct. If so, "the code continues as supposed, and the result would come faster." If the assumption was wrong,
There is no cost in time or resources since the alternative option is to wait for the value to be revealed. Then either the CPU expects data to execute orders or "get ahead of the job" and perform the process before the command. However, over time it was seen that there were security implications from speculative execution. In fact, the CPU was opening a vulnerability on its own: a fault attack hardware was built-in.
Branch Predictor and Out-of-bounds
One way to change instructions is by taking advantage of Branch predictors. These are architectural units used "to guess where guess where the next instruction, after a branch, will come from." Through them, the CPU speculates whether a conditional branch will be taken and the possible outcome of the instruction if it is executed. If the speculation is wrong, the CPU will reverse all registry contents back to where they were before proceeding.
Now, the CPU performs a legal out-of-bounds, i.e., "the software reads data past the end, or before the beginning, of the intended buffer." The Buffer is a memory piece in the processor that allows returning from cache or temporary memory to complete long-lasting memory addresses. Here is where a security breach is performed. In Kocher’s words, the problem is that:
What is astonishing is that it is not only allowed, but it is integrated into CPU operations!
This vulnerability has been widely known and analyzed. Since 2018, when it first came to light, Intel and AMD, two of the world’s biggest processor companies, "adjusted their microcode to change the behavior of some assembly-language instructions in ways that limit speculation." Their solution was to limit "spaces" in which speculation is allowed. By doing so, they made specific processing moments safer but slower.
A paper published by the University of Virginia concludes that this threat is not over yet. Researchers have "uncovered a line of attack that breaks all Spectre defenses," which means that "billions of computers and other devices across the globe are just as vulnerable today as they were when Spectre was first announced."
Specifications of this new threat can be reviewed in their article (Ren et al., 2021). However, the main risk identified in their study is that Spectre vulnerability is not in the software but in the hardware. Notably, Intel, AMD, and AMR processors use micro-ops to process complex instructions into small micro-op caches. And published research describes "attacks that exploit the micro-op cache as a timing channel to transmit secret information." As a result of those attacks, criminals can leak secrets in three primary settings (see those settings in detail here).
Although this finding is recent and will be publicly discussed this year in June at the International Symposium on Computer Architecture, the team that wrote the paper has already talked to Intel and AMD about their findings. On May 4, an Intel spokesman said: "that existing mitigations were not being bypassed and that this scenario was addressed in its secure coding guidance." Still, that response is disappointing because the problem should not be solved using constant-time programming. Instead, it should be fixed from its source: processors.
Let us go back to our crime scene. The key is in the truth serum test. Is it possible that the employee does not remember what he did? Why did he act this way, if he is the assassin? What did he use to get through the victim’s heart? The answer is, perhaps, in the excessive pool of blood. If there is a way to make an object disappear in a couple of hours… Can you think of what it could be?
We hope you have enjoyed this post, and we look forward to hearing from you. Contact us!