It's back — and it may have never left.
More than six years after the Spectre flaw affecting CPUs was first reported, researchers learned that that Intel and AMD processors are still vulnerable to speculative execution attacks.
In a study posted by ETH Zurich, a public research university in Switzerland, the researchers said the attacks mainly seek to exploit the Indirect Branch Predictor Barrier (IBPB) on x86 chips, a chip’s built-in security mechanisms for warding off speculative execution attacks.
Modern CPUs depend on speculative execution to optimize a chip’s performance by predicting the future path of code execution and executing certain instructions ahead of time. If these predictions are correct, this "pre-execution" reduces delays and speeds up system performance.
The problem with Spectre speculative execution attacks: An attacker could intentionally manipulate the speculative execution process to access data they normally wouldn't be authorized to read.
“They might force a CPU to mispredict to gain access to cached information like encryption keys or personal data from another process,” said Callie Guenther, senior manager of cyber threat research at Critical Start. “This kind of attack sidesteps traditional access controls by focusing on unintended microarchitectural behavior, which is difficult to detect and prevent with standard security checks."
The ETH Zurich researchers said these new issues were disclosed to Intel and AMD in June 2024, and both companies confirmed their respective issues. Intel has made a microcode patch available to address the issue, CVE-2023-38575. AMD has been tracking the vulnerability for the past couple of years as CVE-2022-23824, according to its advisory.
“Intel informed us that their issue, tracked under INTEL-SA-00982, had been found internally and fixed in a microcode update,” wrote the ETH Zurich researchers. “This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper. We are currently working with the Linux kernel maintainers to merge our proposed software patch.”
John Gallagher, vice president of Viakoo Labs, said speculative execution has been around for more than 20 years, and today all modern CPUs use this approach — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong. Gallagher said if this approach was not available, we would see a significant drop in CPU performances, thus creating a giant business impact from slower processing.
“Chip-level vulnerabilities are typically hard to patch,” said Gallagher. “Organizations should have a ‘defense-in-depth’ approach to security, where even if data is compromised from reading chip-level caches there would be other ways to stop an attacker from using it. In addition, ensuring key systems are on segmented networks is important to prevent lateral movement.”
Guenther, an SC Media columnist, offered six tips for security teams to mitigate against speculative execution attacks:
Stay updated on microcode patches: Intel and AMD regularly release microcode updates that address known vulnerabilities. Security teams should ensure that these updates are applied promptly to all affected hardware. Microcode updates are crucial as they address vulnerabilities at the firmware level, reducing the attack surface.
Enable speculative execution mitigations: Even though these mitigations may have performance implications, such as IBPB, Single Thread Indirect Branch Predictors (STIBP), and Retpoline, they are critical to reducing the risk posed by speculative execution attacks. Understanding the trade-offs between performance and security in your environment is key.
Leverage software-based defenses: Implement memory-safe programming techniques and encourage the use of compiler-based mitigations like Control Flow Integrity (CFI). These help in making exploitation of speculative execution more difficult.
Monitor and isolate sensitive processes: Segment and limit high-privilege code execution from lower-privilege processes. Ensure that sensitive applications or services do not share CPU cores with potentially malicious or untrusted workloads.
Implement rigorous access controls and sandboxing: Limit a user-level application’s ability to execute untrusted code that might trigger speculative execution bugs. In scenarios where untrusted code must be executed, consider using isolated environments like containers or virtual machines.
Perform risk assessments: Regularly assess the impact of speculative execution vulnerabilities in the context of the organization’s specific threat model. This is especially crucial in shared environments like cloud infrastructure or multi-tenant data centers.
