5W1H: Speculative Side Channel Vulnerabilities De-mystified

The classes of vulnerabilities that brought us Meltdown and Spectre are not going away anytime soon. Here’s what you need to know about Speculative Execution vulnerabilities, with our guidance on steps you can take to reduce your risk.

Spectre and Meltdown generated a lot of confusion and discussion in the security world when they first hit the news. Understanding the risks associated with speculative execution vulnerabilities will help organizations prioritize and communicate effectively about their exposure. In this post, we present what it is known, how it affects companies and ways to stay ahead in the game.

Start from the beginning…

Speculative Execution is a technique used to enhance processor performance by anticipating which instructions will be required in advance. According to Intel, this helps minimize latency and extract greater parallelism, thereby leading to performance gains.The boost in performance comes with a tradeoff: results will be discarded if they are not needed. The technique is used by various microprocessor vendors including Intel, AMD and ARM.

While academic papers dating back to 1985 have covered theoretical attacks on CPU caches and translation lookaside buffers (TLBs), rumors about the existence of vulnerabilities in the wild that leveraged Speculative Execution began surfacing in late 2017. However, the real saga began publicly on January 3, 2018 when a blog post from Google’s Project Zero Initiative detailed their findings. Spectre and Meltdown were unleashed to the public just as people were coming back from their New Year holiday. The reports included three variants of the vulnerabilities: CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2) for Spectre and CVE-2017-5754 (Variant 3) for Meltdown.

This mega-event sparked a huge discussion in the community for various reasons: the impact of the vulnerabilities themselves; the number of vendors affected directly and indirectly at various levels of the supply chain; the sheer number of systems impacted worldwide; and the mammoth task of getting these systems updated (if at all possible). Clearly, Pandora’s box had been opened and there was no going back. Pundits predicted (accurately!) we would see more of these in the months and years to come.

In late May 2018, two more vulnerabilities were discovered and reported by Microsoft and Google. These were tagged Variant 3A (CVE-2018-3640) and Variant 4 (CVE-2018-3639). The fourth variant presented a new method for leaking information from a system and could be exploited from a browser, thereby enhancing the ease of exploitation. These variants are part of eight additional Spectre-class flaws provisionally named Spectre-NG.

Soon to follow were other flaws from the Spectre-NG class: Lazy FP State Restore (CVE-2018-3665); Bounds Check Bypass Store (BCBS) aka Spectre 1.1 (CVE-2018-3693); Spectre 1.2; ret2spec (aka Spectre v5); and SpectreRSB (Return Stack Buffer).

In July 2018, NetSpectre surfaced and changed the scope in terms of exploitability of the Spectre family: a remote attack was now possible. By virtue of this new vulnerability, reported by researchers of the Graz University of Technology, an exposed Network Interface or API would be enough for an attacker to execute the remote side-channel attack. NetSpectre is capable of leaking information from the target system and even though the rate of transmission is low (around 15 to 60 bits per hour in a local network) it is still proof that novel variations of speculative execution can target a broad range of devices.

Most recently, on August 14, a new set of vulnerabilities dubbed Foreshadow and Foreshadow-NG were made public. The new set of vulnerabilities exploiting a Side-Channel attack causing a L1 Terminal Fault could affect processors, Virtual Machines and Cloud environments. These vulnerabilities can be triggered when accessing a linear or logical address that is not mapped to a physical location on the hardware resulting in a Terminal Fault.

So what difference does it make?

Spectre and Meltdown opened a broad discussion in regards to the current state of security and their implications. With the remarkably large number of systems vulnerable to speculative execution attacks, and the closing gap between Proofs of Concepts and weaponization, it’s imperative for security teams and companies collaborate to keep an eye on and be aware of the evolution of these threats.

Speculative Execution vulnerabilities not only affect microprocessor manufacturers, but the whole security community. Some of the discovered vulnerabilities will not be fully patched until new architectures are developed and deployed, which will take a few years to happen. More vulnerabilities will be discovered in the upcoming months and years expanding on the current attack vectors.

Why is this important?

• The Spectre and Meltdown vulnerabilities affect a very large number and wide range of devices, including computers, mobile devices and servers. Given the widespread nature, it is certain all affected systems will never be actually patched.
• These classes of vulnerabilities are not going away anytime soon. While some of these vulnerabilities have been mitigated by software patches provided by different vendors, this has come at the cost of performance, and, in some cases, holistic fixes have required architectural changes.
• New, but related vulnerabilities will be discovered, unveiling novel types of attacks that might not be possible to patch via software alone.

What you can do…

Keeping up to date with information on new vulnerabilities and mitigating them via software patches or microcode provides a first line of defense.

Knowing how you are exposed can help to manage and mitigate risks associated with vulnerabilities. By visualizing, analyzing and measuring cyber risk, one can confidently manage and reduce it to an acceptable level.

Security teams must become proactive to close the gap between the publication of a new vulnerability and becoming aware that it is present in their ecosystem. As per Tenable Research’s report on the Attacker’s Advantage, 34% of the analyzed vulnerabilities had an exploit available on the day they were disclosed. Teams willing to protect their organization’s infrastructure can be a step ahead of the curve and reduce the seveday window of opportunity attackers have to exploit a given vulnerability.

On our part, we will keep you updated on the saga of speculative side channel vulnerabilities as things evolve. Stay tuned!

深入瞭解：

• New Side-Channel Attacks Target Graphics Processing Units
• Intel CPUs impacted by new PortSmash side-channel vulnerability

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.