Hardware design changes are needed to squash the new bugs
Researchers have discovered new ways to exploit the Meltdown and Spectre flaws that potentially go beyond the proof-of-concept theories that had companies scrambling to patch Intel and AMD processors last month.
When the Meltdown and Spectre flaws were first revealed, they were presented as early concepts of what hackers could potentially exploit. Although there were no instances of the flaws being used in the wild, experts warned that exploits could be created based on the original findings.
It now appears that such exploits have been discovered by a team from Princeton University, in collaboration with Nvidia. Dubbed MeltdownPrime and SpectrePrime, the exploits are able to take advantage of modern processor designs that prioritise speed and efficiency over security.
In order for processors to be as efficient as possible, individual instructions are carried out based on what resources are available, rather than in a serial fashion. This means that a process isn't necessarily carried out in a step-by-step order, as this might leave parts of the chip idle while it waits for the first step to be finished.
In the event that a resource does become idle, modern processors are also built to perform speculative execution. For example, if the next instruction in line tries to access a memory resource using a read operation, it may take some time to determine whether it has permission to do so. To avoid a slowdown while that determination is made, the processor can speculatively execute the read instruction. The result is either discarded if permission is rejected, or used to provide a speed boost once it's accepted.
Meltdown and Spectre are referred to as side-channel attacks that exploit this processor architecture. Meltdown in effect breaks the mechanism that allows instructions to access the system memory at random, while Spectre tricks the processor into assigning instructions to predefined memory locations that a hacker can exploit.
"Rather than leveraging cache pollution during speculation, they exploit the ability of one core to invalidate an entry in another core's cache by speculatively requesting write permissions for that address," the paper explained.
In other words, the MeltdownPrime and SpectrePrime exploits are able to figure out what addresses were speculatively accessed by the processor. Once this happens, they can use an illegal process (without permission) as the basis for inducing a second legal process that's capable of leaking cached memory to the hackers, something that would otherwise be impossible to do.
The researchers managed to prove their concepts on an Apple MacBook using a 2.4GHz Intel Core i7 processor, although the machine was running a version of macOS High Sierra that predates Apple's Spectre patch, meaning it's not a zero-day attack.
The good news is that the researchers believe software patches addressing the original Meltdown and Spectre flaws will be enough to deal with the Prime variants; however, hardware manufacturers will need to tweak their designs going forward.
"We believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime," the researchers explained. "On the other hand, we believe that microarchitectural mitigation of our Prime variants will require new considerations."
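Since the researchers tie protection against the Prime variants to the existing Meltdown and Spectre software mitigations, one practical check is whether those mitigations are active on a host. The following is an added example, not code from the article or the paper, and it targets Linux rather than the macOS machine used in the research. It assumes the kernel's `/sys/devices/system/cpu/vulnerabilities` interface; the sample status strings are constructed, and the function names are illustrative.

```python
"""Added example: classify Linux sysfs CPU-vulnerability status strings."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Entries for the original flaws; per the researchers, software mitigations
# for these also cover MeltdownPrime and SpectrePrime.
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents, so the example runs on any machine.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

def classify(status):
    """Map one sysfs status line to 'ok', 'at-risk' or 'unknown'."""
    text = (status or "").strip()
    if text.startswith("Not affected"):
        return "ok"
    if text.startswith("Mitigation:"):
        # Conservative heuristic: a mitigation line can still carry a
        # caveat for one sub-feature (for example "...: Vulnerable").
        return "at-risk" if "vulnerable" in text.lower() else "ok"
    if text.startswith("Vulnerable"):
        return "at-risk"
    return "unknown"  # file missing (older kernel) or unrecognised wording

def read_sysfs(directory=SYSFS_DIR):
    """Read the live files; a missing file is recorded as None."""
    out = {}
    for name in ENTRIES:
        path = Path(directory) / name
        out[name] = path.read_text() if path.is_file() else None
    return out

def report(statuses):
    """Return {entry: verdict} for every entry in ENTRIES."""
    return {name: classify(statuses.get(name)) for name in ENTRIES}

def needs_attention(statuses):
    """Entries that are not confirmed mitigated or unaffected."""
    return sorted(n for n, v in report(statuses).items() if v != "ok")

if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(live.values()) else SAMPLE  # fall back off-Linux
    for name, verdict in report(source).items():
        print(f"{name:12} {verdict:8} {(source.get(name) or 'missing').strip()}")
```

An `unknown` verdict means the kernel does not expose the file, which usually indicates a kernel too old to report, or to include, these mitigations.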
The news of the discovery coincided with a move by Intel to up its bug bounty reward program from $100,000 to $250,000 for any security researcher who finds new side-channel vulnerabilities in its processors.