MeltdownPrime and SpectrePrime could trick systems into leaking data. Security researchers have found new ways to exploit the Meltdown and Spectre vulnerabilities that have plagued modern CPUs.

According to a research paper authored by Princeton University and Nvidia researchers, titled “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols”, more complex methods have been discovered that use the vulnerabilities to exfiltrate sensitive user information from a system.

MeltdownPrime and SpectrePrime use two cache-timing techniques, Prime+Probe and Flush+Reload, to mount side-channel attacks against a system's hardware. These side-channel attacks are cache-based: they rely on the timing of cache activity to collect information, according to the report.

"By exploiting cache invalidations, MeltdownPrime and SpectrePrime - two variants of Meltdown and Spectre, respectively - can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel," said researchers.

They added that by leveraging software dependencies from victim memory accesses to attacker memory accesses, “the attacker can increase the scope of addresses on which traditional Flush+Reload attacks can be performed to include any memory location (rather than only shared memory).”

As a proof of concept, researchers implemented SpectrePrime as a C program and ran it on Intel x86 hardware, showing that it achieves the same average accuracy as Spectre on the same hardware—97.9 percent for Spectre and 99.95 percent for SpectrePrime over the course of 100 runs.

Researchers said that while the software fix for SpectrePrime and MeltdownPrime is largely the same as those for Spectre and Meltdown, “these attacks bring to light new considerations when it comes to microarchitectural mitigation.”

“Rather than leveraging cache pollution during speculation, they exploit the ability of one core to invalidate an entry in another core's cache by speculatively requesting write permissions for that address,” said researchers.

