
Spectre flaws continue to haunt Intel and AMD as researchers find fresh attack method

submitted by
Style Pass
2024-10-19 13:00:03

Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short.

Johannes Wikner and Kaveh Razavi of Swiss university ETH Zurich on Friday published details about a cross-process Spectre attack that derandomizes Address Space Layout Randomization and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.

Spectre refers to a set of attacks made possible because of the way processors conduct speculative execution - a performance optimization technique that involves making calculations in advance. The results can be used if needed, or otherwise discarded.

Branch prediction is a form of speculative execution, and modern processors use it to make guesses about the path a program will take. It's related to branch target prediction, which attempts to predict the target address of the next instruction to be executed in a given branch.

Spectre attacks try to make the branch predictor forward an incorrect prediction – such that when the processor executes the associated instructions, it accesses out-of-bounds memory that contains secrets like passwords or encryption keys. Subsequent operations on the memory area storing secrets may allow the attacker to infer those secrets by observing side-channels – such as CPU cache accesses and power fluctuations.
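The paragraphs above describe the mechanism in the abstract: a bounds check that is correct architecturally, but that the processor may speculatively skip, letting a load run with an out-of-bounds index before the branch resolves. The following C example is added here to make that concrete from the defender's side; it is not code from the article or from the ETH Zurich researchers. It shows the classic "bounds-check bypass" lookup pattern beside a hardened version that clamps the index with a branchless mask, in the style of the Linux kernel's generic `array_index_nospec()`. All names (`lookup_unsafe`, `lookup_hardened`, `index_mask_nospec`, `clamp_index`) and the table contents are constructed for the example.

```c
/* Added example, not from the original article.
 * Demonstrates a Spectre-v1-style lookup and a branchless index clamp
 * modelled on the Linux kernel's generic array_index_mask_nospec().
 * Requires GCC or Clang for the empty inline-asm compiler barrier. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16

/* Constructed lookup table; whatever happens to sit in memory after it is
 * what a speculative out-of-bounds load could touch. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Vulnerable pattern. Architecturally this never reads out of bounds, but
 * while the branch is still unresolved a mispredicting CPU may execute
 * table[idx] with an attacker-chosen idx and leave a cache footprint
 * (the "side channel" the text refers to). The function's returned
 * values are correct; the problem is only visible on the speculative path. */
uint8_t lookup_unsafe(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Returns all-ones when idx < size and zero otherwise, using arithmetic
 * only, so the result holds even when the surrounding branch was
 * mispredicted. Assumes size <= SIZE_MAX/2 + 1 (true for any real array).
 * For idx < size, both idx and (size - 1 - idx) have a clear top bit;
 * for idx >= size the subtraction wraps and sets it. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* Compiler barrier: after "if (idx < size)" the optimizer could prove
     * the mask is always all-ones and delete it. The kernel does the same
     * with OPTIMIZER_HIDE_VAR(). */
    __asm__ __volatile__("" : "+r"(idx));
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (oob ^ 1);
}

/* idx when idx < size, 0 otherwise; no branch involved. */
size_t clamp_index(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened pattern: even on a mispredicted path the index fed to the load
 * is forced into range, so no out-of-bounds line is pulled into cache. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx = clamp_index(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}
```

A functional test can only confirm that the hardened and unsafe versions return the same architectural results and that the mask behaves as intended; the difference lives entirely in what the CPU does before the branch resolves. The masking approach is preferred over inserting a serializing instruction (`lfence` on x86) after every bounds check because it costs a few ALU operations instead of draining the pipeline, which is also why the kernel adopted it.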
