Boztek

New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors

Recent research conducted by ETH Zürich has revealed that modern AMD and Intel processors remain vulnerable to speculative execution attacks more than six years after the initial disclosure of the Spectre flaw. The new study, led by researchers Johannes Wikner and Kaveh Razavi, highlights the potential for these attacks to undermine the Indirect Branch Predictor Barrier (IBPB), a key mitigation strategy against these types of vulnerabilities.

Speculative execution allows CPUs to optimize performance by predicting program branches and executing instructions out of order. When a prediction is incorrect, the speculatively executed instructions, known as transient instructions, are discarded. Even so, these transient instructions can still load sensitive data into the processor cache, leaving that data exposed to malicious access.

IBPB is an indirect branch control mechanism designed to prevent software that ran earlier from manipulating the predicted targets of later indirect branches on the same logical processor. This function is critical as it helps mitigate vulnerabilities like Branch Target Injection (BTI), which is part of the broader Spectre v2 attack category. A “disclosure gadget” refers to an attacker’s ability to access sensitive data that would typically remain architecturally concealed, enabling data exfiltration through covert channels.

The ETH Zürich research has identified a microcode bug within Intel’s microarchitectures, specifically in the Golden Cove and Raptor Cove designs, which can be exploited to bypass IBPB protections. This exploitation has been characterized as the first practical “end-to-end cross-process Spectre leak.” The researchers found that the flaw leaves residual branch predictions that can still be used after an IBPB is issued, allowing attackers to breach the security boundaries enforced by process contexts and virtual machines.

Additionally, the research revealed that AMD’s implementation of IBPB can also be circumvented. The variant discovered in AMD processors, specifically Zen 1(+) and Zen 2, similarly allows attackers to leak privileged memory, using a technique called Post-Barrier Inception (PB-Inception). Intel has released a microcode patch for its flaw, which is tracked as CVE-2023-38575 with a CVSS score of 5.5. AMD is tracking its issue as CVE-2022-23824, first disclosed in November 2022.

In light of these vulnerabilities, the researchers recommend that users ensure their Intel microcode is current and that AMD users apply the necessary kernel updates to protect against potential attacks. This announcement follows ETH Zürich’s earlier disclosures regarding new RowHammer attack techniques, particularly ZenHammer and SpyHammer, which leverage similar principles to undermine system security.

RowHammer attacks exploit vulnerabilities in DRAM to induce bit errors, which are sensitive to temperature variations. The researchers noted that an attacker could infer DRAM temperature with high accuracy, revealing insights about system utilization and, potentially, users’ habits within their homes. SpyHammer is particularly concerning as it can assess critical system temperatures without needing prior modifications or insider knowledge of the victim system.

The implications of these findings underscore an ongoing challenge in combating speculative execution and RowHammer vulnerabilities in modern hardware. As technology advances and processors continue to scale, the risks associated with such security flaws are exacerbated, necessitating robust defenses against existing and emerging threats. Until such defenses are fully developed and implemented, these vulnerabilities pose significant risks to the privacy and security of computing systems.
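To act on the researchers' recommendation above (current Intel microcode, kernel updates on AMD), an administrator on Linux can check whether the kernel is issuing IBPB at all and which microcode revision is loaded. The script below is an added example, not code from the ETH Zürich researchers or the vendors; the function names are its own, it reads the kernel's `spectre_v2` sysfs status line and `/proc/cpuinfo`, and it falls back to constructed sample input when those files are missing. It does not know the fixed microcode revision, which the article does not give, so compare the reported value against the vendor advisory.

```shell
#!/bin/sh
# Added example: report IBPB usage and the loaded microcode revision (Linux x86).

# ibpb_state "<text of /sys/devices/system/cpu/vulnerabilities/spectre_v2>"
# Prints always-on, conditional, disabled, or absent (kernel reports no IBPB field).
ibpb_state() {
    case "$1" in
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo absent ;;
    esac
}

# microcode_rev "<text of /proc/cpuinfo>"
# Prints the first "microcode" value, or nothing if the field is missing.
microcode_rev() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }'
}

# ibpb_report <spectre_v2 text> <cpuinfo text>
# Prints a one-line summary; returns non-zero when the kernel is not using IBPB.
ibpb_report() {
    state=$(ibpb_state "$1")
    rev=$(microcode_rev "$2")
    echo "IBPB=$state microcode=${rev:-unknown}"
    [ "$state" = always-on ] || [ "$state" = conditional ]
}

V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$V2" ] && [ -r /proc/cpuinfo ]; then
    ibpb_report "$(cat "$V2")" "$(cat /proc/cpuinfo)" \
        || echo "WARNING: kernel is not issuing IBPB on this system"
else
    # Constructed sample input, not captured from a real machine.
    ibpb_report "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling" \
        "$(printf 'vendor_id\t: GenuineIntel\nmicrocode\t: 0x00000000\n')" \
        || echo "WARNING: kernel is not issuing IBPB on this system"
fi
```

A result of `conditional` or `always-on` only shows that the kernel uses the barrier; whether the barrier itself is sound depends on the microcode and kernel fixes described above.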