Spectre vulnerabilities cannot be mitigated by software alone
Researchers found that one variant of the critical data-leaking flaw "defeats everything we can think of"


A team of Google researchers has demonstrated that the Spectre vulnerabilities present in many of today's processors cannot be completely mitigated by applying software fixes, as has been assumed.
Variants of the Spectre flaw discovered last year, which involves information leaking via 'speculative execution', where the processor performs operations early to speed up computation, are not just software glitches but lie in the foundations of the hardware.
In their paper titled 'Spectre is here to stay: An analysis of side-channels and speculative execution', the researchers concluded that Spectre fundamentally defeats an important layer of software security.
As part of the process, the researchers built a universal read gadget that destroys the idea of language-enforced confidentiality when deployed, which could allow an attacker, for instance, to read all the memory in the same address space.
"We now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations," the researchers wrote, "as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.
"Computer systems have become massively complex in pursuit of the seemingly number-one goal of performance. We've been extraordinarily successful at making them faster and more powerful, but also more complicated, facilitated by our many ways of creating abstractions.
"Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn't know it," they added. "It is now a painful irony that today, defence requires even more complexity with software mitigations, most of which we know to be incomplete."
One of the major challenges identified was mitigating the vulnerabilities presented by the Spectre flaw, with the researchers learning that the four variants analysed bypassed normal safety checks and the assumption of language type safety.
Variant 4, for example, dubbed speculative aliasing confusion, "defeats everything we can think of". The researchers explored more prospective mitigations for this attack than for any other but found "it proved to be more pervasive and dangerous than we anticipated".
The Spectre and Meltdown attacks are the names given to variants of the same processor vulnerability discovered last year, which involves a malicious program gaining access to data normally protected by the kernel. The kernel on a computer chip moves data around the various sections of memory in response to the functions a user is carrying out.
Either, or both, vulnerabilities have affected more or less all chips from the major manufacturers built in the last couple of decades, with CPUs from not just Intel but also ARM and AMD vulnerable to exploitation.
Unlike Meltdown attacks, which 'melt' the boundaries set in place at a chip's hardware level that should in theory protect sections of memory, Spectre attacks are more targeted and require knowledge of the victim's systems. They have always been harder to exploit, but also harder to mitigate.
"It was always apparent that the Spectre vulnerabilities were not easily fixable," Kaspersky's principal security researcher David Emm told IT Pro. "Spectre opened new ways of exploitation that might affect different software in the months and years to come.
"Most of the patches that were released in the wake of Spectre and Meltdown minimised the surface of the attack but did not eradicate it completely. This is likely to continue to be the case."

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.