Spectre vulnerabilities cannot be mitigated by software alone
Researchers found that one variant of the critical data-leaking flaw "defeats everything we can think of"
A team of Google researchers has demonstrated that the Spectre vulnerabilities present in many of today's processors cannot be completely mitigated by applying software fixes, as had been assumed.
Variants of the Spectre flaw discovered last year, which involve information leaking via 'speculative execution' (operations a processor performs early, before it knows they are needed, to speed up computation), are not just software glitches but lie in the foundations of the hardware.
In their paper titled 'Spectre is here to stay: An analysis of side-channels and speculative execution', the researchers concluded that Spectre fundamentally defeats an important layer of software security.
As part of the process, the researchers built a 'universal read gadget' which, once deployed, destroys the idea of language-enforced confidentiality and could allow an attacker, for instance, to read all the memory in the same address space.
"We now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations," the researchers wrote, "as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.
"Computer systems have become massively complex in pursuit of the seemingly number-one goal of performance. We've been extraordinarily successful at making them faster and more powerful, but also more complicated, facilitated by our many ways of creating abstractions.
"Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn't know it," they added. "It is now a painful irony that today, defence requires even more complexity with software mitigations, most of which we know to be incomplete."
One of the major challenges identified was mitigating the vulnerabilities presented by the Spectre flaw, with the researchers finding that all four variants analysed bypassed normal safety checks and undermined the assumption of language type safety.
Variant 4, for example, dubbed speculative aliasing confusion, "defeats everything we can think of". The researchers explored more prospective mitigations for this attack than for any other, but found that "it proved to be more pervasive and dangerous than we anticipated".
Spectre and Meltdown are the names given to variants of the same processor vulnerability discovered last year, which involves a malicious program gaining access to data normally protected by a kernel. This kernel on a computer chip moves data around the various sections of memory in response to the functions a user is carrying out.
Either, or both, vulnerabilities have affected more or less all chips from the major manufacturers built in the last couple of decades, with CPUs from not just Intel but also ARM and AMD vulnerable to exploitation.
Unlike Meltdown attacks, which 'melt' the boundaries set in place at a chip's hardware level that should in theory protect sections of memory, Spectre attacks are more targeted and require knowledge of the victim's system. They have always been harder to exploit, but also harder to mitigate.
"It was always apparent that the Spectre vulnerabilities were not easily fixable," Kaspersky's principal security researcher David Emm told IT Pro. "Spectre opened new ways of exploitation that might affect different software in the months and years to come.
"Most of the patches that were released in the wake of Spectre and Meltdown minimised the surface of the attack but did not eradicate it completely. This is likely to continue to be the case."

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.