Spectre vulnerabilities cannot be mitigated by software alone


A team of Google researchers has shown that the Spectre vulnerabilities present in many of today's processors cannot be completely mitigated by software fixes alone, contrary to what had widely been assumed.

The variants of the Spectre flaw disclosed last year, which leak information through 'speculative execution', a processor's practice of running instructions before it knows whether they are needed in order to speed up computation, are not software bugs but stem from the design of the hardware itself.

In their paper titled 'Spectre is here to stay: An analysis of side-channels and speculative execution', the researchers concluded that Spectre fundamentally defeats an important layer of software security.

As part of that analysis, the researchers constructed a 'universal read gadget': untrusted code that, once it is running inside a process, can read any memory in the same address space through side channels. That destroys the idea that a language or runtime can enforce confidentiality between pieces of code sharing a process.

"We now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations," the researchers wrote, "as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

"Computer systems have become massively complex in pursuit of the seemingly number-one goal of performance. We've been extraordinarily successful at making them faster and more powerful, but also more complicated, facilitated by our many ways of creating abstractions.

"Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn't know it," they added. "It is now a painful irony that today, defence requires even more complexity with software mitigations, most of which we know to be incomplete."

Mitigating the vulnerabilities was identified as one of the major challenges: the four variants the researchers analysed all bypass the normal safety checks that software relies on, and with them the assumption that a type-safe language keeps one piece of code from reading another's data.

Variant 4, for example, which the paper calls speculative aliasing confusion and which is better known as speculative store bypass, "defeats everything we can think of". The researchers explored more prospective mitigations for it than for any other variant, but found that "it proved to be more pervasive and dangerous than we anticipated".
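To make concrete what "bypassing a safety check" means here, the following C program, written for this article as an added example and not taken from the paper, shows the shape of the best-known variant, the variant-1 bounds-check-bypass gadget, beside the branchless index clamp that the Linux kernel uses against it (array_index_nospec). The memory layout, the function names and the 'SECRET-KEY-MATERIAL' string are constructed for the demonstration; the cache-timing side channel itself (flushing and timing the probe buffer) is deliberately left out because its result depends on the CPU and is not reproducible in a test, so the program demonstrates what index and what byte the speculative load reaches, not the leak itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (not from the paper): a 16-byte public array directly
 * followed by data that a correct bounds check should make unreachable. */
#define PUBLIC_LEN 16
static struct {
    uint8_t public_data[PUBLIC_LEN];
    char    secret[32];
} mem = { "0123456789abcde", "SECRET-KEY-MATERIAL" };

/* Stand-in for the cache side channel: 256 buckets, one per possible byte
 * value, a cache line apart. A real attacker flushes these, runs the victim,
 * then times each bucket to find the one the speculative access pulled in. */
static uint8_t probe[256 * 64];

/* The byte the processor loads if the gadget body runs with idx, which under
 * misspeculation may be >= PUBLIC_LEN. Indexing the enclosing struct keeps
 * this read in bounds for the demonstration. */
uint8_t byte_reached(size_t idx)
{
    return ((const uint8_t *)&mem)[idx];
}

/* Vulnerable Spectre variant-1 gadget. Architecturally the check holds and
 * out-of-bounds calls return 0. Speculatively, once the branch predictor has
 * been trained on in-bounds indices, the body can execute with an
 * out-of-bounds idx, load a secret byte and touch probe[] at a
 * secret-dependent offset before the misprediction is detected. The CPU
 * discards the result but not the cache state. */
uint8_t victim_vulnerable(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        uint8_t v = mem.public_data[idx];
        return probe[(size_t)v * 64];
    }
    return 0;
}

/* Branchless clamp in the style of the kernel's array_index_nospec(): all
 * ones when idx < len, zero otherwise, using arithmetic only so there is no
 * branch for the predictor to mispredict. Assumes len < SIZE_MAX / 2. */
size_t index_mask_nospec(size_t idx, size_t len)
{
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1); /* 1 iff idx >= len */
    return (size_t)0 - (oob ^ 1);
}

/* Index the gadget uses even on a mispredicted path: unchanged in bounds,
 * forced to 0 otherwise, so the speculative load stays inside public_data. */
size_t clamped_index(size_t idx)
{
    return idx & index_mask_nospec(idx, PUBLIC_LEN);
}

uint8_t victim_hardened(size_t idx)
{
    if (idx < PUBLIC_LEN) {
#if defined(__GNUC__)
        /* Stop the compiler from deleting the mask because it "knows" idx is
         * in bounds here; it does not reason about speculative values. */
        __asm__ __volatile__("" : "+r"(idx));
#endif
        uint8_t v = mem.public_data[clamped_index(idx)];
        return probe[(size_t)v * 64];
    }
    return 0;
}

int main(void)
{
    size_t oob = PUBLIC_LEN;   /* first byte past the public array */
    printf("architectural result for idx=%zu: vulnerable=%u hardened=%u\n",
           oob, victim_vulnerable(oob), victim_hardened(oob));
    printf("byte a misspeculated load would reach: '%c'\n", byte_reached(oob));
    printf("index after clamp: %zu -> '%c'\n",
           clamped_index(oob), byte_reached(clamped_index(oob)));
    return 0;
}
```

Both versions return 0 for an out-of-bounds index when run normally, which is exactly why the bug is invisible to ordinary testing; the difference is only in what a mispredicted path can reach. Note what the clamp does not do: it only addresses variant 1's bounds-check bypass, and does nothing against variant 4's store-to-load aliasing, which is the point the researchers make when they call software mitigations incomplete.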

Spectre and Meltdown are the names given to two related classes of processor vulnerability disclosed last year. Both let a malicious program learn data it is not allowed to read by exploiting speculative execution: the processor runs instructions ahead of time, discards their results if they turn out to be unnecessary, but leaves traces in structures such as the cache that an attacker can measure. In Meltdown's case the data is kernel memory, which the operating system keeps isolated from ordinary programs.

One or both of the vulnerabilities affect more or less every processor from the major manufacturers built in the last couple of decades, with CPUs not just from Intel but also from ARM and AMD open to exploitation.

Whereas Meltdown 'melts' the boundaries that a chip's hardware is meant to enforce between sections of memory, Spectre attacks are more targeted and require knowledge of the victim's software. They have always been harder to exploit, but also harder to mitigate.

"It was always apparent that the Spectre vulnerabilities were not easily fixable," Kaspersky's principal security researcher David Emm told IT Pro. "Spectre opened new ways of exploitation that might affect different software in the months and years to come.

"Most of the patches that were released in the wake of Spectre and Meltdown minimised the surface of the attack but did not eradicate it completely. This is likely to continue to be the case."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.