IT experts believed they had developed adequate security patches after Specter’s 2018 major global flaw, but UVA’s discovery shows processors are once again open to hackers.
Charlottesville, Virginia, April 30, 2021 (GLOBE NEWSWIRE) – In 2018, researchers from industry and academia revealed a potentially devastating hardware flaw that left computers and other devices around the world vulnerable to attack.
The researchers named the vulnerability Spectrum because the flaw has been built into modern computer processors which derive their speed from a technique called “speculative execution”, in which the processor predicts which instructions it might end up executing and prepares by following the intended path to extract the instructions from. Memory. A Specter attack tricks the processor into executing instructions on the wrong path. Even if the processor recovers and performs its task properly, hackers can gain access to confidential data while the processor is heading in the wrong direction.
Since the discovery of Specter, the world’s most talented IT professionals from industry and academia have worked on software patches and hardware defenses, believing they have been able to protect the most vulnerable points in the process. speculative execution without slowing down computation speeds too much.
They will have to go back to the drawing board.
A team of computer scientists from the School of Engineering at the University of Virginia have discovered a line of attack that shatters all of Specter’s defenses, meaning billions of computers and other devices across the world are just as vulnerable today as they were when Specter was first announced. The team shared their discovery with international chipmakers in April and will present the new challenge at a global IT architecture conference in June.
The researchers, led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, have found a whole new way for hackers to exploit what is called a ‘micro-op cache’, which speeds up processing. computing by storing simple commands and allowing the processor to retrieve them quickly and early in the process of speculative execution. Micro-op caches are built into Intel computers manufactured since 2011.
The Venkat team discovered that hackers can steal data when a processor retrieves commands from the micro-op cache.
“Think of a hypothetical airport security scenario where TSA lets you in without verifying your boarding pass because (1) it’s fast and efficient, and (2) you’ll be verified for your boarding pass at the airport anyway. door, ”Venkat said. “A computer processor does something similar. He predicts that control will pass and could let instructions enter the pipeline. Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline, but it might be too late as these instructions could leave side effects waiting in the pipeline that an attacker could later exploit to infer secrets. such as a password. . “
Because all of the current Specter defenses protect the processor at a later stage of speculative execution, they are useless in the face of further attacks from the Venkat team. Two variations of the attacks discovered by the team can steal information that Intel and AMD processors have accessed speculatively.
“Intel’s suggested defense against Specter, which is called LFENCE, puts sensitive code in a hold until security checks are completed, and only then is the sensitive code left. allowed to run, ”Venkat said. “But it turns out that the walls of this waiting room have ears, which our attack exploits. We show how an attacker can pass secrets through the micro-op cache by using it as a secret channel. “
Venkat’s team includes three of its computer science graduate students, Ph.D. student Xida Ren, Ph.D. student Logan Moody, and masters recipient Matthew Jordan. The UVA team collaborated with Dean Tullsen, professor in the Department of Computer Science and Engineering at the University of California at San Diego, and his doctorate. student Mohammadkazem Taram to reverse engineer some undocumented features in Intel and AMD processors.
They detailed the results in their article: “I See Dead µops: Leaking Secrets via Intel / AMD Micro-Op Caches.”
This newly discovered vulnerability will be much more difficult to fix.
“In the case of previous Specter attacks, developers have come up with a relatively simple way to prevent any sort of attack without major performance penalties,” for IT, said Moody. “The difference with this attack is that you suffer a much higher performance penalty than previous attacks.”
“Patches that disable micro-op cache or stop speculative execution on legacy hardware would effectively reverse critical performance innovations in most modern Intel and AMD processors, and this is simply not feasible,” said Ren, the main student author.
“It’s really not clear how to fix this problem in a way that delivers high performance to existing hardware, but we have to make it work,” Venkat said. “Securing the micro-op cache is an interesting line of research that we are considering.”
The Venkat team disclosed the vulnerability to product security teams from Intel and AMD. Ren and Moody gave a tech talk at Intel Labs around the world on April 27 to discuss the impact and potential fixes. Venkat expects IT people in academia and industry to work together quickly, as they did with Specter, to find solutions.
The team’s paper has been accepted by the highly competitive International Symposium on Computing Architecture, or ISCA. ISCA’s annual conference is the premier forum for new ideas and research findings in computer architecture and will be held virtually in June.
Venkat is also working closely with the Intel Labs processor architecture team on other microarchitectural innovations, through the National Science Foundation / Intel partnership on the basic research program in microarchitecture.
Venkat was well prepared to lead the UVA research team in this discovery. He has forged a long-standing partnership with Intel that began in 2012 when he did an internship with the company while a computer science student at the University of California, San Diego.
This research, like other projects led by Venkat, is funded by the National Science Foundation and the Defense Advanced Research Projects Agency.
Venkat is also one of the university researchers who co-authored an article with UC San Diego collaborators Mohammadkazem Taram and Tullsen who introduce a more targeted microcode-based defense against Specter. Context Sensitive Fence, as it’s called, allows the processor to patch running code with speculation fences on the fly.
Introducing one of the few more focused microcode-based defenses developed to stop Specter in its tracks, “Context sensitive closure: securing speculative execution through microcode customization ” was published at the ACM International Conference on Architectural Support for Programming Languages and Operating Systems in April 2019. The paper was also selected as the first choice among all conference papers on computer architecture, IT security and VLSI design published during the six-year period between 2014 and 2019.
Venkat’s team of new Specter variants even discovered breaking the context-sensitive closure mechanism described in Venkat’s award-winning article. But in this type of research, breaking your own defense is just another big victory. Each improvement in security allows researchers to dig even deeper into the hardware and discover more vulnerabilities, which is exactly what the Venkat research group did.
About UVA Engineering: Part of the top ranked and comprehensive University of Virginia, UVA Engineering is one of the oldest and most respected engineering schools in the country. Our mission is to make the world a better place by creating and disseminating knowledge and preparing future leaders in engineering. Outstanding students and faculty around the world choose UVA engineering because of our growing and internationally recognized education and research programs. The AVU is the first public engineering school in the country for the percentage of female graduates, among schools with at least 75 graduates; the first public engineering school in the United States for undergraduate four-year graduation rate; and the best public engineering school in the country for doctorate rate. growth in registrations since 2015. Learn more about engineering.virginia.edu.
# # #
CONTACT: Ashish Venkat William Wulf Career Enhancement Assistant Professor of Computer Science at University of Virginia School of Engineering 858-436-6414 [email protected] Elizabeth Thiel Mather Executive Director of Communications, UVA Engineering 757-319-3664 [email protected]