Fourth Spectre-style Intel chip flaw revealed: speed vs security trade-off

News by Mark Mayne

New Spectre-style vulnerability affecting Intel chips uncovered by bug bounty programme: Intel has confirmed a fourth speculative-execution flaw, designated Variant 4, that could expose data through a side channel.

Intel has confirmed a new vulnerability, designated Variant 4 (and described by Intel as a speculative store bypass), that abuses speculative execution, a performance feature common to most modern processor architectures, to potentially expose data through a side channel.

The disclosure was made jointly by Google Project Zero (GPZ) and the Microsoft Security Response Center (MSRC), and follows the disclosure in January of similar speculative-execution side-channel analysis methods, dubbed Spectre.

The new vulnerability is not thought to be in active use yet, but would theoretically work in a “language-based runtime environment… the most common use of runtimes, like JavaScript, is in web browsers…”, Intel stated.

On a brighter note, the work the industry has already done to mitigate Spectre-style side-channel vulnerabilities should carry over to Variant 4 as well.

“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates”, wrote Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, in a blog post.

Intel also stated that the additional mitigation would ship switched off by default and, when enabled, would carry a performance impact of between two and eight per cent.
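Because the microcode-level mitigation is off by default, the practical question for an administrator is whether a given host has it active at all. The script below is an added example, not from the article or from Intel: on Linux the kernel reports the Variant 4 state in the sysfs file /sys/devices/system/cpu/vulnerabilities/spec_store_bypass (a kernel interface that exists, but which the article does not mention), and the status strings matched in classify_ssb are the ones the kernel writes there; the verdict names, the exit codes and the --check flag are this example's own conventions.

```shell
#!/bin/sh
# Added example: report whether the Variant 4 / Speculative Store Bypass
# mitigation is active on a Linux host. The sysfs path and the status strings
# are the kernel's; the verdict labels and exit codes are our own convention.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb STATUS: map one kernel status line to a short verdict.
#   not-affected      CPU does not need the mitigation
#   vulnerable        mitigation absent (no microcode/kernel support, or disabled)
#   mitigated-global  store-bypass disable forced on for every process
#   mitigated-opt-in  only processes that ask via prctl/seccomp are protected,
#                     i.e. the default-off behaviour the article describes
#   unknown           any other string
classify_ssb() {
    case "$1" in
        "Not affected")                                              echo not-affected ;;
        "Vulnerable")                                                echo vulnerable ;;
        "Mitigation: Speculative Store Bypass disabled")             echo mitigated-global ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*)  echo mitigated-opt-in ;;
        *)                                                           echo unknown ;;
    esac
}

# verdict_rc VERDICT: exit status for fleet checks
#   0 = acceptable, 1 = needs attention, 2 = could not determine
verdict_rc() {
    case "$1" in
        not-affected|mitigated-global) return 0 ;;
        vulnerable|mitigated-opt-in)   return 1 ;;
        *)                             return 2 ;;
    esac
}

# check_host: read the live sysfs file, print "verdict: raw status",
# and return the verdict_rc code.
check_host() {
    if [ ! -r "$SSB_SYSFS" ]; then
        echo "unknown: $SSB_SYSFS not present (kernel without Variant 4 reporting, or not Linux)"
        return 2
    fi
    status=$(cat "$SSB_SYSFS")
    verdict=$(classify_ssb "$status")
    echo "$verdict: $status"
    verdict_rc "$verdict"
}

# Only touch the live system when invoked with --check, so the functions
# can also be sourced from another script or a test harness.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh ssb_check.sh --check`; a non-zero exit means the host is either reporting itself vulnerable or is relying on per-process opt-in, which matches the "default off" posture described above and is the case most fleets will see until the mitigation is turned on explicitly.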

Renaud Deraison, CTO and co-founder of Tenable, commented: "We as an industry have trained people to expect speed. The speed of the chips inside our personal computers, our tablets and our phones is critical to their performance -- everybody knows that. In this case, the vulnerabilities take advantage of the very features that make them fast. Intel optimised for performance and later learned they were facing a trade-off between security and performance. The vast majority of people would choose speed over security, too."

Niall Sheffield, lead solution engineer at SentinelOne, said that visibility and awareness will continue to be critical for enterprises: “This latest batch of disclosures is the latest in a long line of vulnerabilities being acknowledged by depended-on technology providers. What organisations need to do is to implement technology that allows for the ability to monitor what all of the technology in their estate is doing, in order to ensure that when attacks are designed to exploit these vulnerabilities, they are keeping their own watchful eye, not just listening to what the technology provider is saying they are secure against.”

In an email to SC Media UK, Joseph Carson, chief security scientist at Thycotic, agreed, observing: "No surprises here, once a major vulnerability is found the world's cyber-security researchers will zoom in to find other possible variations and as expected we are starting to learn about more Meltdown and Spectre chip-level security flaws. This particular variant exploits the Speculative Store Bypass attack commonly used in “language-based runtime environments” used in web browsers, for example JavaScript. Currently there is no permanent solution for these flaws (a nice way to avoid saying major security vulnerability) and everything we have seen so far is turn it off and accept reduced performance.

"It is a bit like a car manufacturer telling you to ‘remember that car we sold you? Well the locks don't really work so to keep it from being stolen you can no longer drive it at 70 mph but now it is limited to 50 mph. Sorry you can't have fast performance and security at the same time so you must choose only one’.

"Spectre/Meltdown will absolutely impact performance of systems especially critical systems that are already running at near or full resource capacity. Organisations must again decide what is the greater risk, system downtime and business performance impact or the risk of a cyber-attack that exposes sensitive data or full access to the corporate network. The crucial decision is to patch or not to patch and that is indeed the question.”

Intel launched a Bug Bounty Programme with HackerOne in March 2017 to help uncover new vulnerabilities, with a specific programme focused on side-channel vulnerabilities running until 31 December 2018 and awarding up to US$250,000 (£186,000) per disclosure.
