Researchers find new ways to exploit Meltdown and Spectre flaws in chips

News by Rene Millman

MeltdownPrime and SpectrePrime could trick systems into leaking data.

Security researchers have found new ways to exploit the Meltdown and Spectre vulnerabilities that have plagued modern CPUs.

According to a research paper authored by Princeton University and Nvidia researchers, titled “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols”, more complex methods have been discovered that use the vulnerabilities to exfiltrate sensitive user information on a system.

MeltdownPrime and SpectrePrime use two techniques called Prime+Probe and Flush+Reload to conduct side-channel attacks or take advantage of hardware related to a system's security. The side-channel attacks are cache-based and rely on the timing of cache activity to collect information, according to the report.

"By exploiting cache invalidations, MeltdownPrime and SpectrePrime - two variants of Meltdown and Spectre, respectively - can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel," said researchers. 

They added that by leveraging software dependencies from victim memory accesses to attacker memory accesses, “the attacker can increase the scope of addresses on which traditional Flush+Reload attacks can be performed to include any memory location (rather than only shared memory).”

As a proof of concept, researchers implemented SpectrePrime as a C program and ran it on Intel x86 hardware, showing that it achieves the same average accuracy as Spectre on the same hardware—97.9 percent for Spectre and 99.95 percent for SpectrePrime over the course of 100 runs.

Researchers said that while the software fix for SpectrePrime and MeltdownPrime is largely the same as those for Spectre and Meltdown, “these attacks bring to light new considerations when it comes to microarchitectural mitigation.”

“Rather than leveraging cache pollution during speculation, they exploit the ability of one core to invalidate an entry in another core's cache by speculatively requesting write permissions for that address,” said researchers.
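The mechanism the researchers describe can be followed in a toy model of an invalidation-based coherence protocol. This is an added example, not code from the paper or the article: it touches no real hardware or timing, and the class names, addresses and the `rfo_at_commit_only` knob are assumptions made up for illustration. It shows that discarding a speculative store's result does not undo the invalidation it caused in another core's cache.

```python
# Toy model of an invalidation-based coherence protocol (simplified MSI).
# Illustrative only: no real hardware or timing, all names are hypothetical.

class Core:
    def __init__(self):
        self.cache = {}                 # line address -> "S" (shared) or "M" (modified)

class System:
    def __init__(self, n_cores, rfo_at_commit_only=False):
        self.cores = [Core() for _ in range(n_cores)]
        self.memory = {}                # architectural state
        # Hypothetical mitigation knob: hold write-permission requests until commit.
        self.rfo_at_commit_only = rfo_at_commit_only

    def read(self, cid, addr):
        """Load a line; return True on a hit (fast), False on a miss (slow)."""
        me = self.cores[cid]
        if addr in me.cache:
            return True
        for other in self.cores:
            if other is not me and other.cache.get(addr) == "M":
                other.cache[addr] = "S"     # previous owner is downgraded
        me.cache[addr] = "S"
        return False

    def write(self, cid, addr, value, squashed=False):
        """Store; the write-permission request invalidates every other copy."""
        if squashed and self.rfo_at_commit_only:
            return                          # never committed, so no request is sent
        for i, other in enumerate(self.cores):
            if i != cid:
                other.cache.pop(addr, None) # invalidation message
        self.cores[cid].cache[addr] = "M"
        if not squashed:
            self.memory[addr] = value       # only committed stores change memory

def observe(secret, rfo_at_commit_only=False, lines=16):
    """Return (line indices core 0 sees as misses, architectural memory)."""
    system = System(2, rfo_at_commit_only)
    probe = [0x1000 + 64 * i for i in range(lines)]     # constructed addresses
    for addr in probe:
        system.read(0, addr)                # core 0 holds every line
    system.write(1, probe[secret], 0, squashed=True)    # core 1: squashed store
    missed = [i for i, addr in enumerate(probe) if not system.read(0, addr)]
    return missed, system.memory
```

In the model, memory stays empty in both cases; only the cache state of the other core differs, which is the microarchitectural effect the quote refers to.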

Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that this new attack vector is extremely similar to the original exploit proof-of-concept that was developed. “The analogy here is that criminals have found a new way to break in to your front door by picking the lock in a slightly different way. The advice remains the same; ensure that you have patched against the Meltdown and Spectre vulnerabilities to mitigate against these threats, as the attack vector here does not change the landscape of the attack,” he said.

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that it's likely that attackers will use the new variants in pretty much the same way – to get access to critical information. “While the new method takes a different approach towards exploiting the CPU design flaws, the end result is the same, which is leaking victim memory that may contain sensitive data,” he said.

“Applying the latest Spectre and Meltdown security patches allegedly addresses the new variants, according to researchers. However, addressing the CPU design flaw may require more work from chip manufacturers, currently leaving organisations with few options other than applying current patches.”

Javvad Malik, security advocate at AlienVault, told SC Media UK that most organisations need not focus too much on individual specific attacks, but have a broad security strategy in place that ensures critical assets are identified and managed with more rigor. “Comprehensive threat detection controls should be updated continually with reliable threat intelligence, so as to be able to spot new attacks. Finally, companies should have a response and recovery plan in place to be able to take the appropriate steps to contain any breach, while maintaining business functionality,” he said.
