Spectre Returns

By now, most people have heard about Spectre, a security vulnerability present in just about all modern-day processors, including those from AMD and Intel. If you wish to understand this vulnerability in more detail, you can do so at https://spectreattack.com/spectre.pdf.

But these vulnerabilities have been fixed, right? Well, yes, there are indeed OS, browser, and firmware updates that patch Spectre. That’s good, but keep in mind that these patches also come with a significant performance cost. Modern CPUs use a technique known as speculative execution to “speed things up”: rather than waiting for a branch condition or a slow memory load to resolve, the CPU guesses the outcome and executes the instructions down the predicted path ahead of time, discarding the results if the guess turns out to be wrong. It is this functionality that Spectre exploits, as follows:

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs that follow best practices into leaking their secrets. In fact, the safety checks those best practices call for actually increase the attack surface and may make applications more susceptible to Spectre.
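To make concrete what "safety checks that increase the attack surface" means, here is an added C example (it is not from this post, from Aleph Security, or from the Spectre paper) showing the shape of the pattern: a bounds-checked array read, next to the same read hardened with a branch-free index mask in the style of the Linux kernel's array_index_nospec(). The sample array, the function names and the values are constructed for illustration; the example shows the architectural behaviour of both versions and the mask arithmetic, not the cache-timing measurement an attacker would need.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (an assumption for this example, not from the
   post): a small array that a caller is allowed to read by index. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = {
    7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67
};

/* The "best practice" version: a bounds check guards every access.
   Architecturally this is correct; an out-of-range idx never touches
   memory past public_data. The weak point is the branch itself: if it has
   been trained to predict "in range", the CPU may speculatively run the
   load with an out-of-range idx before the comparison resolves. The result
   is discarded, but the cache footprint of that transient load is what a
   Spectre attacker measures. */
uint8_t read_checked(size_t idx, size_t size)
{
    if (idx < size) {
        return public_data[idx];
    }
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise. Same idea as
   the Linux kernel's array_index_mask_nospec(), written here with unsigned
   arithmetic only so it is fully defined in portable C. Because the mask is
   computed with arithmetic rather than a branch, there is nothing for the
   branch predictor to guess, and the mask is valid even during speculation. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* (size - 1 - idx) wraps to a huge value exactly when idx >= size, so
       the top bit of the OR is 1 iff idx is out of range (or size == 0). */
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;  /* 0 - 1 wraps to all ones; 1 - 1 is zero */
}

/* Hardened version: keep the bounds check, but clamp the index with the mask
   inside the guarded region. If the branch mispredicts and the load runs
   speculatively with a bad idx, the mask forces it to index 0, so the
   transient access stays inside public_data and reveals nothing about
   memory beyond it. */
uint8_t read_hardened(size_t idx, size_t size)
{
    if (idx < size) {
        idx &= index_mask_nospec(idx, size);
        return public_data[idx];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 5, 15, 16, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu checked=%u hardened=%u mask=%#zx\n",
               probes[i],
               read_checked(probes[i], PUBLIC_LEN),
               read_hardened(probes[i], PUBLIC_LEN),
               index_mask_nospec(probes[i], PUBLIC_LEN));
    }
    return 0;
}
```

Both functions return identical results for every index, which is exactly why the vulnerable form passes ordinary testing: the difference only exists in what the CPU does transiently on a mispredicted branch, and that is the part a functional test never sees. The mask is computed inside the guarded region on purpose, so it is applied on the speculative path and not only on the architectural one.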

As of June 26th, Spectre has returned. Researchers Noam Hadad and Jonathan Afek of Aleph Security have developed a PoC that sidesteps the Spectre patch in the Google Chrome browser. Their PoC allowed the researchers to:

  1. Read speculatively accessed memory in Chrome at around 1 bit per second.
  2. Read accessed memory in Edge (not speculatively accessed) at around 1 bit per second.
  3. Read accessed memory in Safari (not speculatively accessed) at around 1 bit per second.

The bottom line is that the initial fixes for Spectre are performance-damaging and perhaps not as effective as once thought. A determined (perhaps state-run) attacker could theoretically take Aleph Security’s PoC and turn it into an exploit capable of low-rate data exfiltration. So what? The most recent advice from security researchers is to apply Spectre patches only on systems that absolutely must have them, or to consider reverting those patches altogether. There have even been cases where legitimate JavaScript web app functionality has broken after Spectre patches were applied.