Collaborating Authors

Spectre Attacks

Communications of the ACM

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side-channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, such as operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems because vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. Although makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak. Computations performed by physical devices often leave observable side effects beyond the computation's nominal outputs. Side-channel attacks focus on exploiting these side effects to extract otherwise-unavailable secret information. Since their introduction in the late 90s,14 various physical effects such as power consumption have been leveraged to extract cryptographic keys as well as other secrets.13 External side-channel measurements can be used to extract secret information from complex devices such as PCs and mobile phones.

Spectre and Meltdown: Insecurity at the heart of modern CPU design


On 2 January 2018, news broke of a novel class of security flaws in modern processors. Known inside the chip and software industry since the middle of 2017, and deeply embedded in the fundamental design of the processors, the problems were reported by the Google Project Zero security research team -- one of several to discover the flaws -- to exist in some form in most Intel CPUs since 1995. Some AMD and ARM processors were also reported as affected, but a full list of which chips have what class of problem does not yet exist (the Raspberry Pi, however, is secure).

AMD Downplays CPU Threat Opening Chips to Data Leak Attacks


AMD is seeking to downplay side-channel attacks that can leak potentially sensitive data from its processors released between 2011 and 2019. The "Take A Way" attack, so-called by researchers with the Graz University of Technology in a new analysis this weekend, is a side-channel attack. Side-channel attacks extract sensitive information from signals created by electronic activity within computing devices as they carry out computation. There are an array of techniques to launch side-channel attacks, including using caches, branch predictors or analog signals. In this case, "Take A Way" leverages the way AMD stores memory, through the L1-data (L1D) which refers to the data cache and pools of memory that contain the leak-able data within CPUs.

How a researcher hacked his own computer and discovered Meltdown

The Japan Times

FRANKFURT – Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel Corp.

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks


AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new different side-channel attacks, according to a freshly published research. Known as "Take A Way," the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD's Bulldozer microarchitecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption. The research was published by a group of academics from the Graz University of Technology and Research Institute of Computer Science and Random Systems (IRISA), who responsibly disclosed the vulnerabilities to AMD back in August 2019. "We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way," AMD said in an advisory posted on its website over the weekend. "The researchers then pair this data path with known and mitigated software or speculative execution side-channel vulnerabilities. AMD believes these are not new speculation-based attacks."