The Spectre vulnerability on CPUs was first discovered in 2018 and affected almost all devices. Spectre is a bug that appeared on a performance-enhancing feature on modern CPUs called branch prediction. With the Spectre bug, it is possible to manipulate branch prediction to reveal sensitive data on the CPU cache to attackers.
Hardware-level fixes were not enough
Spectre was one of the biggest security incidents in 2018. Most of the CPUs affected by Spectre have been patched by software mitigations with the cost of performance. Intel also had to take further steps to fix the issue by making changes in the hardware level in its future products.
The researchers of VUSec have recently found new vulnerabilities that are based on Spectre v2. It is called Branch History Injection (BHI) and it allows extracting sensitive data such as security keys. This process is done by using BHI to trigger speculative execution features. VUSec states that speculative execution controls were not locked in Intel CPUs despite the other hardware mitigations done, most likely because of performance, thus competition. Researchers of VUSec summarizes the new vulnerability with the following:
« Branch History Injection (BHI or Spectre-BHB) is a new flavor of Spectre-v2 in that it can circumvent eIBRS and CSV2 to simplify cross-privilege mistraining. The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel. However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more “interesting” kernel targets (i.e., gadgets) that leak data »
The researchers have also published a video showing the exploitation of the vulnerability:
Once again, almost all of the CPUs are affected by vulnerability including products from Intel, AMD, and ARM. The companies have immediately published/updated the mitigation methods which can be found in the links below:
The mitigations cause a decrease in the performance of the CPUs. Some first tests show that Intel CPUs are suffering from performance loss on the mitigations; goes up to 35% of loss on specific benchmarks. On AMD’s side, the overall performance loss by mitigations is way more negligible. Other than one specific test, Stress-NG/Context Switching that crushes CPU performance by 54%, the overall performance loss sits around 5%. Ironically, Intel has found some flaws in AMD’s mitigations; performance loss values might change with the company’s new mitigation solutions.
Intel states that the best mitigation method is making adjustments to the Linux kernel. It is possible to lock down the protected memory by using Linux kernel 5.16 and applying the solutions from the guides.