New flaws and even more patches - "Spectre Next Generation" is just around the corner. According to information exclusively available to c't, researchers have already found eight new security holes in Intel processors.
The vulnerabilities known as Spectre and Meltdown shook the IT world to its foundations: researchers proved that there is a fundamental design flaw in all modern processors with serious repercussions for system security (see c't issue 3/2018). After several patches were released, it seemed everything would be fine after all, although some experts warned that more revelations could follow. But the hope remained that the manufacturers could solve the problem with a few security updates.
As it turns out, we can bury that hope. A total of eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers. For now, details on the flaws are being kept secret. All eight are essentially caused by the same design problem – you could say that they are Spectre Next Generation.
c't has exclusive information on Spectre-NG, which we have been able to verify in several ways – we double and triple checked all the facts. Nonetheless, we will not publish technical details as long as there is still a chance that manufacturers will get their security updates ready before the details of the flaws become public. However, we will use our information to report about future releases of patches and provide background information.
Eight new security flaws
Each of the eight vulnerabilities has its own number in the Common Vulnerability Enumerator (CVE) directory and each requires its own patches. It is likely that each vulnerability will receive its own name. Until then, we will jointly call these flaws Spectre-NG in order to distinguish them from the previously uncovered issues.
So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
Intel is already working on its own patches for Spectre-NG and developing others in cooperation with the operating system manufacturers. According to our information, Intel is planning two waves of patches. The first is scheduled to start in May; a second is currently planned for August.
Knowing that Google Project Zero discovered one of the Spectre-NG flaws gives us an idea of when to expect the first patch. Googles elite hackers are scrupulous about observing the 90 day deadline that is meant to give companies time to address flaws after they have been notified – but they have no qualms about going public when the deadline ends, even if a patch has yet to be released. Time will run out on May 7 – the day before the next Windows patch day. Intel itself expects that information about a second flaw could be published any day now. Therefore, we can expect to see patches for these two vulnerabilities sooner rather than later.
There are signs that Microsoft is also preparing for CPU patches. Originally the Redmond based company expected the problems would be solved through microcode updates. Now it seems the fixes (or mitigations) will be distributed as (optional) Windows updates. PC manufacturers are simply taking too long to provide BIOS updates. Microsoft is also offering up to $250,000 in a bug bounty program for Spectre flaws. Linux kernel developers are continuously working on hardening measures against Spectre attacks as well.
More dangerous than Spectre
Intel itself classifies four of the Spectre-NG vulnerabilities as "high risk"; the remaining four are rated as "medium". According to our own research, risks and attack scenarios at Spectre-NG are similar to those at Spectre – with one exception.
One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.
Although attacks on other VMs or the host system were already possible in principle with Spectre, the real-world implementation required so much prior knowledge that it was extremely difficult. However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected.
Still, the concrete danger for private individuals and corporate PCs is rather small, because there are usually other weak points which are easier to exploit. Nevertheless, they should be taken seriously and the upcoming Spectre-NG updates should be installed quickly after their release.
However, if the past is any indication, things won't go so smoothly in practcice. Even when the Spectre updates were made available, there were several glitches, despite a lead time of more than six months. In addition, some patches reduce performance and some companies refuse BIOS updates for computers that are only a few years old. All this will get worse rather than better with Spectre NG.
A fundamental security problem
Overall, the Spectre-NG gaps show that Spectre and Meltdown were not a one-off slip-up. It is not just a simple gap that could be plugged with a few patches. Rather, it seems that for each fixed issue, two others crop up. This is the result of the fact that during the past twenty years, safety considerations have only played second fiddle to performance in processor development.
An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.
Of course, Intel needs to fix the current weaknesses as quickly as possible – and that's what is happening. At the same time, however, the CPU design needs to be fundamentally rethought. Werner Haas of the German company Cyberus Technology and one of the co-discoverers of Spectre/Meltdown, considers it quite possible to equip high-performance processors with a solid security design. However, this would require security aspects to be taken into account in the architecture right from the start. Paul Kocher, who was also involved in unveiling Spectre, suggested implementing additional, specially secured CPU cores. And with methods such as threat modeling, risky techniques can be implemented in such a way that security remains controllable.
Intel made the promise of "security first" at the beginning of January. Now the company must provide more transparency and, for example, publish risk analyses of potential weak points. So far, Intel has been acting more along the lines of "We are the experts, we're doing it right", relying on technologies such as the Intel Management Engine and the Software Guard Extensions. We should no longer be fobbed off with vague promises when it comes to central components of our IT infrastructure.
|Die bisherigen CPU-Sicherheitslücken Meltdown und Spectre|
|Spectre Variante 1||Bounds Check Bypass||CVE-2017-5753|
|Spectre Variante 2||Branch Target Injection (BTI)||CVE-2017-5715|
|Meltdown (GPZ V3)||Rogue Data Cache Load||CVE-2017-5754|
|GPZ steht für Google Project Zero, Spectre V1 und V2 werden auch GPZ V1 und GPZ V2 genannt|