Researchers keep finding Spectre-style bugs in processors


Originally published at:


You’ve got to give it to the products, they’ve got style.


It’s unfortunate that (safely and correctly) dividing software activity between “so disclosure sensitive; redder than you would believe” and “not a huge deal, so long as it can’t be modified” is definitely never going to happen for older software; and likely to be really, really, hard in a substantial number of cases even in principle.

This class of attacks is mostly a side effect of optimisations(some handled less safely than others, which is why Intel’s woes were deemed more severe; but subtler flavors affected basically everything that wasn’t contentedly trundling along at lower speed); so if you could get a neat division throwing some ‘dumb; but reliable’ cores into the CPU would allow you to put the problem to rest at the (fairly low) cost of a little brute force(in most cases, to the best of my understanding, the dumb cores could even be 100% ISA compatible; just with an implementation free of the problem optimizations, which are implementation details rather than required by the instruction set).

If you can’t, though, (or if the disclosure-critical stuff also requires high performance), you have a much bigger problem. Especially if any of the mitigation attempts on full complexity cores end up adding exploitable behaviors of their own.


I’m not an expert here, but my understanding was that the original Spectre and Meltdown bugs were effectively information disclosure vulnerabilities (e.g., you could indirectly read parts of protected memory, like a password or encryption key). Unless there’s been a new development, I’m unaware of a speculative execution bug that allows the attacker to run arbitrary code (even speculatively). I think they can sometimes get short stretches of system code to run speculatively and then observe some of the results that, but I think that would still be classified as an information disclosure.


I remember the days when computers were actually Turing machines, running synchronously in a single thread and always giving the same garbage out for a particular set of garbage in. I don’t know how anyone debugs or verifies these modern systems where a butterfly in China causes a different execution path. I suppose this is the answer: they don’t.


Yes, but disclosing the right information can be used to escalate your privileges to the point where you can run anything you want, so that distinction doesn’t mean much.


Does anyone know a good explanation of these sorts of flaws for those of us who, while technical, aren’t super knowledgeable about electrical engineering/hardware?

Like, what is the threat model here, what can an attacker DO leveraging this type of bug?


In general, they enable privilege escalation attacks, which require some kind of access to begin with. This is very bad for cloud providers, people who use the cloud, people who run web servers, people whose personal data are stored on web servers, and companies that operate industrial supercomputers but want to compatmentalize access to trade secrets store on that computer. It’s not so bad for a personal computer without things like flash and JavaScript enabled.

There are some suggestions that there could be actually remotely exploitable versions of these bugs, but those are pretty tenuous at this point.


adding to what @Space_Monkey said, the bugs allow you to (very slowly) read memory that an application isn’t supposed to have access to, application to application, or application to system memory.

potentially, maybe you could grab at passwords, authentication tokens, or sensitive documents.

so far as i understand anyway.




Ah, so if I understand correctly then for example, if I sign up for an account with a shared hosting provider like Dreamhost (many sites, 1 server), someone can leverage an attack like this to get admin access and control everyone’s data?

So in for example, I’m running an operating system like Qubes that puts everything in it’s own virtual environment, would this let you punch through that protection?


Yes. The classic use case for this kind of exploits is tunneling between different VMs or accounts on a multi-user machine.


Yikes. And you just need to know they have a relatively recent Intel processor? (Not like, the exact model #?)

So for example run some JS to pull down code that punched through the VMs abd sends out your secret journalism docs?



This topic was automatically closed after 5 days. New replies are no longer allowed.