The Specter defense of Intel against data leaks fails again

Researchers of ETH Zurich in Switzerland have tried to bypass Intel's security measures against Specter. Specter is a family of weaknesses in the Intel processor architecture that enables data leaks.

Sandro Rüegge, Johannes Wikner and Kaveh Razavi discovered a new class of security problems, which are referred to as Branch Predictor racing conditions (BPRC). You describe it in a scientific article that you will later present at the USSenix Security 2025 and Black, USA 2025 security conferences. This was reported by the register.

Specter refers to hardware weak spots in processors that have been known since 2018. They take advantage of the speculative execution, with the processor carried out certain code paths before it is certain that they are needed. This can expire sensitive data such as passwords and encryption keys between the programs. Or even between virtual machines on the same server.

Several versions of Specter

Specter has several variants, including Specter V2. This version enables an attacker to manipulate so -called indirect jumps in order to read the normally protected memory, e.g. B. Information from the operating system or other programs.

Since then, Intel has taken several hardware measures to prevent these attacks, such as: These techniques are intended to ensure that speculations remain in their own security area and do not expire across borders.

However, the researchers found that the so-called branch-predictor mechanisms that predict which code path the processor will follow-inside the processor asynchronous. This can lead to racial conditions in which two processes try to change the same information at the same time, which can lead to unpredictable behavior.

It turns out that when changing from the user mode to the kernel mode, incorrect links can occur while the predictions are still updated. The researchers call this new attack vector branch privilege injection (BPI). This makes it not privileged code to insert predictions that are viewed as a core level, and undermines the original security goal of Eibr.

According to Kaveh Razavi, BPI makes it possible to carry out a classic Specter V2 attack despite the presence of security measures such as Eibrs. In this way, data can expire across security limits.

Several attack scenarios

He stated that several attack scenarios are conceivable. An attacker in a cloud environment could use a virtual machine, for example, to delete data from the hypervisor or even from other virtual machines. In the Proof-of-Concept, however, they mainly showed an attack in which a normal user process receives information from the operating system.

With BPI, an attacker can inject predictions from the user mode that are incorrectly recognized as a kernel mode. The attacker can then carry out a Specter V2 attack to get access to sensitive data in the memory.

Since then, Intel has released a microcode update, which is solved by this susceptibility to security, which is called CVE 2024-45332. Intel describes the error delayed as an indirect branch gate. According to the researchers, all Intel X86 processors from the 9th generation (Coffee Lake Refresh) are susceptible and possibly even models from the 7th generation (Kaby Lake).

Intel thanked ETH Zurich for her research and cooperation in coordinating disclosure. The company says that it further improve its hardware measures against Specter V2 and recommend users to contact their system manufacturer for updates. According to Intel, there is no evidence that this vulnerability in the wild is actively exploited.

Derivation of performance after the update

Intel states that performance tests show the performance after the update remains within the normal variation edges. However, the researchers quote certain figures. On an Alder Lake system, the microcode update should cause a loss of performance of 2.7 percent. Alternative software solutions ranged from a loss of 1.6 percent (on the Coffee Lake refresh) up to 8.3 percent (on Rocket Lake).

Although the attack on Linux was tested, other operating systems could also be susceptible to the Intel processors concerned. AMD and arm processors do not seem to be susceptible to this specific attack.

Razavi stated that we have not yet got rid of spectreamic problems. As long as processors are designed for maximum performance based on the speculative execution, such weak points remain a risk. He noticed that chip manufacturers are now more aware of these risks and are more careful with new designs. In addition, progress in the development of tools is made to recognize these problems earlier before chips are physically generated. He says that there is hope for improvement, although we are not there yet.

Tip: New Specter variant meets Intel and AMD processors