All Intel Chips Open To New 'Spoiler' Non-Spectre Attack

Spoiler is the newest speculative attack affecting Intel's micro-architecture. From a report: Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache. Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lubeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper [PDF] was released this month and spotted by The Register. The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

Actual Link to Register Article

[j_f_chamblee]

As opposed to spammy, pop-up filled ZDNet article.

https://www.theregister.co.uk/...

Re:Actual Link to Register Article

[TFlan91]

And what should've been the summary:

The researchers – Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar – have found that "a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem" reveals memory layout data, making other attacks like Rowhammer much easier to carry out.

The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior.

"We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes," the researchers explain.

"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."

Also, in before f**k JavaScript. The researchers just chose to use this has a means to demonstrate the weakness in Intel processors, not a weakness in JS.

Re:intel is ghey

I see the Republicans have arrived.

Please explain the rowhammer relationship

[goombah99]

Perhaps I've misunderstood what Rowhammer was. I thought it was a a corruption attack caused by repeated adjacent bank accesses flipping bits in another bank. Thus I thought it's intent was to corrupt the adjacent bank not read back the adjacent bank. I don't even see how the bit flipping could work in the reverse direction to leak out information.

Yet this article seems to say it amplifies a rowhammer attacks efficiency and also can be used to spy on other processes.

Not seeing how. So maybe I have this wrong?

Re:Please explain the rowhammer relationship

[DamnOregonian]

It's a good question. I'll answer.
Rowhammer allows you to flip bits in memory with specific relationships to memory you can access.
If one of the bits you're able to flip happens to be bits in a page table, and enough stars line up, allows you to flip access bits on pages you're interested in, the MMU will let you read them as you will. Meltdown addresses this problem by completely swapping out the kernel pagetables between context switches.
However, if even more stars line up, then you can potentially map pages back in.
Leaking information about the page tables does make that a much faster process.
To be clear: Rowhammer is a problem on all CPUs. This accelerates the speed at which Rowhammer can try to brute force a page table entry.

Re:There is an immediate fix:

[Misagon]

The researchers had tested only an AMD processor of the previous generation: Bulldozer.
It is still unknown if Zen is susceptible to this attack or not.