Slashdot Mirror


All Intel Chips Open To New 'Spoiler' Non-Spectre Attack (zdnet.com)

Spoiler is the newest speculative attack affecting Intel's micro-architecture. From a report: Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache. Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lubeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper [PDF] was released this month and spotted by The Register. The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

9 of 132 comments

  1. Effective from Javascript by phantomfive · Score: 4, Insightful
    Quoth the article:

    The researchers say that Spoiler improves Rowhammer attacks and cache attacks that reverse-engineer virtual-to-physical address mapping. Using Spoiler, they show the leakage can be used to speed up reverse-engineering by a factor of 256. It also can speed up JavaScript attacks in the browser.

    It's not clear that this vuln allows you to attack anything by itself, but being able to speed up Rowhammer shows why you need to take vulnerabilities seriously, even if you can't figure out how to exploit them.

    --
    "First they came for the slanderers and I said nothing."
  2. Re:Here we go again! by Anonymous Coward · Score: 2, Insightful

    "So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."

    That's actually a silly reason not to open a CVE. A CVE is opened even before there are fixes available. It's made to track vulnerabilities.

  3. Re:Actual Link to Register Article by thereddaikon · Score: 4, Insightful

    Also, in before f**k JavaScript. The researchers just chose to use this as a means to demonstrate the weakness in Intel processors, not a weakness in JS.

    Fair enough, but still fuck javascript.

  4. Re:Actual Link to Register Article by phantomfive · Score: 3, Insightful

    The problem with Javascript is that every day you allow complete strangers to run their javascript on your computer.

    Most people don't want to use no-script, but even if you don't, then it is imperative to use adblock. There is too much malware in ads otherwise.

    --
    "First they came for the slanderers and I said nothing."
  5. Re:There is an immediate fix: by willaien · Score: 1, Insightful

    AMD has had some speculative execution attacks that are viable against them, and there's probably undiscovered/undisclosed ones.

    The correct answer is: don't run untrusted code, even from websites. Come up with better (slower) execution environments that enforce timings.

  6. Reminder - BULLSHIT by Anonymous Coward · Score: 3, Insightful

    "The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior."

    "The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."

    There is nothing similar in AMD land, and no, there are no functional POC's right now for AMD. ARM yes. Malware waves use POC's that exist, not ones that don't.

    1. Re:Reminder - BULLSHIT by Anonymous Coward · Score: 3, Insightful

      With regard to THIS type of attack, AMD is not vulnerable. It's 1:1 a result of Intel's specific instructions. With regard to Spectre, there is a POC for "in-process" corruption on AMD, but critically NOT CROSS-PROCESS.

      That really is a key distinction. You'd have to run the exploit IN the process you're trying to get data OUT of. This makes it a PURE EDGE POC, it cannot be readily exploited without other at-level vulns. And since we're talking about CPU Ring-0 process security, other vulns that would allow that would allow ANYTHING else, and doing a Spectre attack in such an environment would be a waste of time as you already have your hooks in.

      Intel's problem is that ANY process (even in VM's!) can access ANY other process's memory despite all mitigations, and then on top of that in Spectre, we have this new way of simply jumping through their front door register methodology.

      ARM has similar cross-process issues, though different from Intel, and without this new Intel-specific attack in this article.

      Short story - Intel is borked. They need to rewrite the way EVERYTHING works under the hood. AMD took a more sanitary approach and either got lucky, has yet to be exposed as Swiss cheese, or is actually more secure.

      We don't know which of those three is the case because we're not 100% through this entire case study, but either way given the state of POC's that exist NOW, comparing these vulns on AMD to Intel is just not a 1:1 and not close.

      You can't have a malware wave without a POC, public or secret. If there are public POC's for trivially unlocking Intel methods, and none such for AMD, that's not comparable.

  7. Re:Intel engineers should seriously consider suici by gweihir · Score: 3, Insightful

    And it is also possible that AMD just fucked up a lot less than Intel. Remember that technologically, AMD has been ahead for quite a while (e.g. integrated memory controller, far better multi-core support, etc.), just speed-wise they lagged behind. We do now know where Intel got a significant part of that speed. So while AMD will have some vulnerabilities, it is quite possible that they have a lot less and that what they have is often a lot harder to exploit. This is the verdict on Spectre and Meltdown and there are good reasons to believe this is not an accident, but a systematic difference.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. DO NOT MAKE FALSE EQUIVOCATIONS PLEASE. by Anonymous Coward · Score: 4, Insightful

    In a word, wrong. AMD is not cross-process vulnerable without another vuln at RING-0, you can only attack in-process. That makes it much less useful - you need to have an existing hacked process to get THAT PROCESS data.

    With intel you can get ANY process data from ANY OTHER PROCESS, even in VM's. It's not comparable. This article is a NEW, additional attack that makes it even more trivially exploited.

    FTFY