Intel introduced hardware-based “safeguards” and “additional” protections in its new chips to protect against the Spectre and Meltdown flaws that shocked the silicon industry when the vulnerabilities were made public earlier this year. However, those protections are specific to Variants 2 and 3 and will not cover the newly discovered Variant 4 or other speculative execution side-channel flaws that may surface in the future; in other words, it is just the beginning.
Spectre Variant 4
On Monday, Intel acknowledged that its processors are vulnerable to Variant 4, which could give attackers unauthorized read access to memory. Like Meltdown and Spectre, Variant 4 (CVE-2018-3639) is a side-channel analysis security flaw. However, it uses a different mechanism to extract information, is closer to a cache exploit, and can be used in browser-based attacks.
After the disclosure of Spectre and Meltdown, Intel said earlier this year that it had designed a new set of CPU design features that work with the operating system to install “virtual fences” protecting the system from speculative execution attacks that exploit a variant of the Spectre flaw.
Medium Risk (according to Intel)
As the chip manufacturer said earlier this week, the new bug is ‘medium risk’, and it has “already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.”
The issue with this fix is that, unlike baked-in protection, there is a performance price to pay, just as with the previous Meltdown and Spectre patches. Intel estimates the slowdown at around 2% to 8% based on SYSmark and other benchmarks, though mileage will doubtless vary from system to system.
Interestingly, Intel will be delivering this Variant 4 fix as an optional measure, and it will actually be set to off by default. That means users will need to enable protection if they so wish, or carry on regardless and avoid any performance hit, with the potential risk of being exploited down the line.
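The opt-in model described above is visible on Linux, where the kernel reports the Variant 4 (Speculative Store Bypass) mitigation state in sysfs and lets a process turn it on for itself through prctl(2). The following is an added example, not code from the article or from Intel; the sysfs path and prctl constants are the kernel's real interfaces, and the status strings in the test are constructed to match the kernel's reporting format.

```python
"""Speculative Store Bypass (Variant 4) mitigation check and opt-in, Linux."""
import ctypes
SYSFS_SSB = "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"
# prctl(2) speculation-control constants from linux/prctl.h.
PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0        # the misfeature being controlled
PR_SPEC_PRCTL = 1 << 0          # task may change the setting itself
PR_SPEC_ENABLE = 1 << 1         # bypass allowed: mitigation OFF
PR_SPEC_DISABLE = 1 << 2        # bypass blocked: mitigation ON
PR_SPEC_FORCE_DISABLE = 1 << 3  # ON, and cannot be switched back

def classify_ssb_status(text: str) -> str:
    """Map the sysfs line to a verdict. A 'Mitigation:' line naming prctl or
    seccomp means SSBD only covers tasks that opt in (the off-by-default model)."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    if t.startswith("Mitigation:"):
        opt_in = "prctl" in t or "seccomp" in t
        return "mitigated_opt_in" if opt_in else "mitigated_all_tasks"
    return "unknown"

def task_ssb_state(flags: int) -> str:
    """Interpret the flags returned by PR_GET_SPECULATION_CTRL."""
    if flags == 0:                                  # PR_SPEC_NOT_AFFECTED
        return "not_affected"
    if flags & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE):
        return "mitigated"
    if flags & PR_SPEC_PRCTL:                       # ENABLE, but controllable
        return "unmitigated_controllable"
    return "vulnerable"                             # ENABLE, no control at all

def _prctl(*args: int) -> int:
    """prctl(2) via libc; -1 if unavailable (non-Linux, old kernel, no SSBD)."""
    try:
        return ctypes.CDLL(None, use_errno=True).prctl(*args)
    except (AttributeError, OSError):
        return -1

def current_task_state() -> str:
    flags = _prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)
    return "unsupported" if flags < 0 else task_ssb_state(flags)

def enable_ssb_mitigation() -> bool:
    """Opt this task (and its future children) into SSBD; True on success."""
    return _prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) == 0
```

Feed the contents of SYSFS_SSB to classify_ssb_status() for the system-wide view; a process that handles untrusted input (a browser, a JIT) can call enable_ssb_mitigation() early so that only it pays the performance cost.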
- Speculative Store Bypass explained: what it is, how it works
- Advancing Security at the Silicon Level
- Retpoline: A Branch Target Injection Mitigation (.PDF)
- Analysis and mitigation of speculative store bypass (CVE-2018-3639)
- speculative execution, variant 4: speculative store bypass