
CVE-2017-5715

Date: January 2, 2018

Overview

Microprocessors that speculatively execute instructions are susceptible to information disclosure. An attacker with local user access runs code of their own choosing (an ordinary unprivileged process, or JavaScript in the victim's browser) and reads secret data that this code is not authorised to access, such as kernel or hypervisor memory. Also known as Spectre Variant 2 or Branch Target Injection, this hardware vulnerability is one of the speculative-execution side-channel attacks collectively known as Spectre and Meltdown.

Details

The attack abuses a performance feature of modern processors. Rather than wait for a branch to be resolved, the processor predicts where program flow will go next and speculatively executes the instructions along that path; any memory those instructions read is loaded into the cache. When the prediction turns out to be wrong, the results of the mispredicted instructions are discarded from the architectural state (registers and program-visible memory), but the cache lines they pulled in are not evicted. They remain in the cache, and whether a given line is present can be measured through access timing. Spectre Variant 2 targets the prediction of indirect branches (calls and jumps whose target is read from a register or from memory). That prediction comes from the Branch Target Buffer (BTB), which is shared by all code running on a core and is indexed by branch address rather than tagged by process or privilege level, so an attacker can plant a prediction that the victim will later consume. The attack occurs in three steps:

1. Mistraining. The attacker runs a malicious process on the user's system, or JavaScript code in the user's browser, that repeatedly executes an indirect branch located at an address aliasing the victim's branch and jumps to an attacker-selected target, until the BTB learns that target.

2. Speculative execution of a gadget. When the victim code runs (a legitimate user process, or the kernel or hypervisor handling a request from the attacker), the mistrained BTB steers speculation at the victim's indirect branch to the attacker-selected address inside the victim's own address space. The code found there, the gadget, speculatively reads privileged data and uses the value to address memory, so the cache line that gets loaded depends on the secret. The misprediction is eventually detected and the speculative results are discarded, so nothing is visible architecturally.

3. Exfiltration through the cache timing side-channel. The attacker times accesses to the candidate cache lines (for example with Flush+Reload) to see which one was loaded and recovers the privileged value, one byte at a time.

Branch Target Injection is the name of the mistraining technique in steps 1 and 2; the cache timing measurement in step 3 is the side channel that actually carries the data out.

Affected Environments

Any system based on microprocessors that use speculative execution with indirect branch prediction is affected. This includes all modern portable computers, PCs, mobile devices and other chip-based devices. The following is a non-exhaustive list of affected processors by major vendor:

Intel: Nehalem, Haswell, Broadwell, Skylake, Kaby Lake, Coffee Lake, Silvermont, Goldmont
AMD: Bulldozer, Piledriver, Steamroller
ARM: Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, Cortex-A75
IBM: POWER6, POWER7, POWER7+, POWER8, POWER8+, POWER9

Cloud providers using these processors in their hosting environments are also affected: because the BTB is shared by everything running on a core, a malicious guest can mistrain the indirect branches of the hypervisor, so the host and the other tenants depend on the provider applying the microcode and hypervisor updates.

Remediation

Retpoline-enabled Windows and Linux OS updates. A retpoline replaces each indirect branch with a call/return construct whose speculative target is predicted from the Return Stack Buffer instead of the Branch Target Buffer, so a poisoned BTB entry is never used. On Intel Skylake-generation and later processors an empty Return Stack Buffer falls back to BTB prediction, so the Linux kernel additionally refills the RSB on context switches and Intel recommended the IBRS microcode control on those parts; retpoline kernels also use the IBPB and STIBP controls from updated microcode, when present, at process and thread boundaries, so the firmware update remains necessary.
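As an added example, not code from the original entry or from any OS or CPU vendor, here is a minimal retpoline written in C with GNU inline assembly, so that the construct named in the remediation can be read instruction by instruction alongside the three attack steps in Details. It assumes an x86-64 machine and a GNU-compatible compiler (gcc or clang); on other targets the function falls back to a plain indirect call so the program still builds. The function names, the two handler functions and the dispatcher table are illustrative and not taken from any real code base.

```c
#include <stdint.h>
#include <stdio.h>

typedef long (*handler_fn)(long);

/* Two possible targets of the indirect call; which one runs is decided at
 * run time, which is exactly what the Branch Target Buffer tries to predict. */
long double_it(long x) { return 2 * x; }
long negate_it(long x) { return -x; }

/* Call target(arg) through a retpoline instead of a plain `call *%rax`.
 * The speculative target of the final `ret` is taken from the Return Stack
 * Buffer, which the preceding `call` has just loaded with the address of the
 * capture loop; the attacker-trainable BTB is never consulted. */
long call_via_retpoline(handler_fn target, long arg)
{
#if defined(__x86_64__) && defined(__GNUC__)
    uintptr_t rax = (uintptr_t)target;   /* thunk expects the target in rax */
    long rdi = arg;                      /* first argument register (SysV ABI) */
    __asm__ volatile(
        /* Move below the compiler's 128-byte red zone and align the stack
         * to 16 bytes, because we are about to push and call from inline asm. */
        "subq  $128, %%rsp\n\t"
        "pushq %%rbp\n\t"
        "movq  %%rsp, %%rbp\n\t"
        "andq  $-16, %%rsp\n\t"
        "call  3f\n\t"                 /* enter the thunk; 4: is the real return address */
        "jmp   4f\n\t"
        /* --- the retpoline thunk (equivalent of __x86_indirect_thunk_rax) --- */
        "3:\n\t"
        "call  2f\n\t"                 /* push 1: as return address; RSB now predicts 1: */
        "1:\n\t"
        "pause\n\t"                    /* speculation that follows the predicted return */
        "lfence\n\t"                   /* is trapped in this harmless loop, not a gadget */
        "jmp   1b\n\t"
        "2:\n\t"
        "movq  %%rax, (%%rsp)\n\t"     /* replace 1: on the stack with the real target */
        "ret\n\t"                      /* architecturally transfers control to target */
        /* -------------------------------------------------------------------- */
        "4:\n\t"
        "movq  %%rbp, %%rsp\n\t"
        "popq  %%rbp\n\t"
        "addq  $128, %%rsp\n\t"
        : "+a"(rax), "+D"(rdi)
        :
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
    return (long)rax;                    /* target's return value comes back in rax */
#else
    return target(arg);                  /* non-x86-64: ordinary indirect call */
#endif
}

/* A dispatcher of the kind Spectre v2 aims at: the branch target depends on
 * untrusted input, so an attacker can mistrain the BTB entry for this branch. */
long dispatch(int selector, long arg)
{
    static const handler_fn table[] = { double_it, negate_it };
    if (selector < 0 || selector >= 2)
        return 0;
    return call_via_retpoline(table[selector], arg);
}

int main(void)
{
    printf("dispatch(0, 21) = %ld\n", dispatch(0, 21));
    printf("dispatch(1, 5)  = %ld\n", dispatch(1, 5));
    return 0;
}
```

Compile with `gcc -O2` or `clang -O2`. In practice nobody hand-writes this: GCC emits the same thunk for every indirect branch with -mindirect-branch=thunk and clang with -mretpoline, which is how the Linux kernel builds are protected. Note the caveat the kernel developers hit later: the `ret` deliberately returns to an address that differs from the one pushed, so retpolines are incompatible with CET shadow stacks; processors that offer enhanced IBRS are mitigated with that hardware control instead.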

Prevention

Install patches and updates at OS and BIOS level that change branch prediction behaviour. The BIOS (microcode) update adds the IBRS, IBPB and STIBP controls that the operating system uses to restrict, flush or isolate indirect branch prediction; the OS update is what actually exercises them or substitutes retpolines.

Use browsers with a site isolation feature, which runs each site in its own process so that another site's data is never in the address space a speculative read could reach; browsers also reduced timer precision to make the cache timing measurement harder.

Check for Spectre Variant 2 vulnerability regularly. On Linux, read /sys/devices/system/cpu/vulnerabilities/spectre_v2, which reports "Not affected", "Vulnerable" or "Mitigation:" followed by the active mitigation; on Windows, Microsoft's SpeculationControl PowerShell module reports the branch target injection status. Re-check after kernel, hypervisor and firmware changes, since a mitigation can be silently lost through a boot parameter or an old microcode image.

Use processors unaffected by the vulnerability or that do not use speculative execution.
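The Linux status check recommended above, as an added example that is not part of the original entry: classify_spectre_v2 interprets the line the kernel writes to /sys/devices/system/cpu/vulnerabilities/spectre_v2, and has_cpu_flag checks the "flags" line of /proc/cpuinfo for the ibrs, ibpb and stibp feature bits that updated microcode exposes (matching whole words, so that ibrs_enhanced is not mistaken for ibrs). The sample lines embedded in the program are constructed for the example, the function names are mine, and main reads the real files only when run on a Linux host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum spectre_v2_state { SV2_NOT_AFFECTED, SV2_MITIGATED, SV2_VULNERABLE, SV2_UNKNOWN };

/* Constructed sample lines in the formats the Linux kernel uses (not captured
 * from a real machine). */
const char *SAMPLE_SYSFS_MITIGATED =
    "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling";
const char *SAMPLE_FLAGS_PATCHED =
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm "
    "constant_tsc ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 hle avx2 smep";
const char *SAMPLE_FLAGS_UNPATCHED =
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm "
    "constant_tsc fsgsbase tsc_adjust bmi1 hle avx2 smep";
/* "ibrs" appears here only as a prefix of another flag, not as a flag itself. */
const char *SAMPLE_FLAGS_PREFIX_ONLY = "flags\t\t: fpu ibrs_enhanced ibpb stibp";

/* Classify one line as written to /sys/devices/system/cpu/vulnerabilities/spectre_v2. */
enum spectre_v2_state classify_spectre_v2(const char *report)
{
    if (strncmp(report, "Not affected", 12) == 0) return SV2_NOT_AFFECTED;
    if (strncmp(report, "Mitigation:", 11) == 0)  return SV2_MITIGATED;
    if (strncmp(report, "Vulnerable", 10) == 0)   return SV2_VULNERABLE;
    return SV2_UNKNOWN;
}

static const char *state_name(enum spectre_v2_state s)
{
    switch (s) {
    case SV2_NOT_AFFECTED: return "not affected";
    case SV2_MITIGATED:    return "mitigated";
    case SV2_VULNERABLE:   return "VULNERABLE";
    default:               return "unknown format";
    }
}

/* Whole-word match of one feature flag inside a /proc/cpuinfo "flags" line. */
int has_cpu_flag(const char *flags_line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = flags_line;
    while ((p = strstr(p, flag)) != NULL) {
        int start_ok = (p == flags_line) || isspace((unsigned char)p[-1]);
        int end_ok = (p[n] == '\0') || isspace((unsigned char)p[n]);
        if (start_ok && end_ok) return 1;
        p += n;                          /* partial match, keep scanning */
    }
    return 0;
}

/* Does the running microcode expose all three branch-prediction controls? */
int has_spectre_v2_microcode(const char *flags_line)
{
    return has_cpu_flag(flags_line, "ibrs") &&
           has_cpu_flag(flags_line, "ibpb") &&
           has_cpu_flag(flags_line, "stibp");
}

/* Read the first line of a file into buf without the newline; 0 on failure. */
static int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* Find the first "flags" line in /proc/cpuinfo (every core reports the same). */
static int read_cpu_flags(char *buf, size_t len)
{
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f) return 0;
    int found = 0;
    while (fgets(buf, (int)len, f)) {
        if (strncmp(buf, "flags", 5) == 0) {
            buf[strcspn(buf, "\n")] = '\0';
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    char report[512], flags[8192];
    if (read_first_line("/sys/devices/system/cpu/vulnerabilities/spectre_v2", report, sizeof report))
        printf("spectre_v2: %s [%s]\n", report, state_name(classify_spectre_v2(report)));
    else
        printf("spectre_v2: sysfs entry not available (not Linux, or kernel predates the fix)\n");
    if (read_cpu_flags(flags, sizeof flags))
        printf("microcode exposes ibrs/ibpb/stibp: %s\n",
               has_spectre_v2_microcode(flags) ? "yes" : "no");
    return 0;
}
```

A mitigated report with missing microcode flags is worth flagging too: the kernel can fall back to retpolines without IBPB, which is weaker at process boundaries than the full mitigation the sysfs line would show on a fully patched host.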

Language: Unix

Good to know:

CWE-200: Information Leak / Disclosure
CWE-203: Observable Discrepancy

CVSS v3.0 Base Score: 5.6 (Medium), vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): None

CVSS v2.0 Base Score: 1.9 (Low), vector AV:L/AC:M/Au:N/C:P/I:N/A:N
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None