In the past three days, reports of new Specter-class attacks have emerged that allegedly breach all previous speculative execution patches and require mitigation techniques that compromise performance. There’s only one problem: Intel and the researchers basically disagree over whether or not a flaw exists.
The research team The University of Virginia wrote an article claiming that there are catastrophic flaws in how AMD and Intel currently implement micro-op caches that allow them to lose data under certain circumstances. Both Zen 2 and Skylake class architectures are said to be vulnerable; the document does not refer to any tests performed on Ice Lake, Tiger Lake, Rocket Lake or Zen 3 processors.
The micro-op cache on a modern x86 CPU stores the decoded instructions so that they can be accessed again if needed. This improves power consumption by avoiding the need to repeatedly decode the same short set of instructions during certain operations. It can also improve performance because you can access already decoded instructions on demand.
According to the research team, solutions to this micro-operational cache data loss problem, such as constantly flushing its contents, “could severely degrade performance.”
“Also,” they continue, “since current processors require an iTLB flush to achieve a micro-op cache flush, frequent flushing of both structures would severely impact performance, as the processor cannot make progress until the ‘iTLB won’t charge “.
Sounds pretty bad. The only problem is that Intel doesn’t completely agree. The official press release of the company reads as follows:
Intel reviewed the report and informed researchers that existing mitigations were not being circumvented and that this scenario was addressed in our guide to secure coding. The software that follows our guide already has protections against incident channels, including the incident channel of the uop cache. No new mitigations or guidelines are needed.
We have had news from AMD since this story was published; the company statement is included below:
Intel released a number of patches for various defects related to the initial Specter / Meltdown disclosure in 2018. It has also released its own writings, reports and documentation. However you think about the existence of these problems, Intel appears to have committed itself to the process of resolving them in good faith.
Over the past year, I have criticized several public relations-based security disclosures. In some cases, the histrionic tones of the press release and / or blog post did not match the more measured claims of the newspaper itself. This is different. The research paper isn’t catastrophic, but it presents the team’s findings as evidence of an ongoing problem. According to Intel, this issue is addressed in existing guidelines.
These guidelines advise developers to mitigate side channel data loss by ensuring that algorithms always perform operations performed on secret data in exactly the same amount of time, that the value or values derived from a secret never affect a conditional branch. or the goal of an indirect branch and that secret values should never “cause a change in the order of the addresses accessed or the size of the load / store data”.
According to security researcher Jon Masters (tip of hat ad Ars Technica), the document is “interesting reading:”
It is far from the dizzying sensationalism implicit in the “Defenseless” language on the Virginia site, and in the press so far … A bit of cleaning may be needed in light of this latest document, but there are mitigations available, albeit always at some cost in terms of performance. (original emphasis)
Research lead Ashish Venkat told Ars that he believes the problem his team identified deserves a fix in the microcode and argues that the constant-time programming approach advocated by Intel is rather difficult.
For now, that’s where we’ll leave this. Intel’s lead is that this isn’t a problem and the third-party review ranks it as interesting but overrated in most reports. The research team that unearthed it believes it deserves more of a fix than Intel and that Intel’s guidance on software programming isn’t practical enough to fix the problem. More than three years after Specter and Meltdown, no one is known to have attempted to exploit a side canal attack in the wild. There remain simpler and more direct ways of stealing data.
To update: After publication, AMD responded with its own statement: “AMD has reviewed the research paper and believes that existing mitigations have not been circumvented and that no new mitigations are needed. AMD recommends following mitigation guidelines. of existing side channel and standard secure coding practices ”.
Both AMD and Intel, therefore, are rejecting the idea that this research poses a new or emerging threat.