A new vulnerability called SPOILER has been revealed which affects Intel CPUs, and has massive potential to undermine existing hardware security.
The new vulnerability was revealed through research from specialists and researchers at Worcester Polytechnic Institute and the University of Lübeck, and published in a research paper distributed this month through pre-print service ArXiv, “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks,” as it was called. But just to be clear, SPOILER isn’t an acronym, and doesn’t stand for anything, except the first two letters ‘sp’ which refer to ‘speculative’ execution.
The SPOILER exploit uses a speculative mapping technique to disclose physical addresses in memory on a target system. This technique relies on measuring the timing of various operations within both virtual and physical memory, this timing then allows the attacking software to map out physical memory. This happens due to the way modern CPUs keep track of different operations and data within the memory buffer.
The memory buffer is part of the systems a CPU uses to manage reading and writing to RAM, which is a crucial part of PC operations. And because these processes happen at high-speed, there’s always the potential for errors. Let’s say a system tries to read and write to a space in memory that’s already occupied by the time the operation is completed. That invalid memory could cause a crash, so CPUs attempt to mitigate these issues using speculation. By writing objects to memory out-of-order, a system can preemptively use memory ahead of when it’s actually needed, both speeding up system processes and preventing errors.
But this speculative processing has some major flaws, as we’ve seen with other exploits like Spectre and Meltdown. The core issue concerning SPOILER is that since physical memory spaces are often protected and “privileged” within a system, this allows the attacker to execute what is essentially privilege escalation at the hardware level.
“We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes,” the researchers explain.
“The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments.”
SPOILER is fundamentally different from other major hardware exploits like Spectre and Meltdown, as it can’t be addressed with software-based mitigation or patching. This means that Intel will need to implement mitigation directly into their CPU architectures in the future.
Now don’t freak out too much just yet, as there are a few saving graces with this vulnerability that make it a little harder to execute. An attacker leveraging this flaw would need to have access to the system directly, either through malware or some other means, like a rogue user account, to take advantage of SPOILER. So some basic hardening techniques and vigilance can help mitigate the threat posed by this new exploit a little bit.
Also, AMD users are apparently immune to this attack at the moment. Spoiler affects only Intel’s CPUs and not AMD’s CPUs. All of AMD’s CPUs are safe as of now.
Intel provided the following statement to press about SPOILER:
“Intel received notice of this research, and we expect that software can be protected
against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”