Systemic Weakness CPU Security Vulnerabilities: Speculative Execution Remains a Systemic Security Risk

Related Vendors

ETH Eidgenössische Technische Hochschule Zürich

Wuxi InfiMotion Technology Co., Ltd.

Researchers at ETH Zurich have identified a new attack vector against modern processors, once again within the performance enhancement mechanism of speculative execution. The vulnerability affects all current Intel CPUs and can be specifically exploited in shared environments, such as the cloud.

In September 2024, the Computer Security Group (COMSEC) at the Department of Information Technology and Electrical Engineering at ETH Zurich identified a new type of vulnerability in Intel CPUs that can be exploited in environments with shared hardware, for example in the cloud. All Intel processors from the last six years are affected, from PCs to servers in data centers.

The attack is based on so-called Branch Predictor Race Conditions (BPRC), which make it possible to completely read privileged information from the cache and working memory of other users on the same CPU. The disclosure of a single byte would be negligible. However, the attack can be repeated in rapid succession, meaning that the entire memory contents can be read out over time. "We can continuously trigger the error in a targeted manner and thus achieve a readout speed of over 5,000 bytes per second," explains Sandro Rüegge, co-author of the study.

Focus Again on Speculative Execution

The vulnerability is one of a growing number of attack methods targeting speculative execution. This is an architectural principle that has been used since the 1990s to increase the performance of modern processors. The processor makes predictive assumptions about future program paths used in order to speed up the calculation of the actual action. These predictions can be manipulated. And according to the researchers, security mechanisms can be circumvented in this way.

Spectre and Meltdown, for example, caused quite a stir back in 2017. Spectre uses vulnerabilities in processors with out-of-order execution to read protected memory areas. Meltdown, on the other hand, uses a processor vulnerability to access external memory areas. This was followed in 2022 by another vulnerability, Retbleed, which was discovered by researchers from the same ETH group. Retbleed is a side-channel attack that deliberately manipulates return commands in order to access data from speculative execution. The BPRC vulnerability that has now been identified shows that even improved protection measures can be deliberately circumvented.

Architecture Problem With a System

The gap occurs in those nanoseconds in which the processor is already speculatively processing new commands, although the authorizations for the context change have not yet been correctly assigned. Incorrect authorization assignments can be provoked by specific inputs. This is a circumstance that points to a fundamental design problem.

"The series of newly discovered vulnerabilities in the speculative technologies is an indication of fundamental flaws in the architecture," warns COMSEC head Prof. Kaveh Razavi. Each new vulnerability currently has to be discovered individually and closed with microcode updates. The process is not only time-consuming, but also reactive. Of course, it would be better if preventative measures could be taken.

Intel has since provided countermeasures for the vulnerability, which was discovered in the fall of 2024, in the form of microcode updates that are distributed via BIOS or operating system updates, for example as part of current Windows security updates. Nevertheless, the structural vulnerability remains and is likely to provide scope for new attack vectors in the future.

Integrated protective measures such as the "privilege check", for example, do not appear to work reliably in speculative execution if calculations and authorization checks take place at different times. Attackers can exploit this gap in the time sequence to read other users' memory areas in a targeted manner. (sb)