A computer microchip feature that boosts a processor’s speed also could give away secrets, including passwords, to the right hacker, a University of Virginia engineering school research team has discovered.
Led by Ashish Venkat, an assistant professor of computer science, the researchers found a way to attack modern computer processors that use speculative execution to increase the speed of microchips and processors.
Speculative execution allows the processor to predict which instructions it will likely be asked to execute and to prepare by pulling those instructions from memory. That fetching, however, could be manipulated by hackers to access information from the processor and the system.
The vulnerability is in the processor’s micro-op cache, a collection of instructions from which the processor can choose when predicting what the next command will be. The process makes computing quicker.
That flaw, called Spectre, was revealed in 2018 and led the chip industry and researchers, including Venkat, to develop patches to protect devices from attacks.
But Venkat’s team this year released a paper indicating they discovered a line of attack that breaks all Spectre defenses, including those Venkat helped to develop, by getting past security fences and monitoring the commands as they are pulled off the cache.
“In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty,” said Logan Moody, a research team member. “The difference with this attack is you take a much greater performance penalty than those previous attacks.”
The new attack tricks the processor into executing instructions along the wrong path. Even though the processor recovers and gets back on track, hackers can snag the secrets while the processor is on the wrong-way street.
“Imagine that at the airport the TSA lets you through without checking your boarding pass because it is fast and efficient and it knows you will be checked for your boarding pass at the gate. A computer processor predicts that a password check will be successful and puts instructions into the pipeline. If the prediction is incorrect, it then throws the instructions out of the pipeline,” Venkat explained.
“But those instructions could leave side effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password,” he said. “The difference is Spectre attacks exploit hardware. If you’re running code with secrets in them, they can leak in many different ways.”
Xida Ren, who worked with Venkat on the research, said a computer is based on hardware, much like the basement and structure of a building, while the operating system and software would be the floors above.
“Usually when a security issue happens, it comes in through software. It’s like they see your secrets through the window or sneak a peek while walking through the gate,” Ren said. “Spectre is like walking in the front door and before you get to the security desk, you go down to the basement and listen in on all of the secrets.”
The flaw is not a serious threat to the average laptop, desktop or tablet, the researchers say.
“Information that’s important, like military information, is something hackers will be willing to go to greater lengths to target and use a process like Spectre. But they’re not going to be targeting your grandma,” said Moody. “Well, at least not now, maybe in 10 years or so. These kinds of attacks are more difficult to execute.”
“11-year-old me is not likely to pull this off, but 23-year-old me would be able to take more time to pull this off,” Ren said. “I wouldn’t use this to get into someone’s bank account, but I could use it to get into a bank’s system and access multiple accounts. That’s where this would be a threat. It’s not a threat to your personal computer, but it is a threat to the business world.”
The team is not planning to exploit its discovery. They’re not going to shut down a gasoline pipeline or wrest ransom in Bitcoin from unsuspecting governments or corporations. Instead, they want to help big chip makers and those involved in the industry find ways to block the thefts.
The team has published its research, funded by the National Science Foundation and Defense Advanced Research Projects Agency, and works with companies and other researchers to find a patch for the vulnerability. Venkat previously worked on a defense against Spectre, a defense that his team found a way around.
The team also shared its research with major chip manufacturers such as Intel and AMD. Venkat expects computer scientists in academia and industry to work quickly together to fix the problem.
“The [personal computer user] should be focused more on where they’re most vulnerable — and that’s software they download off the internet and running untrusted codes,” Venkat said. “Those are what they should focus their attention on. Spectre is interesting because it’s a hard-to-fix vulnerability and it makes secure code vulnerable.”