
In January 2018, Google researchers publicly disclosed a fundamental hardware vulnerability in most modern processors with speculative execution of instructions. The Spectre vulnerability (and the related Meltdown) exploits the CPU's branch prediction mechanism and allows data to be read through a side channel, namely the shared cache hierarchy. In other words, any application on a computer can obtain read access to arbitrary memory locations, which breaks the isolation between programs and leads to data leakage, denial of service and other trouble.
Worst of all, virtually all modern processors are vulnerable (except for RISC and the Russian Elbrus), because branch prediction has become a fundamental part of modern CPU architecture that cannot be abandoned without a significant loss of performance.
In fact, the researchers found the vulnerability as early as mid-2017; they simply did not report it to the general public, so that processor and system manufacturers had time to prepare microcode and software updates.
Accordingly, immediately after the official announcement in early January, Intel released a microcode update for a large number of current and older processor models. The update is available as packages for Red Hat Enterprise Linux, SUSE Linux Enterprise Server, CentOS, Fedora, Ubuntu, Debian and Chrome OS, allowing the microcode to be updated without updating the BIOS. Updating the microcode does not eliminate the need to apply the KPTI patches to the Linux kernel. Admittedly, Linus Torvalds called the first versions of the patches "absolute garbage", Intel asked users to stop installing them, and they were then re-released.
Other manufacturers released updates for their products, and corresponding patches came out for most operating systems. The Windows 10 patch had its own misadventures: Microsoft released it, withdrew it, and then released it again.
After all these adventures, the story seemed to be over: stable versions of the patches came out, and everyone who wanted them installed them. It would seem that one could draw a line under it. But no. A year later, on February 14, 2019, a group of Google researchers published a report with the telling title "Spectre is here to stay: An analysis of side-channels and speculative execution". The researchers concluded that it is impossible to close the vulnerability completely with software patches alone; that would require a "significant rework of processors".
From the report it can be concluded that the vulnerability is indeed fundamental. The authors write that all processors with speculative execution will always be subject to various side-channel attacks, regardless of the partial mitigations that may be implemented in the future.
The report says: "We believe that with modern hardware, speculative vulnerabilities undermine confidentiality implemented at the software level. At the same time, there is no comprehensive software defense, since we have discovered that malicious code can create a universal mechanism for reading all memory in the same address space through side channels."
Intel said it intends to implement some hardware changes in its processors to protect against Spectre. But the problem is that Spectre is not just a bug. The researchers believe it is a wide class of vulnerabilities that exploit the branch prediction mechanism, so simple patches will not do here.
The researchers proposed several potential solutions, namely:
- completely disabling speculative execution;
- reducing timer precision;
- branch masking (since any security check embedded in the code as a branch can be bypassed by the very nature of branch prediction, the authors suggest not relying on branches at all in the design of security mechanisms).
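To make the last point concrete, here is an added example (not code from the article or the report) of what "branch masking" means in practice: a bounds check written as an ordinary `if` beside the same check reinforced with a branch-free index mask, in the style of the Linux kernel's `array_index_nospec()` pattern. The helper name `index_mask_nospec`, the `table` contents and the `lookup_*` functions are constructed for illustration; the mask arithmetic assumes both the index and the table size are below 2^63, as the kernel's generic version does.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data: a small table that untrusted code may index into. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Bounds check expressed only as a branch. Architecturally correct, but the
 * comparison is exactly the kind of branch the predictor may speculate past,
 * so the load can transiently run with an out-of-range index before the
 * misprediction is resolved. */
uint8_t lookup_branch(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise.
 * (size - idx - 1) wraps to a value with its top bit set exactly when
 * idx >= size; OR-ing with idx keeps the top bit clear only in the
 * in-range case. Unsigned arithmetic only, so no implementation-defined
 * shifts are involved. Assumes idx and size are below 2^63. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t v = idx | (size - idx - 1);
    size_t out_of_range = v >> (sizeof(size_t) * 8 - 1); /* 1 or 0 */
#if defined(__GNUC__)
    /* Hide the value from the optimizer so it cannot fold the mask back
     * into the branch it is meant to back up (the kernel does the same). */
    __asm__ __volatile__("" : "+r"(out_of_range));
#endif
    return out_of_range - 1; /* 0 -> SIZE_MAX (all ones), 1 -> 0 */
}

/* Index actually used for the load: unchanged when in range, forced to 0
 * when out of range, independent of how the branch is predicted. */
size_t masked_index(size_t idx)
{
    return idx & index_mask_nospec(idx, TABLE_LEN);
}

/* Same check as lookup_branch, but the security of the load no longer
 * depends on the branch alone: even on a mispredicted path the index
 * that reaches memory is within the table. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[masked_index(idx)];
    return 0;
}
```

The point of the pattern is the one the report makes: the `if` stays for correctness, but the value that reaches the memory access is clamped arithmetically, so the check no longer has to be honoured by the branch predictor to be effective.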
The researchers draw a sobering conclusion: "Our models, our mental models, are wrong; we have been trading security for performance and complexity and did not know it. The bitter irony now is that defense requires introducing even more complexity through software mitigations, most of which, as we know, are incomplete... It seems Spectre got a very good name, because it is destined to haunt us for a long time."