The return of Spectre[1] sounds like the next James Bond movie, but it's really the discovery of two new Spectre-style CPU attacks.
Vladimir Kiriansky, a Ph.D. candidate at MIT, and independent researcher Carl Waldspurger[2] found the latest two security holes. They have since published an MIT paper, Speculative Buffer Overflows: Attacks and Defenses[3], which goes over these bugs in great detail. Together, these problems are called "speculative execution side-channel attacks."
These discoveries can't really come as a surprise. Spectre and Meltdown are a new class of security holes[4], deeply embedded in the fundamental design of recent generations of processors. To go faster, modern chips use a combination of pipelining, out-of-order execution, branch prediction, and speculative execution to run the next branch of a program before it's actually called for. This way, no time is wasted if your application does go down that path. Unfortunately, Spectre and Meltdown have shown that the chip makers' implementations of these performance techniques have fundamental security flaws.
Since the initial Spectre and Meltdown discoveries, many other Spectre-style holes[6] have been found. In their latest research, Kiriansky and Waldspurger have discovered two new security problems: Spectre 1.1 and Spectre 1.2.
Spectre 1.1 uses speculative data stores to create speculative buffer overflows. Much like classic buffer overflow attacks[7], speculative out-of-bounds stores can change data and code pointers. Worse still, such attacks can bypass some of the original Spectre mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can, in turn, bypass other software mitigations for previous
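The speculative store pattern Spectre 1.1 targets, shown as an added example that is not from the article or the paper: a bounds-checked store whose check is a predictable branch, beside a hardened version that clamps the index without a branch. The buffer and the `index_nospec()` helper are constructed for this illustration; the helper is modelled on the Linux kernel's `array_index_nospec()` but is an assumed re-implementation, not the kernel's code.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed victim buffer: the array an out-of-bounds speculative store
 * would write past. */
#define BUF_LEN 16
uint8_t buf[BUF_LEN];

/* Spectre 1.1 pattern as the article describes it: the bounds check is a
 * conditional branch. If the predictor guesses "in bounds", the CPU may run
 * the store speculatively with idx >= BUF_LEN and write past the end of buf
 * in the speculative domain before the misprediction is resolved. */
void store_checked(size_t idx, uint8_t val)
{
    if (idx < BUF_LEN)
        buf[idx] = val;
}

/* Branchless index clamp, modelled on the kernel's array_index_nospec()
 * (assumed re-implementation). Returns idx when idx < len and 0 otherwise,
 * using arithmetic only, so a mispredicted branch cannot make the store
 * land outside the array. */
size_t index_nospec(size_t idx, size_t len)
{
    const unsigned shift = sizeof(size_t) * 8 - 1;
    /* Top bit of (idx | (len - 1 - idx)) is set exactly when idx >= len,
     * thanks to unsigned wrap-around. */
    size_t oob  = (idx | (len - 1 - idx)) >> shift;   /* 1 = out of bounds */
    size_t mask = (size_t)0 - (oob ^ 1);              /* all-ones if in bounds */
    return idx & mask;
}

/* Hardened store: the architectural check still rejects bad indices, and the
 * clamp guarantees that even a speculatively bypassed check cannot write
 * outside buf. A compiler may re-introduce a branch here; production code
 * such as the kernel pins the sequence with inline assembly. */
int store_hardened(size_t idx, uint8_t val)
{
    if (idx >= BUF_LEN)
        return -1;
    buf[index_nospec(idx, BUF_LEN)] = val;
    return 0;
}
```

The speculative write itself is not architecturally visible, so the program can only check the clamp's semantics; the point is that the clamped index is in bounds on every path, predicted or not.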