A team of Researchers discovered 7 New Meltdown and Spectre Level attacks called a sound and extensible systematization of transient execution which includes 2 new Meltdown Attack variants and 5 variants belong to Spectre attack.
All the 7 attacks are affected the 3 major processor vendors Intel, AMD, ARM that allows an attacker to gain access to vulnerable system data.
Among the 7 Attacks, Meltdown-BR exploiting the meltdown effect x86 bound instruction on Intel and AMD and Meltdown-PK exploiting the Meltdown-type effect on memory protection keys on Intel and other 5 exploiting Spectre-PHT and Spectre-BTB attacks.
Researchers called it as an extensible systematization of transient execution attacks in microarchitectural level in CPU that leads to exploit transient execution and encode secrets.
Transient Execution Attacks does not influence the architectural state during the execution of transient instructions but it affects the microarchitectural state.
So this attacks will transfer the microarchitectural state into an architectural state in order to exploit these microarchitectural state changes to extract sensitive information.
Two Meltdown & Five Spectre Attacks
Original Meltdown breaks the separation between the user accounts and the operating systems, it allows access to the memory where attacker extract secret information from other programs and operating systems.
This new 2 Meltdown Attacks exploits an x86 bound instruction on Intel and AMD and bypasses memory protection keys on Intel CPUs.
Meltdown-BR attack related to bound range exceeded exception that bypass the bound checks in x86 processors that affected Intel processors ship with Memory Protection eXtensions (MPX) for efficient array bounds checking.
Meltdown-PK Attack attack to bypass both read and write isolation guarantees enforced through memory-protection keys and PKU isolation can be bypassed if an attacker has code execution in the containing process.
Original Spectre breaks the isolation between the applications, it allows an attacker to trick legitimate applications into leaking their secrets.
Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.
In this new 5 Spectre attacks exploiting the Pattern History Table mechanism.
- Spectre PHT-CA-OP – attack exploits the CPU Pattern History Table (Cross-Address-space Out of Place)
- Spectre PHT-CA-IP – attack exploits the CPU Pattern History Table (Same Address-space In Place)
- Spectre PHT-SA-OP – attack exploits the CPU Pattern History Table (Same Address-space Out of Place)
- Spectre BTB-SA-IP – attack exploits the CPU Branch Target Buffer (Same Address-space In Place)
- Spectre BTB-SA-OP – attack exploits the CPU Branch Target Buffer (Same Address-space Out of Place)
All the above attacks that affected Intel, ARM, and AMD. are clearly demonstrated by the group researchers in their Research Paper.
According to the researchers, Defenses that require hardware modifications are only evaluated theoretically. In addition, we discuss which vendors have CPUs vulnerable to what type of Spectre- and Meltdown-type attack but that only ARM and Intel acknowledged their findings.