Researchers have revealed another vulnerability in the speculative execution function of Intel's processors, one that affects all Intel-based computers including Apple's Mac. Dubbed "Spoiler," it potentially gives an attacker the ability to view the layout of memory, and in
The speculative execution function of Intel's
Dubbed "Spoiler," the technique is able to determine how virtual and physical memory are related to each other by measuring the timing of speculative load and store operations performed by the processor, reports The Register. By spotting discrepancies in the timing, it is possible for an attacker to determine the memory layout, and in
Speculative execution typically works by using a memory order buffer to track its operations, by copying data from a CPU register to main memory in the order it appears in
If they are wrong, the speculative elements are discarded and a normal non-speculative load of data is performed, allowing the instruction to be carried out, but without the performance boost.
The paper advises that the main issue with Spoiler is how Intel performs memory disambiguation, which tries to prevent computation on data loaded by an incorrect speculation attempt. The timing behavior of that mechanism is the actual vulnerability.
By filling the store buffer with addresses using similar offsets but different virtual pages, then issuing a memory load with the same offset on a different memory page, the team measures the time of the load. After performing multiple loads across numerous virtual pages, the timing differences provide clues about the memory locations.
"There is no software mitigation that can completely erase this problem," according to the researchers. While the chip architecture could be fixed, it would considerably cut into the chip's performance.
Intel was advised about the vulnerability on December 1, 2018, and it was disclosed to the public after a typical 90-day grace period. So far, Intel has not issued a CVE number for the problem, with Moghimi speculating that the issue is not easily patchable with microcode in an efficient enough manner, and that a patch for the attack vector may take years to produce.
As the issue affects all Intel Core processors from the first generation onwards to the most recent releases, regardless of operating system, it is almost certain that all Macs are susceptible to attacks that take advantage of the vulnerability. It is unclear whether Apple has specifically responded to the issue, which potentially affects its macOS-running products.
The researchers note that ARM and AMD processor cores do not exhibit the same behavior, which means iPhones and iPads are safe from such attacks.
The speculative execution function was core to the Spectre vulnerabilities found in January 2018, which affected Intel processors as well as ARM-based versions, including both macOS and iOS devices, and against which Apple quickly released mitigations. While similar in this regard, Spoiler functions quite differently from
"We expect that software can be protected against such issues by employing side channel safe development practices," said Intel regarding Rowhammer-style attacks. "Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."