New Spectre flaws have been revealed by the former head of Intel’s advanced thread team, Yuriy Bulygin. This is a man who knows what he’s doing, so his opinions and findings are not to be treated as fly-by-night like some others. Through his new security agency, Eclypsium (a neat name, it must be said), Bulygin posts of a new application of speculative execution attacks which hinge on Spectre variant 1 (bounds check bypass), although it’s believed that the same exploit would work with variant 2 (branch target injection), as well.
Ultimately, Bulygin’s exploit leverages the bounds check bypass element of Spectre’s variant 1 to circumvent the system management range register (SMRR) protection of the system management mode (SMM) memory. It’s claimed that this attack allows an unprivileged user to read contents of memory, including memory which should be completely protected by the SMM.
With an attack, if an instruction causes out-of-bands access to memory, it’d still be speculatively executed by the CPU if it’s affixed to the same predicted path behind the indirect conditional branch instruction. The CPU will try to correct this, but in effect bleed information to the CPU caches, allowing the attacker to glean some of what was being stored.
If there’s an upside to these new attack vectors, it’s that Intel claims that mitigating Spectre variant 1 in effect takes care of this added SMM exploit. The sad thing, of course, is that we’re still not done hearing about Spectre, and all we can do is hope that future microprocessors are not going to suffer such a wide-reaching bug. AI could very-well help with this kind of thing, detecting issues long before a human does. We need that backup help sooner than later.