A new variant of the Spectre attacks has been disclosed, and it affects CPUs from AMD, ARM, and Intel. The new Variant 4 attack was disclosed by Microsoft, Google, and Intel itself. It isn’t thought to be as serious as some of the earlier attacks we’ve discussed, though, as always, your exposure will depend on the kind of workloads you run. Like the earlier variants, this attack targets an aspect of speculative execution; in this case the mechanism is called Speculative Store Bypass (SSB).
Here’s how Microsoft describes the problem:
SSB arises due to a CPU optimization that can allow a potentially dependent load instruction to be speculatively executed ahead of an older store. Specifically, if a load is predicted as not being dependent on a prior store, then the load can be speculatively executed before the store. If the prediction is incorrect, this can result in the load reading stale data and possibly forwarding that data onto other dependent micro-operations during speculation. This can potentially give rise to a speculative execution side channel and the disclosure of sensitive information.
Table by Microsoft
The overall risk, in this case, is thought to be low. SSB can let an attacker read data from memory locations they shouldn’t be able to access, but it doesn’t let them write data, and exploiting it requires that the attacker already be able to run code on the victim machine. The bad news is that if SSB does represent a risk to your systems, the mitigation carries a performance cost: published test results show a slowdown of anywhere from 2 percent to 8 percent when the Variant 4 mitigation is enabled, depending on the benchmark in question. For now, the major vendors are recommending that users leave the mitigation disabled unless they know they have a specific reason to enable it. AMD appears to be following that guidance as well.
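The practical question the paragraph above raises is how to tell whether a given Linux host has the Variant 4 mitigation available at all, and how to switch it on for just the processes that run untrusted code (a browser renderer, a JIT, a sandbox) when the system-wide default is off. The C program below is an added example, not code from the article or from any vendor. It assumes a Linux 4.17 or later kernel that exposes /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and the PR_SET_SPECULATION_CTRL/PR_GET_SPECULATION_CTRL prctl(2) interface; the ssb_* function names are this example's own, and the sample status strings in the comments are constructed from the kernel's own wording.

```c
/* Added example (not from the article): report the kernel's Speculative Store
 * Bypass status and opt the calling process into the mitigation via prctl(2).
 * Assumes Linux >= 4.17; elsewhere the prctl helpers return -ENOSYS. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Values from <linux/prctl.h>, repeated so the code builds on older headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS   0
#define PR_SPEC_NOT_AFFECTED   0
#define PR_SPEC_PRCTL          (1UL << 0)
#define PR_SPEC_ENABLE         (1UL << 1)
#define PR_SPEC_DISABLE        (1UL << 2)
#define PR_SPEC_FORCE_DISABLE  (1UL << 3)
#endif

enum ssb_status {
    SSB_UNKNOWN = 0,       /* sysfs file missing or text not recognised */
    SSB_NOT_AFFECTED,      /* "Not affected" */
    SSB_VULNERABLE,        /* "Vulnerable": no microcode or kernel support */
    SSB_MITIGATED_ALWAYS,  /* "Mitigation: Speculative Store Bypass disabled" (system-wide) */
    SSB_MITIGATED_OPT_IN   /* "... disabled via prctl[ and seccomp]" (default off, per process) */
};

/* Classify one line of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. */
enum ssb_status ssb_classify(const char *line)
{
    if (line == NULL)
        return SSB_UNKNOWN;
    if (strncmp(line, "Not affected", 12) == 0)
        return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return strstr(line, "prctl") ? SSB_MITIGATED_OPT_IN : SSB_MITIGATED_ALWAYS;
    return SSB_UNKNOWN;
}

/* Read and classify the sysfs file; SSB_UNKNOWN if it cannot be read. */
enum ssb_status ssb_host_status(void)
{
    char buf[128];
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (f == NULL)
        return SSB_UNKNOWN;
    if (fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    return ssb_classify(buf);
}

/* Interpret a PR_GET_SPECULATION_CTRL result: is this process protected?
 * Pure function so the decision logic can be checked without a live kernel. */
int ssb_prctl_is_safe(long flags)
{
    if (flags < 0)                       /* prctl failed (old kernel): treat as unsafe */
        return 0;
    if (flags == PR_SPEC_NOT_AFFECTED)   /* kernel says the CPU is not affected */
        return 1;
    return (flags & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* Query the calling process; returns the kernel's flag word, or -errno. */
long ssb_prctl_query(void)
{
#ifdef __linux__
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
#else
    return -ENOSYS;
#endif
}

/* Opt this process, and everything it forks or execs, into the mitigation.
 * FORCE_DISABLE is sticky: a later PR_SPEC_ENABLE from the same process is refused. */
int ssb_prctl_force_disable(void)
{
#ifdef __linux__
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return -errno;
    return 0;
#else
    return -ENOSYS;
#endif
}

int main(void)
{
    static const char *names[] = { "unknown", "not affected", "vulnerable",
                                   "mitigated system-wide", "mitigated on opt-in (default off)" };
    printf("host: %s\n", names[ssb_host_status()]);
    long before = ssb_prctl_query();
    int rc = ssb_prctl_force_disable();
    long after = ssb_prctl_query();
    printf("prctl before=%ld after=%ld (set rc=%d), protected: %s\n",
           before, after, rc, ssb_prctl_is_safe(after) ? "yes" : "no");
    return 0;
}
```

Because the prctl setting is inherited across fork and execve, the usual pattern is to call the force-disable step in a launcher immediately before exec'ing the component that will run untrusted code, so only that process tree pays the 2 to 8 percent cost while the rest of the system keeps the default-off configuration the vendors recommend.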
In its update, Intel writes:
We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact…
This same update also includes microcode that addresses Variant 3a (Rogue System Register Read), which was previously documented publicly by Arm in January. We have not observed any meaningful performance impact on client or server benchmarks with the Variant 3a mitigation. We’ve bundled these two microcode updates together to streamline the process for our industry partners and customers. This is something you will see us continue, as we recognize that a more predictable and consolidated update process will be helpful to the entire ecosystem.
It’s not clear when we’ll be done with Spectre patches. Because the original disclosure identified an entire class of attacks against CPUs that use speculative execution, rather than a single bug, we could be dealing with this problem for years to come. Intel has promised hardware changes to resolve certain issues in future CPU generations; it’s not clear whether AMD will follow suit and introduce mitigations in Ryzen 2.