Latest in Gear

Image credit: BeeBright via Getty Images

Researchers discover new ways to abuse Meltdown and Spectre flaws

And chipmakers' hardware changes won't be enough to protect against them.
BeeBright via Getty Images

Intel has already started looking for other Spectre-like flaws, but it won't be able to move on from the Spectre/Meltdown CPU vulnerabilities anytime soon. A team of security researchers from NVIDIA and Princeton University have discovered new ways to exploit Meltdown and Spectre outside of those idenfitied in the past. The researchers developed a tool to explore how else cyber criminals could take advantage of the CPU flaws and found new techniques that could be used to extract sensitive info like passwords from devices.

These techniques, which they've dubbed MeltdownPrime and SpectrePrime, pit two CPU cores against each other to dupe multi-core systems and get access to their cached data. The team wrote in their report (PDF):

"In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information. By exploiting cache invalidations, MeltdownPrime and SpectrePrime -- two variants of Meltdown and Spectre, respectively -- can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel.

Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol."

The good news is that the software patches Intel and other chipmakers are rolling out are enough to protect against the newly discovered techniques. Those patches come with their own set of troubles and might slow down systems a bit, but they can at least ensure PCs, phones, servers and anything made vulnerable by the flaws are protected. However, the hardware changes Intel and other chipmakers are planning to make future CPUs Spectre- and Meltdown-proof might not be enough. The researchers said the discovery of these new techniques will "require new considerations" when it comes to any planned "microarchitectural mitigation."

From around the web

ear iconeye icontext filevr