New Spectre variants earn $100,000 bounty from Intel

Researchers found new speculative execution attacks against Intel and ARM chips, and the findings earned them a $100,000 reward under Intel’s bug bounty.

The new methods are themselves variations on Spectre v1 — the bounds check bypass version of Spectre attacks — and are being tracked as Spectre variants 1.1 and 1.2.

The new Spectre 1.1 has also earned a new Common Vulnerabilities and Exposures (CVE) number, CVE-2018-3693, because it “leverages speculative stores to create speculative buffer overflows” according to Vladimir Kiriansky, a doctoral candidate in electrical engineering and computer science at MIT, and Carl Waldspurger of Carl Waldspurger Consulting.

“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming gadgets that can be used to build alternative attack payloads,” Kiriansky and Waldspurger wrote in their research paper. “In a speculative data attack, an attacker can (temporarily) overwrite data used by a subsequent Spectre 1.0 gadget.”

Spectre 1.2 does not have a new CVE because it “relies on lazy enforcement” of read/write protections.

“Spectre 1.2 [is] a minor variant of Spectre v1, which depends on lazy PTE enforcement, similar to Spectre v3,” the researchers wrote. “In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers and code metadata, including v-tables [virtual tables], GOT/IAT [global offset table/import address table] and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.”

As the research paper from Kiriansky and Waldspurger went live, Intel paid them a $100,000 bug bounty for the new Spectre variants. After the initial announcement of the Spectre and Meltdown vulnerabilities in January 2018, Intel expanded its bug bounty program to include rewards of up to $250,000 for similar side-channel attacks.

I expect that more variants of Spectre and/or Meltdown will continue to be discovered in the future.
Nick BilogorskiyCybersecurity strategist, Juniper Networks

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, also noted that the research into these new Spectre variants was partially funded by Intel.

“When implemented properly, bug bounties help both businesses and the research community, as well as encourage more security specialists to participate in the audit and allow CISOs to optimize their security budgets for wider security coverage,” Bilogorskiy wrote via email. “These bugs are new minor variants of the original Spectre variant one vulnerability and have similar impact. They exploit speculative execution and allow speculative buffer overflows. I expect that more variants of Spectre and/or Meltdown will continue to be discovered in the future.”

ARM and Intel did not respond to requests for comment at the time of this post. ARM did update its FAQ about speculative processor vulnerabilities to reflect the new Spectre variants. And Intel published a white paper regarding bounds check bypass vulnerabilities at the same time as the disclosure of the new Spectre variants. In it, Intel did not mention plans for a new patch but gave guidance to developers to ensure bounds checks are implemented properly in software as a way to mitigate the new issues.

Advanced Micro Devices was not directly mentioned by the researchers in connection with the new Spectre variants, but Spectre v1 did affect AMD chips. AMD has not made a public statement about the new research.