Spectre bugs likely to 'haunt us for a long time' as software alone can't fix all of them, warn Google researchers

Spectre vulnerability affects microprocessors able to carry out branch prediction

Software alone can't fix all Spectre bugs, and the CPU manufacturers need to find new microarchitecture designs to eliminate the risks associated with these vulnerabilities, according to a new study by Google security researchers.

Spectre is a hardware vulnerability affecting modern microprocessors that can potentially be exploited by malware to read data being processed by the CPU. As the name suggests, the Spectre vulnerability affects only those microprocessors which carry out branch prediction and speculative execution.

Speculative execution is an optimisation technique in which the processor guesses the future path of a programme and carries out the anticipated calculations in advance. The results are held, and their side effects remain in the CPU cache, and they are used if the path was guessed correctly, which saves the processor time and enables quicker execution of code.

In 2017, researchers found that a malicious programme can exploit the Spectre vulnerability to steal confidential data stored in the memory of other programmes being executed.

Spectre breaks the isolation between different applications and enables an attacker to deceive error-free programmes into disclosing their secrets. According to researchers, Spectre can enable a website to read data stored in the browser for another website, or even the browser's memory itself.

In the current study, Google researchers Ross McIlroy, Tobias Tebbi, Jaroslav Sevcik, Toon Verwaest and Ben Titzer showed that it is possible to create a universal 'gadget' that exploits the speculative-execution bugs present in multiple CPU families, enabling malicious code running in a thread to read the entire memory of the same address space.

The researchers found that, despite operating system patches developed to prevent specific Spectre exploits, the underlying threat remains for any application that interprets attacker-supplied code.

In this case, software defences alone cannot stop Spectre, and it becomes essential to rely on hardware-based separation: hardware-enforced page tables and separate processes, each with its own virtual address space.

"We now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels," the researchers wrote in their paper, which was distributed through ArXiv.

The researchers say they could not find any software solution for Variant 4, Speculative Aliasing Confusion. "Variant 4 defeats everything we could think of," they revealed.

The research group also added defences against Spectre to the V8 JavaScript virtual machine within the Chrome browser and found that they only slowed things down, without actually solving the problem.
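The kind of software defence the text refers to, as an added example that is not code from the paper or from V8: a branchless index mask (the construction the Linux kernel uses as array_index_mask_nospec) shown beside the plain bounds check it hardens. It only addresses the bounds-check-bypass pattern; it does nothing for the Variant 4 case the researchers say defeated everything. The sample table and lookup functions are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data standing in for a bounds-checked buffer. */
static const uint8_t sample_table[8] = {10, 20, 30, 40, 50, 60, 70, 80};
#define SAMPLE_SIZE (sizeof sample_table / sizeof sample_table[0])

/* The pattern a bounds-check-bypass gadget relies on: the check is a
 * conditional branch, so a mispredicted branch can speculatively load
 * sample_table[index] for an out-of-range index before the check resolves,
 * leaving cache traces that a side channel can observe. */
uint8_t lookup_branch_only(size_t index)
{
    if (index < SAMPLE_SIZE)
        return sample_table[index];
    return 0;
}

/* Branchless mask: all-ones when index < size, zero otherwise. It is pure
 * arithmetic, so there is no branch for the CPU to mispredict. Assumes
 * size <= LONG_MAX and an arithmetic right shift of signed values (as gcc
 * and clang provide). */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* (index | (size - 1 - index)) is non-negative as a long only when
     * index < size; ~t then has the sign bit set, and the arithmetic shift
     * smears that bit across the whole word. */
    long t = (long)(index | (size - 1 - index));
    return (size_t)(~t >> (sizeof(long) * 8 - 1));
}

/* Clamp an index to 0 when it is out of range, without a branch. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Hardened lookup: the architectural result is unchanged, but even on a
 * mispredicted path the masked index cannot reach past the table. */
uint8_t lookup_masked(size_t index)
{
    if (index < SAMPLE_SIZE)
        return sample_table[clamp_index_nospec(index, SAMPLE_SIZE)];
    return 0;
}
```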

"Spectre is perhaps, too appropriately named, as it seems destined to haunt us for a long time," the researchers conclude.