[SAFE-ID: JIWO-2025-1617]   Author: 特仑苏   Published: [2018-07-13]


Security researchers Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) have published a paper disclosing a new variant of the Spectre vulnerability, which they call Spectre1.1 (CVE-2018-3693); it produces speculative buffer overflows. Spectre1.1 uses speculative stores to create speculative buffer overflows and is also known as Bounds Check Bypass Store, or BCBS. Although the researchers consider Spectre1.1 a minor version within the Spectre V1 family, it can affect billions of devices driven by modern processors. The researchers also introduce a Spectre1.2 flaw, another minor variant of the first Spectre vulnerability, which affects CPUs that do not enforce read/write protections and rely on PTE enforcement. They have validated Spectre1.1 and Spectre1.2 attacks against Intel x86 and ARM processors, and believe Spectre1.1 can be fully mitigated with processor microcode updates.

In their paper, the two security researchers explain the attacks and defenses for the new Spectre variant they discovered, which they call Spectre1.1 (CVE-2018-3693). It is a new variant of the first Spectre security vulnerability unearthed earlier this year, which has since been found to have multiple other variants.

The new Spectre flaw leverages speculative stores to create speculative buffer overflows. By analogy with classic buffer overflow flaws, the new vulnerability is also known as "Bounds Check Bypass Store" or BCBS, to distinguish it from the original speculative execution attack (Bounds Check Bypass).

Though the researchers consider the new variant a minor version of the Spectre V1 family because it uses the same opening in the speculative execution window, namely conditional branch speculation, Spectre1.1 affects billions of devices powered by modern processors, including those from Intel and AMD.

According to the researchers, speculative buffer overflows allow a local attacker who can run arbitrary untrusted code on a vulnerable system, one whose microprocessor uses speculative execution and branch prediction, to expose sensitive information via side-channel analysis combined with a speculative buffer overflow.

"Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks," said the researchers.
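The pattern at the root of BCBS is a store whose index is validated only by a conditional branch. The following is an added example, not code from the paper or the article, showing that pattern beside the index-masking defense already used against Spectre v1 loads, here applied to the store index in the style of the Linux kernel's array_index_nospec(). The buffer, its length and the sample indices are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a small writable buffer indexed with an untrusted
   value.  Whatever follows it in memory is what a speculative
   out-of-bounds store would reach. */
#define BUF_LEN 16

/* Pattern A: the shape the article describes.  Architecturally the store
   never happens for idx >= len, but while the conditional branch is
   mispredicted the CPU may execute the store speculatively with an
   out-of-range index (Bounds Check Bypass Store). */
int store_checked_branch(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        buf[idx] = val;          /* the index reaches the store unclamped */
        return 1;
    }
    return 0;
}

/* Branchless index clamp (assumed helper, modelled on array_index_nospec):
   returns idx when idx < len and 0 otherwise, using only unsigned
   arithmetic so no predictable branch is involved.  Assumes len > 0 and
   both values below SIZE_MAX/2, which holds for any real buffer. */
static inline size_t clamp_index_nospec(size_t idx, size_t len)
{
    /* len - 1 - idx wraps to a huge value exactly when idx >= len, so the
       top bit of (idx | (len - 1 - idx)) is 1 iff idx is out of range. */
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = out_of_range - 1;   /* 0 if out of range, all ones if in range */
    return idx & mask;
}

/* Pattern B: identical architectural behaviour, but the index that reaches
   the store is clamped, so even a mispredicted bounds check cannot form an
   out-of-range store address. */
int store_checked_masked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        buf[clamp_index_nospec(idx, len)] = val;
        return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[BUF_LEN];
    memset(buf, 0, sizeof buf);

    printf("clamp(5,16)=%zu clamp(16,16)=%zu clamp(SIZE_MAX,16)=%zu\n",
           clamp_index_nospec(5, BUF_LEN), clamp_index_nospec(16, BUF_LEN),
           clamp_index_nospec(SIZE_MAX, BUF_LEN));
    printf("in-range store accepted: %d, out-of-range store rejected: %d\n",
           store_checked_masked(buf, BUF_LEN, 5, 0xAA),
           store_checked_masked(buf, BUF_LEN, 100, 0xBB) == 0);
    return 0;
}
```

The point of the clamp is that the protection sits on the store itself rather than on a later fence, which is what the researchers' control-flow observation above calls for: a speculative write that has already landed can redirect execution around any fence placed after it. A compiler is free to rewrite the arithmetic back into a branch, which is why the kernel's version pins it with inline assembly; treat this as the idea, not a drop-in. It does nothing for Spectre1.2, where the overwritten data is read-only and the fix is in hardware.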

Spectre1.2

In addition to the Spectre1.1 vulnerability, the security researchers have also introduced a Spectre1.2 flaw, another minor variant of the first Spectre vulnerability, which appears to affect CPUs that don't enforce read/write protections and depend on lazy PTE enforcement.

"In a Spectre1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective," explain the security researchers.

The researchers have validated the Spectre1.1 and Spectre1.2 attacks on both Intel x86 and ARM processors. For Spectre1.1, they recommend the SLoth family of microarchitectural mitigations, and they note that Spectre1.1 can be mitigated in future processors if chip manufacturers implement a so-called Rogue Data Cache Store protection feature.

As you might expect, Intel and other industry partners are working on patches for the newly discovered Spectre flaws, which present significant new risks: they allow attackers to perform arbitrary speculative writes, both local and remote, and to bypass existing software mitigations for earlier speculative-execution attacks.

While the researchers believe the Spectre1.1 vulnerability can be completely mitigated with processor microcode updates, Intel recommends that users check with their operating system vendors for security patches. As initially believed, industry experts expect a number of new Spectre variants to be disclosed in the foreseeable future.

Original article: https://news.softpedia.com/news/new-variant-of-spectre-security-flaw-discovered-speculative-buffer-overflows-521915.shtml

[Source: jiwo.org]
