A group of Google security researchers have warned that Spectre speculative execution attacks are here to stay without serious changes to the design of modern CPU architectures, such as eliminating speculation execution in order to prevent all related side-channel attacks.
Speculative Execution Considered Harmful
The team of security researchers, including Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer and Toon Verwaest, work on Google Chrome’s V8 JavaScript engine and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, regardless of specific mitigations the cybersecurity community might find along the way.
A little more than a year ago, the Spectre and Meltdown bugs affecting most CPUs were disclosed, sending everyone into panic mode. These bugs were different not just because they affected hardware -- meaning they would be difficult to fix -- but because they cast doubt on entire microarchitecture designs.
According to the research report, to truly fix all existing as well as future Spectre bugs, the CPU makers need to come up with new CPU microarchitecture designs and do it without compromising the performance of modern too much, or at all, if possible.
So far, Intel has only made promises about including some hardware fixes for known and specific Spectre bugs in future CPU generations. However, the issue is that Spectre bugs define an entire class of speculative execution bugs that enable side-channel attacks. As long as the microarchitecture designs that allow speculative execution bugs remain in place, bugs from the Spectre family will continue to be found.
As attackers start to focus more on exploiting hardware bugs that affect most of the world’s devices and can bypass the majority of software protections, the need for more secure hardware and processors will only increase.
What Is Speculative Execution?
Speculative execution is an optimization technique that modern processors implement to increase performance. The performance increase is achieved through the processor executing some operations before it knows they are needed by the program. This speculative work saves time compared to waiting until an operation is required from the CPU.
It’s also why CPU manufacturers are still relatively reluctant to completely eliminate speculative execution from their CPUs and would rather try to mitigate the potential damage from side-channel attacks in some other ways.
Potential Mitigations
The Google researchers proposed several mitigation solutions to end or reduce the damage caused by Spectre bugs.
Disabling Speculative Execution
The first one is disabling speculative execution altogether, which would prevent the entire class of bugs related to it from existing. However, they noted that most of the existing CPUs don’t even allow users this option, and when they do it’s quite limited in scope.
The LFENCE instruction from some Intel CPUs can prevent against certain types of Spectre attacks, but using it to prevent all types of Spectre attacks could drastically lower the CPU's performance.
Timer Mitigation
Another potential mitigation is called “timer mitigation.” This would include adjusting the precision timers to a lower resolution or removing them altogether. This was one of the first solutions against Spectre that both Google and Mozilla implemented in their browsers.
However, Google researchers have now concluded that this mitigation faces a few issues. For one, certain resolution timers can be vulnerable to resolution recovery. Timers are also more pervasive than thought, and high resolution timers can be constructed from concurrent shared memory.
Branchless Masking
The Google team noted that using an execution branch as a safety check against speculative execution attacks doesn’t work as it can be bypassed, due to the the nature of branch prediction. As such, the researchers proposed safety checks that don’t rely on branches.
As part of its defensive work for the V8 JavaScript engine, the team of researchers tried to develop various software mitigations against Spectre attacks. However, they noted that none of these solutions are comprehensive enough and come with serious performance penalties.
The researchers also called attention to the fact that programming language security enforced with static and dynamic checks can no longer guarantee confidentiality within the same address space.
The researchers believe that hardware and OS process isolation is now needed more than ever. This is likely why Google also enabled Site Isolation for its browser as a mitigation against Spectre attacks early on and why Mozilla plans to do the same with "Project Fission" in Firefox soon.
Wake-Up Call for CPU Vendors
The security researchers leave us with a wake-up call at the end of the paper, calling into question the entire history of trade-offs of performance over security that CPU makers have been making for decades:
"Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it. It is now a painful irony that today, defense requires even more complexity with software mitigations, most of which we know to be incomplete. And complexity makes these three open problems all that much harder. Spectre is perhaps, too appropriately named, as it seems destined to haunt us for a long time."
