The ghost of Spectre hardware design bugs in processors is yet to be laid to rest, after security researchers found a way of reviving the data leak vulnerability.
Security vendor VUSec has shown by abusing branch history injection, which globally picks selected targets to speculatively execute, it is possible for attackers to get around software fixes such as Retpoline, and hardware mitigations in newer chip designs from Intel and ARM.
VUSec calls its discovery "a revival of cross-privilege Spectre-v2 attacks on modern systems deploying in-hardware defenses".
Speculative execution is a processor hardware optimisation feature that attempts to prepare and run code that might be used, before it is needed by programs.
The go-faster feature has been shown to be exploitable in order to leak sensitive data such as user credentials and digital encryption keys, with vendors struggling to provide fixes that do not slow down their processors.
Extending Spectre V2, BHI circumvents Intel's enhanced indirect branch restricted speculation (eIBRS) and a similar security feature in ARM processors, which VUSec say work as intended, but the CPU designers did not assume correctly how wide the residual attack surface is for the original exploit.
"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel. However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (ie, gadgets) that leak data", VUSec writes.
Intel has acknowledged the bug, with most of their CPUs bar the Atom family being vulnerable to Spectre-BHI.
Processor designer ARM lists all its parts as being vulnerable, with both vendors releasing software mitigations for the data leak bug.
