silversurfer

Level 47
Content Creator
Trusted
Malware Hunter
Verified
Researchers say Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits.

Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper was released this month and spotted by The Register.

The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

"The root cause for Spoiler is a weakness in the address speculation of Intel's proprietary implementation of the memory subsystem, which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler," they write.

They also looked for the same weakness in Arm and AMD processor cores but didn't find the same behavior that is present in Intel chips.

Spoiler depends on "a novel microarchitectural leakage, which reveals critical information about physical page mappings to user space processes".

"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS, and also works from within virtual machines and sandboxed environments."
 

Spawn

Administrator
Staff member
Verified
We all have to switch to AMD Ryzen now... or will they find the next flaw there?
I feel depressed by all those exploits :mad:
We all care about security and privacy here, but it's not possible anymore :unsure:
You lock your home when away, but if someone is willing to break in, they will. No questions asked.

There's never been any security/privacy on the Internet/Real World, just preventive measures, that's all.
 

Vasudev

Level 28
Verified
I always knew hardware flaws can't be patched with software no matter how much they try eventhough Software is used at every level.
I moved to 19H1 with spectre protections with retpoline. Linus torvalds said user has the option to choose: Get highest performance w/o patches or get max security with max security hit. He also asked users to selectively disable/enable the protection in Linux for demanding tasks.