We are approaching the half-year mark after the public reveal of the Meltdown and Spectre vulnerabilities on almost all modern CPUs, Intel, AMD, and ARM, and yet researchers are still finding new ways to use them. In this latest example, researchers were able to compromise the security of a portion of your memory that is supposed to be reserved for the system to use. Neither the user nor the operating system is supposed to have access to this memory, but the researchers were able to read it on an Intel Core i3-3220 CPU, with all available patches installed.
Meltdown, Spectre variant 1, and Spectre variant 2 all work by exploiting the out-of-order capabilities of modern CPUs, though only Intel CPUs were vulnerable to Meltdown. Today's chips do not just do the work we ask them to do when we ask them to, but they try to predict what we want to do and then start working on those predictions to be ready when we do ask. What was discovered before was that this prediction could be exploited to access information the user normally should not have access to, like the memory for a different virtual machine. Patches protecting against Spectre 1 have been created and released, but these all protect software, not the hardware and this is what the researchers have gone after now.
When your system boots, the BIOS or UEFI firmware will be loaded and part of what it will do is reserve a section of your memory for itself. This section is for system management and is protected at a hardware level, preventing the user or operating system from access it. On Intel CPUs a range register is used as a hardware-level protection for this section of memory, but these processors can also enter System Management Mode (SMM), which is a highly privileged mode. What the researchers did was modify the publicly available proof-of-concept code for Spectre variant 1 and used it to exploit SMM interfaces to then get information out of the system management memory, going around the System Management Range Registers meant to protect it.
While it was Spectre variant 1 code that was used here, the researchers believe Spectre variant 2 could also be modified to attack a system's firmware. For mitigation, Intel, which the researchers have been working with since March, recommends using the same guidance to protect software be applied to SMM as well, which would require updating firmware to apply. There is no mention if AMD CPUs might also be vulnerable.
Back to original news post