In January 2018 the world was shaken by the Meltdown and Spectre vulnerabilities. Fast-forward to mid-February, and the news has fizzled. Software and hardware manufacturers have continued mitigating the issues. But now researchers have unveiled new exploits with the "Prime" suffix.
It will be difficult to handle fixes in software alone, but Intel has announced that its future CPUs will no longer be vulnerable. According to researchers Caroline Trippel, Daniel Lustig and Margaret Martonosi, their new class of vulnerabilities, MeltdownPrime and SpectrePrime, might be impossible to defend against in implementations using CPU speculative execution.
Side-channel attacks were the first wave of exploits for Spectre (variants v1 and v2). The trio of researchers has come up with a new method for exploiting the vulnerabilities using invalidation-based coherence protocols. More importantly, the new exploits seem feasible in real applications, as they can be automatically generated.
The security research team behind the Prime series of vulnerabilities has created a tool that is capable of generating user-specified hardware executions automatically. These low-level, CPU-level commands are written in a domain-specific language and are incomprehensible to people, which is why they are created automatically.
Successfully created exploits include the Flush+Reload class of attacks as well as one using Prime+Probe timing attacks. The complexity is high, but with automated tooling they can be exploited at scale. These classes can also target multiple CPU cores (two for now) using a shared cache, which was not possible with the first Meltdown and Spectre exploits.
The team concludes that largely the same mitigation techniques as for the original exploits can be used, but generic hardware-level protection can be difficult, maybe impossible, to implement. As a working proof, the team created an exploit written in the C language that worked 99.95% of the time over 100 test runs. An Apple MacBook Pro running macOS Sierra was used for the test.
The complete study can be downloaded from here: http://arxiv.org/pdf/1802.03802.pdf