Researchers find a new class Spectre attack, SplitSpectre

Researchers at Northeastern University and IBM Research have discovered a new variant of the Spectre CPU vulnerability that can be leveraged through browser-based code. An important difference between the new vulnerability known as SplitSpectre and other Spectre variants is that it is easier to exploit.

Image: Mambretti et al.

Researchers explain:

“Although Spectre v1 is powerful and does not rely on SMT (Simultaneous Multithreading), it requires […] a gadget to be present in the victim’s attack surface. Google Project Zero writes in their original blog post on Spectre v1 [46] that they could not identify such a vulnerable code pattern in the kernel, and instead relied on eBPF (extended Berkeley Packet Filter) to place one there themselves.

In this point lies the strength of our new Spectre v1 variant, SplitSpectre. As its name implies, it splits the Spectre v1gadget into two parts.”

The researchers used Firefox’s JavaScript engine, SpiderMonkey 52.7.4, to successfully execute the SplitSpectre attack on Intel’s Haswell and Skylake processors, as well as AMD’s Ryzen processor. 

All things considered, our analyses lead us to conclude that the attack is viable, and that the ability to trigger it in practice depends on the identified microarchitectural properties of individual CPU families,” researchers said.

But users don’t have to worry because the existing Spectre mitigation method can also block SplitSpectre attacks. The research report was published on the IBM Research website.