Software can’t completely fix Spectre vulnerability, Google researchers say

Google researchers warned that Spectre-class vulnerabilities will be difficult to avoid in the future unless major changes are made to CPU design. Developers on the Google Chrome V8 JavaScript engine team published a paper on arXiv reporting their findings. The researchers concluded that software alone cannot completely eliminate Spectre vulnerabilities.

Spectre variant

They concluded that every processor that performs speculative execution remains susceptible to some form of side-channel attack, even if mitigations for individual variants are discovered in the future. Malicious programs can exploit Spectre vulnerabilities to read sensitive data from the memory of other programs running on the same machine. To truly address existing and future Spectre vulnerabilities, CPU manufacturers would need to come up with new microarchitecture designs.

The researchers wrote:

“Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it. It is now a painful irony that today, defence requires even more complexity with software mitigations, most of which we know to be incomplete.

“And complexity makes these three open problems all that much harder. Spectre is, perhaps, too appropriately named as it seems destined to haunt us for a long time.”