Specter (vulnerability)

from Wikipedia, the free encyclopedia

Specter logo

Type hardware
CVE number (s)

CVE-2017-5715 , CVE-2017-5753 , CVE-2017-6289 , CVE-2018-3615 , CVE-2018-3620 , CVE-2018-3639 , CVE-2018-3640 , CVE-2018-3646 , CVE- 2018-3665 , CVE-2018-3693 , CVE-2018-9056

Date of discovery June 1, 2017
Release Date January 3, 2018
Architecture (s)

ARM , MIPS , POWER , PowerPC , x86

Operating systems

regardless of the operating system


AMD , Apple , ARM , Citrix , Huawei , IBM , Intel , Nvidia , NXP , Oracle , Qualcomm



Specter describes attack scenarios in which processes through security holes in microprocessors with out-of-order execution read information from the virtual memory to which they should not have access.

The attackers circumvent security mechanisms such as sandboxing or the separation between program code and code provided by the user (e.g. interpreter vs. script ). During the out-of-order execution of the processor, the content of a memory cell is temporarily read from its own address space, which the calling process would normally not be able to access. The "preliminary readout" leaves a noticeable trace in the cache , even after the result of the speculative execution has been discarded.


Specter was discovered independently by researchers from Google's Project Zero as well as by Paul C. Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom and published on January 3, 2018 in connection with the related security vulnerability Meltdown after the affected Software and hardware manufacturers had already been informed on June 1, 2017. The Specter vulnerability was discovered, together with Meltdown, on the widely used x86 architecture from Intel and AMD , although other architectures are also considered vulnerable.

Processors Affected

Theoretically, all processors that offer speculative execution branch prediction , especially those with indirect branching , are susceptible .

X86 processors before 1995 and those without speculative execution or without out-of-order execution , such as Atom processors before 2013, as well as the Itanium architecture from Intel and HP are not affected by the Specter vulnerability .

On January 4, 2018, AMD confirmed the vulnerability of previous processors to Specter V1, but spoke of a "risk close to zero" for Specter V2, as no successful attack via variant 2 of Specter has yet been proven.

Apple, IBM and Motorola started developing PowerPC processors based on the IBM POWER architecture in 1991 . Since this provides for speculative execution, the majority of all PowerPC and POWER processors are vulnerable. Tests have shown that older processors of the G3 (PPC750) and G4 series (only PPC7400 and 7410) are not susceptible in practice, but later models from PPC7450 - G4 744x and 745x and PowerPC G5 (PPC970) - and the POWER6 are. IBM has confirmed the vulnerability of POWER7 + , POWER8 and POWER9 .

MIPS processors are partially affected, such as the P5600 and P6600 models from 2013.

Oracle processors with the SPARC architecture developed by Sun are also affected by Specter. Fujitsu released updates for servers with the SPARC64 XII and SPARC64 X + processors. Older processor models such as SPARC64 VI also include branch prediction .

ARM architecture processors can be vulnerable, such as B. the SoCs Snapdragon 845 from Qualcomm or some models of the Tegra series from Nvidia . ARM processors produced by Apple , e.g. B. the Apple A11 , are vulnerable. All devices on which iOS runs as the operating system are listed, such as the iPad or Apple TV , in which said ARM processors are installed.
ARM processors with in-order execution will not be affected, or about ARM Cortex-A7 and -A53 designs as such. B. can be used in the Raspberry Pi .

Apple also confirmed the vulnerability of all current Mac models in 2018 (formerly Macintosh ) that use x86 processors from Intel and are therefore also affected by Meltdown. In older Macs, Apple used PowerPC processors from 1994 to 2006, which, as described above, are also partially vulnerable.

GPUs are not affected by Specter. Because of Specter z. For example , updated graphics drivers published by Nvidia should only prevent speculative command execution attacks on x86 processors that are part of the driver software.

Mode of action and effects

Attacks using the Specter vulnerability require, as with the meltdown vulnerability, that the processor supports out-of-order execution . Here the processor executes some instructions speculatively in order to achieve high efficiency. According to the idea of out-of-order execution , the state of the processor is as if the instruction had never been executed, even in the case of incorrect speculation. The Specter attacks take advantage of the fact that the state of the system changes at certain points, although the result of the speculative execution is discarded. These changes, e.g. B. the loading of a memory page into the cache , serve as a hidden channel to extract information from the address space of the attacked process. The receiving process decodes the transmitted information from the changes in the system and can thus read it.

Variants of the original Specter attack not only read out the memory without authorization, but also receive other protected information. With the Lazy FP state restore variant from the Specter-NG record, floating point registers can be read out. This is explosive because some encryption programs store private keys in these registers.

In the event of an attack, certain commands introduced by the attacker can be executed speculatively, e.g. B. by return oriented programming using a buffer overflow or with a program provided by the attacker and executed by the user (e.g. in an interpreted script language such as JavaScript ). The Specter gap can be used to extract information from the address space of the executing interpreter, such as the web browser . An attacker can read passwords from the password memory of the web browser using a malicious JavaScript loaded from a web server.

The authors demonstrated a scenario in which a program outputs the content of a character string or any memory location in its own address space without accessing the character string directly via the pointer . The trigger for the speculative execution was a jump prediction that was deliberately made incorrectly. Indirect jumps, in which cache misses lead to the speculative execution of code that would otherwise not be executed, also enable the attack.

The demonstrated attack (Specter V1) using a faulty branch prediction works as follows:

Commented sample code:

 1 #define PAGESIZE 4096
 2 unsigned int array1_size = 16;
 3 uint8_t array1[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
 4 uint8_t array2[256 * PAGESIZE];
 5 uint8_t temp;
 6 void victim_function(size_t x) {
 7    if (x < array1_size) {                    // Dieser Vergleich wird für die fehlerhafte Sprungvorhersage ausgenutzt
 8        temp &= array2[array1[x] * PAGESIZE]; // Der Zugriff auf array2[] lädt eine Seite in den Cache, deren Adresse
 9                                              // vom Inhalt von array1[x] abhängt. Das ist der verdeckte Kanal.
10    }
11 }
  1. First, the attacker selects a storage location pand calculates its offset x_mwith respect to the array under his control array1.
  2. Then it trains the branch prediction of the processor for the branch in line 7so that the processor assumes that the condition preferably applies by calling victim_functionvery often with values ​​from the interval 0...15.
  3. The attacker then influences the system's cache in such a way that the value of is array1_sizenot present in the cache, while the content of the memory location to be read is present in the cache.
  4. Now he executes the code x=x_m. The condition in line 7will therefore not apply. Since it is array1_sizenot in the cache, the processor will speculatively execute the following code while it is being array1_sizeloaded from memory, because the branch prediction learned previously assumes a true condition.
  5. array1[x_m]now shows p. Its content is speculatively loaded, converted to a page address and the corresponding page is array2flagged for loading into the cache.
  6. array1_sizehas been loaded from memory and the processor determines that the speculatively executed instructions should be discarded. A single page remains in the cache array2depending on the content of the memory plocation.
  7. The attacker then analyzes which pages array2were loaded into the cache and uses this information to determine the content of the memory location p.


CVE no. Surname Exploited mechanism attack Microcode
CVE-2017-5715 Specter V2 Branch Target Injection (BTI) Speculative jump prediction for indirect jumps Yes
CVE-2017-5753 Specter V1 Bounds Check Bypass Speculative read access with indirect addressing
CVE-2018-3693 Specter V1.1 Bounds Check Bypass Store Speculative read accesses before writes are confirmed Yes
n / A. Specter V1.2 Read-only protection bypass
Specter NG
CVE-2018-3640 Specter V3a Rogue System Register Read (RSRE) Speculative read access to system registers Yes
CVE-2018-3639 Specter V4 Speculative Store Bypass (SSB) Speculative write access out of range
CVE-2018-3665 n / A. Lazy FP state restore Speculative access to floating point registers
CVE-2018-3615 n / A. Foreshadow (L1 Terminal Fault - SGX) Yes
CVE-2018-3620 n / A. L1 Terminal Fault - OS Kernel, SMM Yes
CVE-2018-3646 n / A. L1 Terminal Fault - Virtual Machines Yes
Variants via return stack buffer (RSB)
n / A. Specter V5 ret2spec
n / A. n / A. SpectreRSB Return mispredict
further variants
CVE-2018-9056 n / A. Branch scope
n / A. n / A. SGXPectre
n / A. n / A. NetSpectre


Since the Bounds Check Bypass gap could (also) be exploited via web browsers using malicious JavaScript program code, manufacturers reacted with program updates. Mozilla Firefox released an update in version 57.0.4 on January 4, 2018, which may include: a. reduces the accuracy of the time resolution, as the mechanism revealed by Specter requires an accurate time measurement. The accuracy of the affected function was reduced from 5 to 20 µs. Similar measures for Windows operating systems were published on January 3, 2018 for the Internet Explorer 11 and Edge web browsers from Microsoft . Apple reduced the accuracy in WebKit to 1 ms with a January 8, 2018 update of iOS 11.2 and macOS High Sierra for Safari 11.0.2. An update for Google Chrome from January 24, 2018 should make the attack more difficult. Up until then, attacks via Chrome installations could be made more difficult by activating the "website isolation", which, however, requires more memory and causes problems when printing and developing cross-website iFrames . This setting can also be made in the updated version of the Chromium -based Opera web browser . By browser extensions ( eg. As NoScript , ad blockers ) to active content such as JavaScript, Flash and Java applets blocked or restricted in order to prevent malicious code execution in the Web browser. performance.now()

Against branch target injection , Intel processors without a revised processor architecture require a software update and a microcode update in order to reduce susceptibility. Intel published updated microcodes for processor generations from 2013 , which, however, must be made available by the computer and hardware manufacturers. AMD also announced microcode updates. Because of the difficult exploitability of the vulnerability claimed by AMD, these are classified as optional. For systems with Windows 10 , Microsoft has also been offering operating system updates since March 2018, which contain Intel's microcode improvements for their newer processors.

Intel announced that it would be shipping processors in the second half of 2018 that provide further shielding between running applications and between processes with different access rights in order to ward off branch target injection attacks.

Performance degradation

Even the measures against branch target injection at the operating system level reduce the computing power. Microsoft announced “noticeable loss of performance”.

New CPU design gaps

At the beginning of May 2018, eight further security vulnerabilities in Intel processors became known as Specter Next Generation (Specter-NG), two of which were published. While one vulnerability modifies Meltdown , the other is based on a side-channel attack comparable to Specter (described in 1996) and is listed under CVE number CVE-2018-3639 ( Speculative Store Bypass ). This vulnerability was rated as medium risk by Intel. In addition to Intel, processors from AMD, ARM and IBM are also affected.

As with the Bounds Check Bypass , measures in the operating system or in the application can make it difficult to circumvent it using Speculative Store Bypass . According to a statement from Intel on May 22, 2018, manufacturers of PC systems received microcode updates to close the security gaps. Since performance degradation of 2 to 8 percent occurs, Intel leaves it up to the manufacturers to activate the countermeasure in their updates. IBM released updates for POWER systems on May 22, 2018 . Microsoft provided updates for Windows operating systems on June 12, 2018, but the measures against the speculative store bypass can only be activated by the user.

In July 2018, the CPU gaps ret2spec, SpectreRSB and NetSpectre were announced. In contrast to all previous security holes, NetSpectre can be used over networks without local access, is based on Specter (V1) and uses the AVX2 - SIMD extension of x86 processors. Operating systems that already have protective measures against the exploitation of the Specre V1 vulnerability make NetSpectre attacks more difficult. In practice, an attack scenario is very cumbersome because it is a side-channel attack and only a few bytes per hour can be read out even with a fast network connection. Precise time measurements are also required, which are more difficult with slow network connections and slow systems, and the exact details of the hardware and software (operating system, drivers, programs) of the target system must be known, which considerably limits the attack. Such attacks are difficult to detect, however.

Microarchitectural data sampling

In May 2019, details on the CPU gaps ZombieLoad and Store-to-Leak Forwarding were published. Troubleshooting the ZombieLoad attacks tends to require halving performance. All Intel processors manufactured after 2012 that have Hyper-Threading are affected . The TAA variant of the ZombieLoad attacks is aimed against Intel's Cascade Lake processors, which have been manufactured since 2019.

Other MDS attacks are known as RIDL (Rogue In-Flight Data Load) and Fallout.

Web links

Individual evidence

  1. a b Meltdown and Specter. Graz University of Technology , 2018, accessed on January 3, 2018 .
  2. Cade Metz, Nicole Perlroth: Researchers Discover Two Major Flaws in the World's computer . In: The New York Times . January 3, 2018, ISSN  0362-4331 (American English, nytimes.com [accessed January 3, 2018]).
  3. Tom Warren: Intel's processors have a security bug and the fix could slow down PCs. In: The Verge . January 3, 2018, accessed January 3, 2018 .
  4. Meltdown and Specter: 'worst ever' CPU bugs affect virtually all computers. In: theguardian.com , January 4, 2018
  5. More about Specter and the PowerPC (or why you may want to dust that G3 off). In: TenFourFox Development Blog. January 5, 2018, accessed January 6, 2018 .
  6. To Update on AMD Processor Security. In: AMD Corporate. January 4, 2018, accessed March 18, 2018 .
  7. Is PowerPC susceptible to Specter? Yep In: TenFourFox Development Blog. January 4, 2018, accessed January 6, 2018 .
  8. Actual field testing of Specter on various Power Macs (spoiler alert: G3 and 7400 survive!). In: TenFourFox Development Blog. January 7, 2018, accessed January 10, 2018 .
  9. a b Christof Windeck: Specter gaps: MIPS P5600 and IBM POWER6 also affected, Intel explains IBC. In: Heise online . 29th January 2018 . Retrieved June 29, 2019.
  10. Potential Impact on Processors in the POWER family. In: IBM PSIRT Blog. IBM, January 4, 2018, accessed on January 6, 2018 (English): "On Wednesday, January 3, researchers from Google announced a security vulnerability impacting all microprocessors, including processors in the IBM POWER family."
  11. Christof Windeck: Specter gap: Servers with IBM POWER, Fujitsu SPARC and ARMv8 also affected. In: Heise online . January 11, 2018 . Retrieved January 12, 2018.
  12. Rudolf Opitz: Processor gap: Qualcomm CPUs are also susceptible. In: Heise online . January 6, 2018 . Retrieved January 6, 2018.
  13. http://nvidia.custhelp.com/app/answers/detail/a_id/4616
  14. http://nvidia.custhelp.com/app/answers/detail/a_id/4614
  15. http://nvidia.custhelp.com/app/answers/detail/a_id/4613
  16. http://nvidia.custhelp.com/app/answers/detail/a_id/4617
  17. a b Ben Schwan: Meltdown and Specter: All Macs and iOS devices affected. In: Heise online . January 5, 2018 (Update: Apple Watch not affected.). Retrieved January 6, 2018.
  18. Eben Upton: Why Raspberry Pi isn't vulnerable to Specter or Meltdown. In: official Raspberry Pi blog. January 5, 2018, accessed January 6, 2018 .
  19. Security Bulletin: NVIDIA Driver Security Updates for CPU Speculative Side Channel Vulnerabilities. Nvidia, January 12, 2018, accessed on January 12, 2018 (English): "We believe our GPU hardware is immune to the reported security issue."
  20. a b Martin Fischer: AMD is rowing back: Processors affected by Specter 2, microcode updates for Ryzen and Epyc coming soon. In: Heise online . January 12, 2018 . Retrieved January 12, 2018.
  21. Martin Fischer: Patch against Specter: Updated Nvidia graphics drivers for GeForce and Quadro, Tesla drivers later. In: Heise online . January 9, 2018 . Retrieved January 12, 2018.
  22. ^ A b Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom: Specter Attacks: Exploiting Speculative Execution. (PDF) Retrieved January 4, 2018 (English).
  23. a b Christof Windeck: Specter-NG: "Foreshadow" endangers Intel processors. In: heise Security. August 14, 2018. Retrieved August 17, 2018 .
  24. Christof Windeck: Attack on the Cloud heise.de, ct edition 19/2018, on August 31, 2018
  25. a b Christof Windeck: CPU gaps ret2spec and SpectreRSB discovered. In: heise Security. July 24, 2018, accessed August 17, 2018 .
  26. G. Maisuradze, C. Rossow: ret2spec: Speculative Execution Using Return Stack Buffers . 2018 ( christian-rossow.de [PDF; accessed on August 17, 2018]).
  27. EM Koruyeh, K. Khasawneh, C. Song and N. Abu-Ghazaleh: Specter Returns! Speculation Attacks using the Return Stack Buffe . July 20, 2018 ( arxiv.org [PDF; accessed August 17, 2018]).
  28. Dennis Schirrmacher: Specter attacks also possible on the Intel SGX security function. In: heise.de. March 1, 2018, accessed August 17, 2018 .
  29. Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, Ten H. Lai: SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution . June 3, 2018 ( arxiv.org [PDF; accessed August 17, 2018]).
  30. a b c Christof Windeck: NetSpectre reads RAM via the network. In: Heise online . July 27, 2018 . Accessed August 31, 2018.
  31. M. Schwarz, M. Lipp, M. Schwarzl, D. Gruss: NetSpectre: Read Arbitrary Memory over Network . July 2018 ( misc0110.net [PDF; accessed August 17, 2018]).
  32. Processor bug: Browser manufacturers react to Meltdown and Specter. In: Heise.de , January 4, 2018
  33. ^ Opera, Mozilla, Vivaldi and more rush to patch Specter and Meltdown security holes. In: The Inquirer. Retrieved January 9, 2018 .
  34. https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
  35. https://support.apple.com/en-us/HT208397
  36. https://support.apple.com/en-us/HT208401
  37. Changeset 226495 - WebKit. Retrieved January 9, 2018 .
  38. https://support.google.com/chrome/answer/7623121?hl=de
  39. http://blogs.opera.com/security/2018/01/opera-mitigates-critical-cpu-vulnerabilities/
  40. FAQ on Meltdown and Specter: What happened, am I affected, how can I protect myself? In: heise online. Retrieved January 10, 2018 .
  41. Oliver Nickel: 90 percent of the current Intel CPUs are patched. In: golem.de. January 5, 2018, accessed January 20, 2018 .
  42. ^ Reading Privileged Memory with a Side Channel. In: Lenovo Security Advisor. January 3, 2018, accessed January 6, 2018 .
  43. Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products. In: Dell Knowledge Base. Retrieved January 6, 2018 .
  44. ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method. In: Asus. January 5, 2018, accessed January 8, 2018 .
  45. https://heise.de/-3985133
  46. https://support.microsoft.com/de-de/help/4090007/intel-microcode-updates
  47. https://support.microsoft.com/de-de/help/4091663/kb4091663-intel-microcode-updates
  48. https://support.microsoft.com/de-de/help/4091664/kb4091664-intel-microcode-updates
  49. https://support.microsoft.com/de-de/help/4091666/kb4091666-intel-microcode-updates
  50. https://support.microsoft.com/de-de/help/4465065/kb4465065-intel-microcode-updates
  51. heise Security: Specter and Meltdown: Intel processors with full hardware protection as early as 2018. Accessed on March 16, 2018 (German).
  52. Microsoft on Meltdown & Specter: Details on patches and performance degradation. In: heise online. Retrieved January 10, 2018 .
  53. Understanding the performance impact of Specter and Meltdown mitigations on Windows Systems. In: microsoft.com. Retrieved January 10, 2018 .
  54. Specter Next Generation: New security holes discovered in Intel chips. Spon, May 3, 2018.
  55. CVE-2018-3639 ( English ) cve.mitre.org. Retrieved November 3, 2019.
  56. Q2 2018 Speculative Execution Side Channel Update
  57. https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
  58. https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
  59. https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family
  60. https://www.computerbase.de/2018-05/spectre-3a-4-details-patches/
  61. https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis
  62. http://www-01.ibm.com/support/docview.wss?uid=isg3T1027700
  63. https://support.microsoft.com/de-de/help/4284835
  64. https://support.microsoft.com/en-us/help/4284826
  65. https://support.microsoft.com/en-us/help/4073119
  66. https://support.microsoft.com/en-us/help/4072698
  67. Christof Windeck: CPU gaps ret2spec and SpectreRSB discovered. In: Heise online . July 24, 2018 . Retrieved June 29, 2019.
  68. NetSpectre: not much of a PowerPC threat either. In: TenFourFox Development Blog. July 26, 2018, accessed June 19, 2019 .
  69. ZombieLoad , May 14, 2019
  70. ^ Daniel Gruss, Moritz Lipp, Michael Schwarz, Claudio Canella, Lukas Giner et al .: Store-to-Leak Forwarding. May 14, 2019, accessed May 14, 2019 .
  71. Barbara Wimmer: ZombieLoad: Intel processors endangered again. November 12, 2019, accessed November 12, 2019 .
  72. ZombieLoad: New vulnerabilities in Intel processors heise.de, on May 14, 2019