At the beginning of the year, everyone was talking about processor vulnerabilities called "Meltdown" and "Spectre" that potentially exposed data in everything from servers and desktops to tablets and smartphones. The flaws, which impacted the chips in many popular devices, allowed hackers to inconspicuously manipulate a common efficiency technique used to speed data processing. As a result, chip manufacturers and software makers scrambled to issue patches and work out the performance sluggishness that came along with blocking the risky optimizations.
At the same time, though, a larger concern was also looming: Spectre and Meltdown represented a whole new class of attack, and researchers anticipated they would eventually discover other, similar flaws. Now, one has arrived.
Microsoft says that the risk to users from this bug is "low," and Intel notes that there is no evidence that the flaw is already being used by hackers. Some systems, particularly browsers, already have some protection against Speculative Store Bypass attacks just from the initial Meltdown and Spectre patches. But as was the case before, chip manufacturers and software developers are now working to release tailored fixes—and SSB raises the same types of performance problems that emerged before.
"We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit," Leslie Culbertson, Intel's executive vice president and general manager of product assurance and security, wrote in a statement on Monday. She explains that once they are generally available, some SSB protections will be off by default, requiring users to opt into protection. "If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks."
Modern processors use a technique called "speculative execution" to make educated guesses about what data to work with as they complete tasks instead of waiting to have perfect information about what to do. Meltdown, Spectre, and Speculative Store Bypass flaws are all part of a category of "speculative execution side channels" in which attackers can potentially take advantage of flaws in how processors protect data during this speculative processing to grab information that leaks out in various ways. Systems can rein this in through relatively simple software and firmware (lower level coordinating software) patches. But some updates need to be changes to a processor's "microcode" that tweak the fundamental behavior of how a chip operates, and most software developers will be depending on chip manufacturers to first release microcode updates.
Once companies push all the various types of updates, though, users will decide case by case whether to install them, since bypassing processing efficiencies to neuter potential attacks can also slow systems down. Some Meltdown and Spectre updates caused real problems for businesses and consumers. For SSB—which seems like it may be a less dangerous bug—some users may consider the pros and cons of patching rather than immediately moving forward.
Microsoft says it began researching SSB in November, after Spectre and Meltdown were already being researched, but before the flaws were publicly disclosed in January. In March, Microsoft also began offering a $250,000 reward for information about new variants of "speculative execution" attacks. Google's Project Zero, Intel, and numerous other security researchers in the industry have all also been working to understand and discover other similar attacks since last year. Given how complicated it is to distribute fixes for these types of flaws, and how much of that process hinges on what manufacturers release, analysts say that the work that went into pushing patches for Meltdown and Spectre will make things a bit more streamlined when addressing the new SSB flaw.
"We all just started digging in and saying 'that uses speculation, that uses speculation, what could be wrong there?'" says Jon Masters, chief ARM architect at the open source enterprise IT services group Red Hat, which had early access to the SSB research findings as part of industry defense collaboration. "Unfortunately but also fortunately there was a last time this happened, so as a result of Meltdown and Spectre lots of effort was put in to make sure the update process would be easier."
Researchers also say that more time to investigate this general type of attack means there's more confidence now that other speculative execution flaws won't crop up all the time. And observers are relieved that today's SSB revelation isn't related to a more dire attack. But the danger in this class of bugs is the sheer number of devices they impact and how persistent they will be over time. Full protection can only come from replacing vulnerable equipment with new devices that contain fundamentally more secure chips. This replacement process will take years, and in the meantime lots of devices will remain exposed to these niche, but potentially effective attacks.