The impact of Specter V2 is severe because it violates some of the most basic security layers in the operating system and other systems: for example, the separation of memory access between user-mode processes and kernel processes, the separation of Hypervisor memory and guest virtual machines, the separation of OS memory and secure CPU execution environments such as Intel sgx. Many ghost variants followed after their first publication include spectre-ng, sgxpectre, spectre-pht, spectre-pht-pht-ca-op, spectre-pht-pht-ca-ip, spectre-pht-sa-op, spectre-btb-sa-ip, spectre-btb-sa-ip, spectre-btb-sa-ip, spectre-btb-sa-op, spectre-btb-sa-op and spectre-bhi.
Mitigation measures for speculative execution attacks introduced by Intel in the new CPUs are called enhanced indirect branch restrictive speculation (EIBRS) and indirect branch prediction barriers (IBPB). These are designed to perform branch prediction through different security domains at the hardware level, meaning that processes from one domain cannot inject branch targets into predictor variables for different domains. Meanwhile, IBPB can be used to disable all indirect branch prediction.
“Although Eibrs appears to correctly limit the predictions of the security domains they are associated with, this association can be manipulated,” Zurich ETH researchers wrote in a description of their new attack. “When the privileged switch occurs, the branch predictor update is associated with the new security domain rather than the previous one. In addition, we found that when the indirect branch predictor invalid (IBPB) is invalid, the updated update is not flushed.
