
Spoiler (security vulnerability)

Security vulnerability on CPUs that use speculative execution


Spoiler is a security vulnerability on modern computer central processing units that use speculative execution. It exploits side effects of speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel Core CPUs are vulnerable to the attack as of 2019.[1][2] AMD has stated that its processors are not vulnerable.[3][4]


Spoiler was issued a Common Vulnerabilities and Exposures ID of CVE-2019-0162.


Discovery


Spoiler was discovered by a team from Worcester Polytechnic Institute and the University of Lübeck. Their preprint, titled "Spoiler: Speculative Load Hazards Boost Rowhammer and Cache Attacks", was published in March 2019 and describes a previously undocumented leakage in the dependency resolution logic used for speculative loads on Intel processors.[5] The authors reported that the leakage could be observed on all tested Intel Core processors starting with the first generation, while the AMD and ARM processors they evaluated did not show the same behaviour.[5]

The disclosure attracted attention from technology media. Coverage in outlets such as AppleInsider, ZDNet and The Register emphasised that Spoiler is distinct from the earlier Spectre and Meltdown vulnerabilities, but can make some existing cache and Rowhammer attacks more practical and faster to execute.[6][7]

Intel assigned Spoiler the advisory ID INTEL-SA-00238 and described it as a "microprocessor memory mapping" issue that may allow an authenticated local user to gain information disclosure through virtual memory access patterns.[8] The National Vulnerability Database catalogued the same weakness as CVE-2019-0162 with a CVSS v3 base score of 3.8 (low severity).[9]


Technical overview


Spoiler targets the way Intel CPUs perform speculative memory loads in the presence of preceding stores. To improve performance, these processors can execute a load before earlier stores have completed, using a memory order buffer and store forwarding logic to resolve dependencies once the full physical addresses are known. Because the dependency prediction logic uses only partial address information, certain combinations of virtual addresses create false dependencies and stall hazards whose timing can be measured by an attacker.[5]

The researchers showed that, in addition to the well-known 4 KB aliasing effects, Intel's implementation exhibits a distinctive timing behaviour when speculative loads encounter 1 MB-aligned aliases in the store buffer. By filling the store buffer with stores to a window of pages that share the same page offset and then issuing a speculative load to another page, an unprivileged process can detect high-latency peaks whenever the load and some of the stores share the same lower 20 bits of their physical addresses. Repeating this procedure across many pages allows the attacker to infer partial virtual-to-physical address mappings purely from timing observations.[5]

The Spoiler paper reports speed-ups in eviction set construction by factors of up to 4,096 compared with previous JavaScript-based techniques, and demonstrates that the leakage also works in virtual machines and other sandboxed environments that lack access to privileged interfaces such as /proc/pagemap or hardware prefetch instructions.[5]

The same leakage can be used to detect contiguous physical memory pages and to reverse engineer the mapping between physical addresses and DRAM banks. This enables more efficient single-sided and double-sided Rowhammer attacks, in which repeatedly accessing selected rows in a DRAM bank induces bit flips in neighbouring rows. Using Spoiler as a primitive, the researchers performed double-sided Rowhammer from user space without special privileges, achieving deterministic row conflicts with a high probability.[5]
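The following is an added illustration, not code from the article or from the Spoiler paper: a small C model of the staged dependency check described in this overview, with constructed physical addresses and constructed (not measured) cycle costs, showing why a partial-address comparison lets a timing peak reveal physical address bits 12..19.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of checking one in-flight store against a speculative load.
   The stages mirror the overview above: page offset (bits 0..11) first,
   then the 1 MB window (bits 0..19), then the full physical address. */
enum hazard { NO_HAZARD = 0, ALIAS_4K = 1, ALIAS_1M = 2, TRUE_DEP = 3 };

enum hazard classify(uint64_t store_pa, uint64_t load_pa) {
    if (store_pa == load_pa) return TRUE_DEP;            /* real dependency */
    if ((store_pa & 0xFFFFF) == (load_pa & 0xFFFFF)) return ALIAS_1M;
    if ((store_pa & 0xFFF) == (load_pa & 0xFFF)) return ALIAS_4K;
    return NO_HAZARD;
}

/* Constructed cycle costs (an assumption, not measurements): a 1 MB false
   dependency is modelled as far more expensive than a 4 KB one, which is
   the latency peak the paper reports. */
unsigned model_latency(const uint64_t *store_pas, size_t n, uint64_t load_pa) {
    unsigned cycles = 10;                                 /* base load cost */
    for (size_t i = 0; i < n; i++) {
        switch (classify(store_pas[i], load_pa)) {
        case ALIAS_4K: cycles += 5;   break;
        case ALIAS_1M: cycles += 200; break;
        case TRUE_DEP: cycles += 20;  break;
        default:       break;
        }
    }
    return cycles;
}

/* What a peak discloses: the page offset is shared by construction, so a
   1 MB alias means the load and store agree on physical bits 12..19. */
uint8_t frame_bits_12_19(uint64_t pa) { return (uint8_t)((pa >> 12) & 0xFF); }

int main(void) {
    /* Constructed physical addresses; all share page offset 0x000. */
    const uint64_t stores[] = { 0x12345000ULL, 0xAB345000ULL, 0xCCCC5000ULL };
    const uint64_t loads[]  = { 0xDD345000ULL, 0xEEEE1000ULL };
    for (size_t i = 0; i < 2; i++) {
        unsigned t = model_latency(stores, 3, loads[i]);
        printf("load %#llx: %u modelled cycles, bits 12..19 = %#x\n",
               (unsigned long long)loads[i], t, frame_bits_12_19(loads[i]));
    }
    return 0;
}
```

The first load aliases two stores in the 1 MB window and shows the modelled peak; the second only matches on page offset, which is the ordinary 4 KB aliasing effect.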
