Spectre and Meltdown are still fresh in our mind, but already researchers from Microsoft and Google have found a new vulnerability, named Speculative Store Bypass (SSB), that could allow for malicious software to indirectly read from memory. Some Intel and AMD processors are vulnerable, but of greater Android-related concern is the susceptibility of 5 ARM reference designs going back to 2011's Cortex-A15 and including the latest A75.

How it works

The particulars of the exploit were first revealed this Monday, the 21st, and they were classified as Spectre and Meltdown Side-Channel vulnerability variants 3a and 4. For a detailed explanation of the inner workings behind the new vulnerability, I recommend Peter Bright's excellent coverage at Ars Technica.

The short and greatly oversimplified version is that it's similar to how previous Spectre and Meltdown vulnerabilities worked. At an architectural level, some processors may try to "guess" memory addresses for requests before they're fully identified, in an attempt to speed things up. If they guess incorrectly, they'll ignore the data which was pulled and wait until the address is provided to find the correct data, but the earlier operation can still have an effect on other parts of the CPU.

The SSB exploit takes advantage of storing a value to memory "slowly," and then requesting a read "quickly," faster than the storing operation takes to complete. This takes advantage of the fact that, at some level, the architecture believes that the data is already being held at that location in memory, due to the previous "guessing" system in place.

The processor figures out that it loaded the wrong values, and that guessed data is eventually discarded. But, at a certain level, the influence of those values on the processor (presumably, how it affects cache) can still be measured by malicious programs, giving it the means to surreptitiously determine those values.

How it affects Android

According to a statement by ARM, the majority of its products aren't vulnerable to the SSB exploit, but the following CPU reference designs are vulnerable to Variants 3a and 4:

  • Cortex-A15
  • Cortex-A57
  • Cortex-A72
  • Cortex-A73
  • Cortex-A75

Qualcomm hasn't made any statement if its products or Kryo architecture may be susceptible to the two new variants, but ARM's affected reference designs are present in many recent SoCs. So at a minimum, some current non-Snapdragon-powered phones like Huawei's P20 and P20 Pro and Qualcomm's A57-powered Snapdragon 810 and 808 (found in the Nexus 6P and 5X) may be affected.

Currently, Microsoft isn't aware of any live exploits taking advantage of SSB, and Google has included a manual kernel patch for Linux in its own announcement of the vulnerability. Instructions for mitigation are also provided by ARM, based on a category of vulnerability variants. We should see updates to fix the new exploit hit Android sometime soon.

Source: Ars Technica, ARM