Speculative execution bugs in modern CPUs popped up out of nowhere, and the nightmare is still with us. While Spectre-style attacks will be with us forever, a variety of mitigations have been implemented to protect us against Intel CPU vulnerabilities such as Meltdown and Foreshadow. Intel even have silicon fixes in their latest CPUs.
We destroyed these mitigations by taking a skeptical look at their assumptions. Now we know that unprivileged userspace applications can steal data by simply ignoring security boundaries: after all, what do address spaces and privilege levels mean to Intel's CPU pipeline? Using our RIDL attacks (and related vulnerabilities) as examples, we'll discuss how seemingly irrelevant issues in CPU designs continue to break security domain isolation and threat models, and despair about our speculatively executed future.
Alyssa and Stephan are PhD students in the VUSec group at the Vrije Universiteit Amsterdam. Stephan has a history of finding ways to break CPUs from software - such as his previous work on using MMUs to do indirect cache attacks. Alyssa, on the other hand, just enjoys breaking everything - whether it's using fault injection, side channel analysis, or just silly CPU bugs.