The paper is here: https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf
It's actually a more efficient way of doing Spectre. And lfence instructions won't STOP it as, like I said, it uses fetch and jumping to the target instead of indirect reading.
The key is how they precisely determine the micro-op cache lines and monitor them. It's much more powerful than the old technique that trains the branch predictor and fools stride prediction and such with sequential reads and writes. This is a next-level attack; it gets really into the more general details of how the processor architecture achieves good performance.
I suspect mitigation will involve isolating kernel or secured memory in a more general, stronger manner. I don't think there are many tricks left now besides killing processor performance. But such isolation might require hardware changes and not microcode updates or software mitigation.