The impact of Spectre v2 is serious, because it violates some of the most fundamental security layers in operating systems and other systems: for example, the memory access separation between user-mode processes and kernel processes, the separation between hypervisor memory and guest virtual machines, the separation between OS memory and the memory of secure CPU execution environments like Intel SGX, and more. Many variants of Spectre followed after the initial publication, including Spectre-NG, SgxPectre, Spectre-PHT, Spectre-PHT-CA-OP, Spectre-PHT-CA-IP, Spectre-PHT-SA-OP, Spectre-BTB-SA-IP, Spectre-BTB-SA-OP, and Spectre-BHI.
The mitigations for speculative execution attacks like Spectre v2 that Intel introduced in new CPUs are called enhanced Indirect Branch Restricted Speculation (eIBRS) and the Indirect Branch Prediction Barrier (IBPB). These aim to separate branch prediction by different security domains at the hardware level, which means that processes from one domain cannot inject branch targets into the predictor for a different domain. Meanwhile IBPB can be used to disable all indirect branch predictions.
“While eIBRS appears to correctly restrict predictions to the security domain they are associated with, this association can be manipulated,” the ETH Zurich researchers wrote when describing their new attack. “Branch predictor updates that are in-flight while a privilege switch occurs are associated with the new security domain instead of the previous one. Furthermore, we have found that updates that are in-flight when the indirect branch predictor is invalidated (IBPB) are not flushed. As a result, these updates are stored in the branch predictor despite invalidating it.”