IBM and the University of Amsterdam have discovered a new flaw in speculative execution in processors: GhostRace. Like other variants, this bug threatens an entire category of CPUs and a solution is not obvious.

Researchers from Vrije Universiteit Amsterdam and IBM have discovered a new flaw in modern CPU architecture. They named the leak Ghost Race. As the name suggests, the bug belongs to the same category as Specter. GhostRace, like Specter (and Meltdown), involves so-called speculative execution.

In this case, GhostRace exploits a lack of synchronization in speculative execution, leading to race conditions. Specifically, a fraudulent command may compete with a legitimate command for access to a shared resource that would not normally be available. An attacker can use this opportunity, for example, to access confidential information from the system memory.

Speculative execution

GhostRace abuses speculative execution. In a previous article we explained in detail what exactly this is and why this speculative implementation continues to lead to dangerous errors. In summary, it is a technique in which a CPU conditionally executes instructions while waiting for the result of a previous instruction to hopefully build a lead. Modern CPUs are pretty good at guessing what the result of instruction A will be, so a correct instruction B will be preemptively loaded. This way a CPU is never idle. Technology is largely responsible for the speed of modern CPUs. Unfortunately, this speculative order execution does not appear to be sufficiently secured.

Speculative execution is embedded in all modern CPU architectures. Both x86 processors from Intel and AMD as well as ARM CPUs from Apple, for example, use it. GhostRace affects all of these systems.

Not a convenient solution

Before the flaw was discovered, researchers notified major hardware and software vendors. However, there are no clear solutions. The problem with Specter-like bugs like this is that sometimes the fix has a bigger impact than the bug. Speculative execution is hardwired into the processors. All attempts to disarm GhostRace through software or firmware noticeably reduce CPU performance.