Spoiler Side-Channel Attack Mitigated by SonicWall RTDMI

Spoiler is the latest side-channel attack threatening Intel processors.

Research from the Worcester Polytechnic Institute in Worcester, Mass., and the University of Lübeck in Germany identifies a new Spectre-like attack. The group’s paper, “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks,” describes the new Spoiler side-channel attack, which exploits a “previously unknown microarchitectural leakage stemming from the false dependency hazards during speculative load operations.”

Author: SonicWall’s Brook Chelmo

As a result, Spoiler also increases the effectiveness of other side-channel attacks, namely Rowhammer and other cache-based attacks. The report notes that Spoiler affects only Intel Core processors, not current AMD and ARM processors.

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices,” an Intel spokesperson told TechRadar. “This includes avoiding control flows that are dependent on the data of interest.”

The research group was quick to point out that while Spoiler resembles Spectre, the two are not the same and have very different ramifications: earlier attacks exploited weaknesses in the speculative branch prediction unit to leak memory from protected environments, whereas Spoiler targets address speculation in the memory subsystem.

“Spoiler is not a Spectre attack,” the researchers wrote in their 17-page report. “The root cause for Spoiler is a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem, which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler.”

Note: SonicWall customers with active Capture Advanced Threat Protection (ATP) cloud sandbox subscriptions are protected from Spoiler exploits by SonicWall Real-Time Deep Memory Inspection.

Stop Spoiler Side-Channel Attacks with RTDMI

But SonicWall Real-Time Deep Memory Inspection™ (RTDMI) is not a conventional mitigation. As it does with Spectre, Meltdown, Foreshadow and PortSmash, RTDMI can mitigate Spoiler attacks.

RTDMI provides CPU-level instruction detection granularity (unlike typical behavior-based systems, which have only API/system call-level granularity) to detect malware variants that contain exploit code targeting processor vulnerabilities, including Spoiler.

To discover packed malware code that has been compressed to avoid detection, the RTDMI engine lets the malware reveal itself by unpacking its compressed code in memory inside a secure sandbox environment. It then inspects the code sequences found there and compares them to code it has already seen.

Identifying malicious code in memory is more precise than trying to differentiate between malware system behavior and clean program system behavior, which is an approach used by some other analysis techniques.

Besides being highly accurate, RTDMI also improves sample analysis time. Because it can detect malicious code or data in memory in real time during execution, no malicious system behavior is needed for detection. The presence of malicious code can be identified before any malicious behavior takes place, yielding a quicker verdict.

RTDMI protection from Spoiler and other processor and side-channel attacks is included as part of the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. Current Capture ATP customers are protected from Spoiler exploits.

Related Video: SonicWall RTDMI™ vs. Side-Channel Attacks

SonicWall President and CEO Bill Conner hosts CTO John Gmuender as they walk you through how SonicWall Real-Time Deep Memory Inspection (RTDMI™) technology mitigates today’s most dangerous chip-based and side-channel cyberattacks.

Author Brook Chelmo is senior product marketing manager at SonicWall. Read more SonicWall blogs here.
