New Spectre Variants Discovered By Exploiting Micro-op Caches

Written by Michael Larabel in Linux Security on 1 May 2021 at 06:13 AM EDT. 39 Comments
University of Virginia and University of California San Diego researchers have discovered multiple new variants of Spectre attacks that are not protected by existing Spectre mitigations and could yield both Intel and AMD CPUs leaking data via micro-op caches.

This week the Virginia and California academic researchers went public with their discoveries on exploiting the micro-op cache of modern Intel and AMD processors for beating existing Spectre defenses. Both Intel and AMD were informed in advance of these two variants (or their whitepaper lays it out as three) that allow speculatively stealing information from the system.

The researchers believe this new attack by way of the micro-op cache will be harder to mitigate. Needless to say, at this point there is no kernel patches or microcode updates to pass along. The researchers also believe that any mitigation will come with "much greater performance penalty" than what was found by previous attacks. Among the potential mitigations would involve flushing the micro-op cache at domain crossings and/or privilege level-based partitioning of the caches.
This paper describes three attacks – (1) a same thread cross-domain attack that leaks secrets across the user-kernel boundary, (2) a cross-SMT thread attack that transmits secrets across two SMT threads via the micro-op cache, and (3) transient execution attacks that have the ability to leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution, breaking several existing invisible speculation and fencing-based solutions that mitigate Spectre.

The researchers will be presenting at ISCA next month on their findings while there is the whitepaper for those interested in the research. Stay tuned!

Update (3 May 2021): Intel has provided us with the following statement on the matter, "Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already have protections against incidental channels, including the uop cache incidental channel. No new mitigations or guidance are needed."
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week