The, IMHO, novel part here is the formalism.
(I'm not trying to denigrate the work, mind you, it's definitely hard work and they did a great job. I'm just pointing out for those who don't know that this is not a surprising new result, but instead an expected new result)
Otherwise, pretty much anyone who had basic architectural knowledge realized this was possible the second Spectre and Meltdown came out:
(there are more, I'm too lazy to find everyone who pointed it out, sorry)
I can't speak for gpderetta, but like, if I can predict this problem, I expect pretty much anyone can :)
"New Spectre/Meltdown Variants"
While the original link didn't provide much extra, what I found particularly interesting there were the comments from the person who is running a patched system, yet finding that one of the Spectre PoC code examples was still working.
Would be interesting to know if anyone else is experiencing anything similar.
It seems that, while not a silver bullet, FV tools of this sort would be the most reliable way of discovering (and preventing) these sorts of issues in microarchitecture.
MeltdownPrime and SpectrePrime are the two new variant names.
From the Tom's Hardware article:
"Princeton and Nvidia researchers teamed up to produce a testing method that can generate code that represents the essence of an attack. More precisely, their method is CPU architecture-aware, so it emulates exactly what a software attack would translate into on the hardware level. According to the researchers, their tool can be used to quickly generate a set of 'security litmus tests' for a class of security exploits."
"In the process of their testing, they discovered that the speculative execution methods that are exploited by the Meltdown and Spectre vulnerabilities leave a trail that might not be observable in only a CPU's shared cache, but in its cores' individual caches as well."
"What the researchers discovered is that, because certain caches might be partially mirrored across cores, the effects of speculative execution occurring on one core can be detectable on another core. Test cases exploiting this principle created by the researchers were able to recover hidden data at 99.95% accuracy. By comparison, their test cases of a traditional Spectre exploit only reached 97.9% accuracy."
"[...] the researchers said that current software-based Meltdown/Spectre mitigations seem successful in blocking their new exploits. However, these exploits will likely need their own distinct fix, different from those for traditional Spectre, if they are to be mitigated in hardware."