Meltdown (security vulnerability)

Last updated

Meltdown
Meltdown with text.svg
The logo used by the team that discovered the vulnerability
CVE identifier(s) CVE- 2017-5754
Date discoveredJanuary 2018;6 years ago (2018-01)
Affected hardware Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors
Website meltdownattack.com

Meltdown is one of the two original transient execution CPU vulnerabilities (the other being Spectre). Meltdown affects Intel x86 microprocessors, IBM POWER processors, [1] and some ARM-based microprocessors. [2] [3] [4] It allows a rogue process to read all memory, even when it is not authorized to do so.

Contents

Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS, [5] Linux, [6] [7] macOS, [5] or Windows. Accordingly, many servers and cloud services were impacted, [8] as well as a potential majority of smart devices and embedded devices using ARM-based processors (mobile devices, smart TVs, printers and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, [9] although companies responsible for software correction of the exploit reported minimal impact from general benchmark testing. [10]

Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE - 2017-5754, also known as Rogue Data Cache Load (RDCL), [3] in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some characteristics. The Meltdown and Spectre vulnerabilities are considered "catastrophic" by security analysts. [11] [12] [13] The vulnerabilities are so severe that security researchers initially believed the reports to be false. [14]

Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. [15] [16] [17] [18] Meltdown patches may produce performance loss. [19] [20] [21] Spectre patches have been reported to significantly reduce performance, especially on older computers; on the then-newest (2017) eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured. [22] On 18 January 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. [23] Nonetheless, according to Dell: "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [26 January 2018], though researchers have produced proof-of-concepts." [24] [25] Dell further recommended: "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)." [24] [25]

On 15 March 2018, Intel reported that it would redesign its CPUs to help protect against the Meltdown and related Spectre vulnerabilities (especially, Meltdown and Spectre-V2, but not Spectre-V1), and expected to release the newly redesigned processors later in 2018. [26] [27] [28] [29] On 8 October 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors. [30]

Overview

Meltdown exploits a race condition, inherent in the design of many modern CPUs. This occurs between memory access and privilege checking during instruction processing. Additionally, combined with a cache side-channel attack, this vulnerability allows a process to bypass the normal privilege checks that isolate the exploit process from accessing data belonging to the operating system and other running processes. The vulnerability allows an unauthorized process to read data from any address that is mapped to the current process's memory space. Since instruction pipelining is in the affected processors, the data from an unauthorized address will almost always be temporarily loaded into the CPU's cache during out-of-order execution – from which the data can be recovered. This can occur even if the original read instruction fails due to privilege checking, or if it never produces a readable result.[ citation needed ]

Since many operating systems map physical memory, kernel processes, and other running user space processes into the address space of every process, Meltdown effectively makes it possible for a rogue process to read any physical, kernel or other processes' mapped memory – regardless of whether it should be able to do so. Defenses against Meltdown would require avoiding the use of memory mapping in a manner vulnerable to such exploits (i.e. a software-based solution) or avoidance of the underlying race condition (i.e. a modification to the CPUs' microcode or execution path).[ citation needed ]

The vulnerability is viable on any operating system in which privileged data is mapped into virtual memory for unprivileged processes – which includes many present-day operating systems. Meltdown could potentially impact a wider range of computers than presently identified, as there is little to no variation in the microprocessor families used by these computers.[ citation needed ]

A Meltdown attack cannot be detected if it is carried out, as it does not leave any traces in traditional log files. [31] [32]

History

On 8 May 1995, a paper called "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems" published at the 1995 IEEE Symposium on Security and Privacy warned against a covert timing channel in the CPU cache and translation lookaside buffer (TLB). [33] This analysis was performed under the auspices of the National Security Agency's Trusted Products Evaluation Program (TPEP).

In July 2012, Apple's XNU kernel (used in macOS, iOS and tvOS, among others) adopted kernel address space layout randomization (KASLR) with the release of OS X Mountain Lion 10.8. In essence, the base of the system, including its kernel extensions (kexts) and memory zones, is randomly relocated during the boot process in an effort to reduce the operating system's vulnerability to attacks. [34]

In March 2014, the Linux kernel adopted KASLR to mitigate address leaks. [35]

On 8 August 2016, Anders Fogh and Daniel Gruss presented "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at the Black Hat 2016 conference. [36]

On 10 August 2016, Moritz Lipp et al. of TU Graz published "ARMageddon: Cache Attacks on Mobile Devices" in the proceedings of the 25th USENIX security symposium. Even though focused on ARM, it laid the groundwork for the attack vector. [37]

On 27 December 2016, at 33C3, Clémentine Maurice and Moritz Lipp of TU Graz presented their talk "What could possibly go wrong with <insert x86 instruction here>? Side effects include side-channel attacks and bypassing kernel ASLR" which outlined already what was coming. [38]

On 1 February 2017, the CVE numbers 2017-5715, 2017-5753 and 2017-5754 were assigned to Intel.

On 27 February 2017, Bosman et al. of Vrije Universiteit Amsterdam published their findings of how address space layout randomization (ASLR) could be abused on cache-based architectures at the NDSS Symposium. [39]

On 27 March 2017, researchers at Graz University of Technology in Austria developed a proof-of-concept that could grab RSA keys from Intel SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels. [40]

In June 2017, KASLR was found to have a large class of new vulnerabilities. [41] Research at Graz University of Technology showed how to solve these vulnerabilities by preventing all access to unauthorized pages. [42] A presentation on the resulting KAISER technique was submitted for the Black Hat congress in July 2017, but was rejected by the organizers. [43] Nevertheless, this work led to kernel page-table isolation (KPTI, originally known as KAISER) in 2017, which was confirmed to eliminate a large class of security bugs, including some limited protection against the not-yet-discovered Meltdown – a fact confirmed by the Meltdown authors. [44]

In July 2017, research made public on the CyberWTF website by security researcher Anders Fogh outlined the use of a cache timing attack to read kernel space data by observing the results of speculative operations conditioned on data fetched with invalid privileges. [45]

Meltdown was discovered independently by Jann Horn from Google's Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology. [46] The same research teams that discovered Meltdown also discovered Spectre.

In October 2017, Kernel ASLR support on amd64 was added to NetBSD-current, making NetBSD the first totally open-source BSD system to support kernel address space layout randomization (KASLR). [47] However, the partially open-source [48] Apple Darwin, which forms the foundation of macOS and iOS (among others), is based on FreeBSD; KASLR was added to its XNU kernel in 2012 as noted above.

On 14 November 2017, security researcher Alex Ionescu publicly mentioned changes in the new version of Windows 10 that would cause some speed degradation without explaining the necessity for the changes, just referring to similar changes in Linux. [49]

After affected hardware and software vendors had been made aware of the issue on 28 July 2017, [50] the two vulnerabilities were made public jointly, on 3 January 2018, several days ahead of the coordinated release date of 9 January 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list. [9] As a result, patches were not available for some platforms, such as Ubuntu, [51] when the vulnerabilities were disclosed.

On 28 January 2018, Intel was reported to have shared news of the Meltdown and Spectre security vulnerabilities with Chinese technology companies before notifying the U.S. government of the flaws. [52]

The security vulnerability was called Meltdown because "the vulnerability basically melts security boundaries which are normally enforced by the hardware". [31]

On 8 October 2018, Intel was reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors. [30]

In November 2018, two new variants of the attacks were revealed. Researchers attempted to compromise CPU protection mechanisms using code to exploit weaknesses in memory protection and the BOUND instruction. They also attempted but failed to exploit CPU operations for memory alignment, division by zero, supervisor modes, segment limits, invalid opcodes, and non-executable code. [53]

Mechanism

Meltdown [44] relies on a CPU race condition that can arise between instruction execution and privilege checking. Put briefly, the instruction execution leaves side effects that constitute information not hidden to the process by the privilege check. The process carrying out Meltdown then uses these side effects to infer the values of memory mapped data, bypassing the privilege check. The following provides an overview of the exploit, and the memory mapping that is its target. The attack is described in terms of an Intel processor running Microsoft Windows or Linux, the main test targets used in the original paper, but it also affects other processors and operating systems, including macOS (aka OS X), iOS, and Android. [44]

Background – modern CPU design

Modern computer processors use a variety of techniques to gain high levels of efficiency. Four widely used features are particularly relevant to Meltdown:

Meltdown exploit

Ordinarily, the mechanisms described above are considered secure. They provide the basis for most modern operating systems and processors. Meltdown exploits the way these features interact to bypass the CPU's fundamental privilege controls and access privileged and sensitive data from the operating system and other processes. To understand Meltdown, consider the data that is mapped in virtual memory (much of which the process is not supposed to be able to access) and how the CPU responds when a process attempts to access unauthorized memory. The process is running on a vulnerable version of Windows, Linux, or macOS, on a 64-bit processor of a vulnerable type. [44] This is a very common combination across almost all desktop computers, notebooks, laptops, servers and mobile devices.

  1. The CPU encounters an instruction accessing the value, A, at an address forbidden to the process by the virtual memory system and the privilege check. Because of speculative execution, the instruction is scheduled and dispatched to an execution unit. This execution unit then schedules both the privilege check and the memory access.
  2. The CPU encounters an instruction accessing address Base+A, with Base chosen by the attacker. This instruction is also scheduled and dispatched to an execution unit.
  3. The privilege check informs the execution unit that the address of the value, A, involved in the access is forbidden to the process (per the information stored by the virtual memory system), and thus the instruction should fail and subsequent instructions should have no effect. Because these instructions were speculatively executed, however, the data at Base+A may have been cached before the privilege check – and may not have been undone by the execution unit (or any other part of the CPU). If this is indeed the case, the mere act of caching constitutes a leak of information in and of itself. At this point, Meltdown intervenes. [44]
  4. The process executes a timing attack by executing instructions referencing memory operands directly. To be effective, the operands of these instructions must be at addresses which cover the possible address, Base+A, of the rejected instruction's operand. Because the data at the address referred to by the rejected instruction, Base+A, was cached nevertheless, an instruction referencing the same address directly will execute faster. The process can detect this timing difference and determine the address, Base+A, that was calculated for the rejected instruction – and thus determine the value A at the forbidden memory address.

Meltdown uses this technique in sequence to read every address of interest at high speed, and depending on other running processes, the result may contain passwords, encryption data, and any other sensitive information, from any address of any process that exists in its memory map. In practice, because cache side-channel attacks are slow, it is faster to extract data one bit at a time (only 2 × 8 = 16 cache attacks needed to read a byte, rather than 256 steps if it tried to read all 8 bits at once).

Impact

The impact of Meltdown depends on the design of the CPU, the design of the operating system (specifically how it uses memory paging), and the ability of a malicious party to get any code run on that system, as well as the value of any data it could read if able to execute.

The specific impact depends on the implementation of the address translation mechanism in the OS and the underlying hardware architecture. The attack can reveal the content of any memory that is mapped into a user address space, even if otherwise protected. For example, before kernel page-table isolation was introduced, most versions of Linux mapped all physical memory into the address space of every user-space process; the mapped addresses are (mostly) protected, making them unreadable from user-space and accessible only when transitioned into the kernel. The existence of these mappings makes transitioning to and from the kernel faster, but is unsafe in the presence of the Meltdown vulnerability, as the contents of all physical memory (which may contain sensitive information such as passwords belonging to other processes or the kernel) can then be obtained via the above method by any unprivileged process from user-space.

According to researchers, "every Intel processor that implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium, and Intel Atom before 2013)." [46] Intel responded to the reported security vulnerabilities with an official statement. [57]

The vulnerability is expected to impact major cloud providers, such as Amazon Web Services (AWS) [58] and Google Cloud Platform. Cloud providers allow users to execute programs on the same physical servers where sensitive data might be stored, and rely on safeguards provided by the CPU to prevent unauthorized access to the privileged memory locations where that data is stored, a feature that the Meltdown exploit circumvents.

The original paper reports that paravirtualization (Xen) and containers such as Docker, LXC, and OpenVZ, are affected. [54] [44] They report that the attack on a fully virtualized machine allows the guest user space to read from the guest kernel memory, but not read from the host kernel space.

Affected hardware

The Meltdown vulnerability primarily affects Intel microprocessors, [59] but the ARM Cortex-A75 [60] and IBM's Power [1] microprocessors are also affected. The vulnerability does not affect AMD microprocessors. [20] [61] [62] [63] When the effect of Meltdown was first made public, Intel countered that the flaws affect all processors, [64] but AMD denied this, saying "we believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture". [65]

Researchers have indicated that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors. [66] [67] [68] [69] However, ARM announced that some of their processors were vulnerable to Meltdown. [60] Google has reported that any Intel processor since 1995 with out-of-order execution is potentially vulnerable to the Meltdown vulnerability (this excludes Itanium and pre-2013 Intel Atom CPUs). [70] Intel introduced speculative execution to their processors with Intel's P6 family microarchitecture with the Pentium Pro IA-32 microprocessor in 1995. [71]

ARM has reported that the majority of their processors are not vulnerable, and published a list of the specific processors that are affected. The ARM Cortex-A75 core is affected directly by both Meltdown and Spectre vulnerabilities, and Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72 and Cortex-A73 cores are affected only by the Spectre vulnerability. [60] This contradicts some early statements made about the Meltdown vulnerability as being Intel-only. [72]

A large portion of the then-current mid-range Android handsets use the Cortex-A53 or Cortex-A55 in an octa-core arrangement and are not affected by either the Meltdown or Spectre vulnerability as they do not perform out-of-order execution. This includes devices with the Qualcomm Snapdragon 630, Snapdragon 626, Snapdragon 625, and all Snapdragon 4xx processors based on A53 or A55 cores. [73] Also, no Raspberry Pi computers are vulnerable to either Meltdown or Spectre, except the newly-released Raspberry Pi 4, which uses the ARM Cortex-A72 CPU. [74]

IBM has also confirmed that its Power CPUs are affected by both CPU attacks. [1] Red Hat has publicly announced that the exploits are also for IBM System Z, POWER8, and POWER9 systems. [75]

Oracle has stated that V9-based SPARC systems (T5, M5, M6, S7, M7, M8, M10, M12 processors) are not affected by Meltdown, though older SPARC processors that are no longer supported may be impacted. [76]

Mitigation

Mitigation of the vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. [4] Linux kernel developers have referred to this measure as kernel page-table isolation (KPTI). KPTI patches have been developed for Linux kernel 4.15, and have been released as a backport in kernels 4.14.11, 4.9.75. [77] [78] [79] [80] Red Hat released kernel updates to their Red Hat Enterprise Linux distributions version 6 [81] and version 7. [82] CentOS also already released their kernel updates to CentOS 6 [83] and CentOS 7. [84]

Apple included mitigations in macOS 10.13.2, iOS 11.2, and tvOS 11.2. These were released a month before the vulnerabilities were made public. [85] [86] [87] [88] Apple has stated that watchOS and the Apple Watch are not affected. [89] Additional mitigations were included in a Safari update as well a supplemental update to macOS 10.13, and iOS 11.2.2. [90] [91] [92] [93] [94]

Microsoft released an emergency update to Windows 10, 8.1, and 7 SP1 to address the vulnerability on 3 January 2018, [95] [96] [97] as well as Windows Server (including Server 2008 R2, Server 2012 R2, and Server 2016) and Windows Embedded Industry. [98] These patches are incompatible with third-party antivirus software that use unsupported kernel calls; systems running incompatible antivirus software will not receive this or any future Windows security updates until it is patched, and the software adds a special registry key affirming its compatibility. [99] [100] [101] The update was found to have caused issues on systems running certain AMD CPUs, with some users reporting that their Windows installations did not boot at all after installation. On 9 January 2018, Microsoft paused the distribution of the update to systems with affected CPUs while it investigated and addressed this bug. [99]

It was reported that implementation of KPTI may lead to a reduction in CPU performance, with some researchers claiming up to 30% loss in performance, depending on usage, though Intel considered this to be an exaggeration. [19] It was reported that Intel processor generations that support process-context identifiers (PCID), a feature introduced with Westmere [102] and available on all chips from the Haswell architecture onward, were not as susceptible to performance losses under KPTI as older generations that lack it. [103] [104] This is because the selective translation lookaside buffer (TLB) flushing enabled by PCID (also called address space number or ASN under the Alpha architecture) enables the shared TLB behavior crucial to the exploit to be isolated across processes, without constantly flushing the entire cache – the primary reason for the cost of mitigation.

A statement by Intel said that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time". [21] [20] Phoronix benchmarked several popular PC games on a Linux system with Intel's Coffee Lake Core i7-8700K CPU and KPTI patches installed, and found that any performance impact was small to non-existent. [62] In other tests, including synthetic I/O benchmarks and databases such as PostgreSQL and Redis, an impact in performance was found, accounting even to tens of percent for some workloads. [105] More recently, related tests, involving AMD's FX and Intel's Sandybridge and Ivybridge CPUs, have been reported. [106]

Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. [15] [16] [17] [18] Meltdown patches may produce performance loss. [19] [20] [21] On 18 January 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. [23] According to Dell: "No 'real-world' exploits of these vulnerabilities [ie, Meltdown and Spectre] have been reported to date [26 January 2018], though researchers have produced proof-of-concepts." [24] [25] Further, recommended preventions include: "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)." [24] [25]

On 25 January 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented. [107] In March 2018, Intel announced that it had designed hardware fixes for future processors for Meltdown and Spectre-V2 only, but not Spectre-V1. The vulnerabilities were mitigated by a new partitioning system that improves process and privilege-level separation. The company also announced it had developed Intel Microcode workarounds for processors dating back to 2013, and that it had plans to develop them for most processors dating back to 2007 including the Core 2 Duo; [28] [29] however, a month later in April 2018, it announced it was backing off that plan for a number of processor families and that no processor earlier than 2008 would have a patch available. [108]

On 8 October 2018, Intel was reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors. [30]

Summary of mitigations on Microsoft Windows [109]
VulnerabilityCVEExploit namePublic vulnerability nameWindows changesFirmware changes
(Spectre)2017-5753Variant 1Bounds Check Bypass (BCB)
  • Recompiling with a new compiler
  • Hardened browser to prevent exploit from JavaScript
No
(Spectre)2017-5715Variant 2Branch Target Injection (BTI)New CPU instructions eliminating branch speculationYes
Meltdown2017-5754Variant 3Rogue Data Cache Load (RDCL) Isolate kernel and user mode page tables No

See also

Related Research Articles

<span class="mw-page-title-main">Hyper-threading</span> Proprietary simultaneous multithreading implementation by Intel

Hyper-threading is Intel's proprietary simultaneous multithreading (SMT) implementation used to improve parallelization of computations performed on x86 microprocessors. It was introduced on Xeon server processors in February 2002 and on Pentium 4 desktop processors in November 2002. Since then, Intel has included this technology in Itanium, Atom, and Core 'i' Series CPUs, among others.

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably redirecting code execution to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

The Pentium F00F bug is a design flaw in the majority of Intel Pentium, Pentium MMX, and Pentium OverDrive processors. Discovered in 1997, it can result in the processor ceasing to function until the computer is physically rebooted. The bug has been circumvented through operating system updates.

System Management Mode is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges.

<span class="mw-page-title-main">Protection ring</span> Layer of protection in computer systems

In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults and malicious behavior.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS. Cloudburst was presented in Black Hat USA 2009.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

<span class="mw-page-title-main">Kernel page-table isolation</span>

Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

<span class="mw-page-title-main">Foreshadow</span> Hardware vulnerability for Intel processors

Foreshadow, known as L1 Terminal Fault (L1TF) by Intel, is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.

In digital computing, hardware security bugs are hardware bugs or flaws that create vulnerabilities affecting computer central processing units (CPUs), or other devices which incorporate programmable processors or logic and have direct memory access, which allow data to be read by a rogue process when such reading is not authorized. Such vulnerabilities are considered "catastrophic" by security analysts.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.

SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

Retbleed is a speculative execution attack on x86-64 and ARM processors, including some recent Intel and AMD chips. First made public in 2022, it is a variant of the Spectre vulnerability which exploits retpoline, which was a mitigation for speculative execution attacks.

References

  1. 1 2 3 "Potential Impact on Processors in the POWER Family – IBM PSIRT Blog". IBM.com. 2018-01-25. Retrieved 2018-01-30.
  2. "About speculative execution vulnerabilities in ARM-based and Intel CPUs".
  3. 1 2 Arm Ltd. "Arm Processor Security Update". ARM Developer.
  4. 1 2 Bright, Peter (2018-01-05). "Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it". Ars Technica . Retrieved 2018-01-06.
  5. 1 2 "Apple Confirms 'Meltdown' and 'Spectre' Vulnerabilities Impact All Macs and iOS Devices, Some Fixes Already Released". 2018-01-04.
  6. Vaughan-Nichols, Steven J. (2018-01-11). "Major Linux distros have Meltdown patches, but that's only part of the fix". ZDNet . Retrieved 2018-01-16.
  7. "CVE-2017-5754". Security-Tracker.Debian.org. Retrieved 2018-01-16.
  8. "CERT: "Meltdown and Spectre" CPU Security Flaw Can Only Be Fixed by Hardware Replacement – WinBuzzer". 2018-01-04.
  9. 1 2 "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register.
  10. "Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments". Intel newsroom. 2018-01-04. Retrieved 2018-01-05.
  11. Schneier, Bruce. "Spectre and Meltdown Attacks Against Microprocessors – Schneier on Security". Schneier.com. Retrieved 2018-01-09.
  12. "This Week in Security: Internet Meltdown Over Spectre of CPU Bug". Cylance.com. 2018-01-05. Retrieved 2018-01-30.
  13. "Meltdown, Spectre: here's what you should know". Rudebaguette.com. 2018-01-08. Retrieved 2018-01-30.
  14. King, Ian; Kahn, Jeremy; Webb, Alex; Turner, Giles (2018-01-08). "'It Can't Be True.' Inside the Semiconductor Industry's Meltdown". Bloomberg Technology . Archived from the original on 2018-01-10. Retrieved 2018-01-10.
  15. 1 2 Metz, Cade; Chen, Brian X. (2018-01-04). "What You Need to Do Because of Flaws in Computer Chips". The New York Times . Retrieved 2018-01-05.
  16. 1 2 Pressman, Aaron (2018-01-05). "Why Your Web Browser May Be Most Vulnerable to Spectre and What to Do About It". Fortune . Retrieved 2018-01-05.
  17. 1 2 Chacos, Brad (2018-01-04). "How to protect your PC from the major Meltdown and Spectre CPU flaws". PC World . Retrieved 2018-01-04.
  18. 1 2 Elliot, Matt (2018-01-04). "Security – How to protect your PC against the Intel chip flaw – Here are the steps to take to keep your Windows laptop or PC safe from Meltdown and Spectre". CNET . Retrieved 2018-01-04.
  19. 1 2 3 "Computer chip scare: What you need to know". BBC News . 2018-01-04. Retrieved 2018-01-04.
  20. 1 2 3 4 Metz, Cade; Perlroth, Nicole (2018-01-03). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN   0362-4331 . Retrieved 2018-01-03.
  21. 1 2 3 "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved 2018-01-04.
  22. Hachman, Mark (2018-01-09). "Microsoft tests show Spectre patches drag down performance on older PCs". PC World . Retrieved 2018-01-09.
  23. 1 2 Tung, Liam (2018-01-18). "Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch – Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs". ZDNet . Retrieved 2018-01-18.
  24. 1 2 3 4 Staff (2018-01-26). "Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products". Dell . Retrieved 2018-01-26.
  25. 1 2 3 4 Staff (2018-01-26). "Meltdown and Spectre Vulnerabilities". Dell . Archived from the original on 2018-03-05. Retrieved 2018-01-26.
  26. Warren, Tom (2018-03-15). "Intel processors are being redesigned to protect against Spectre – New hardware coming later this year". The Verge . Retrieved 2018-03-20.
  27. Shankland, Stephen (2018-03-15). "Intel will block Spectre attacks with new chips this year – Cascade Lake processors for servers, coming this year, will fight back against a new class of vulnerabilities, says CEO Brian Krzanich". CNET . Retrieved 2018-03-20.
  28. 1 2 Smith, Ryan (2018-03-15). "Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year". AnandTech . Retrieved 2018-03-20.
  29. 1 2 Coldewey, Devin (2018-03-15). "Intel announces hardware fixes for Spectre and Meltdown on upcoming chips". TechCrunch . Retrieved 2018-03-28.
  30. 1 2 3 Shilov, Anton (2018-10-08). "Intel's New Core and Xeon W-3175X Processors: Spectre and Meltdown Security Update". AnandTech . Retrieved 2018-10-09.
  31. 1 2 "Meltdown and Spectre". SpectreAttack.com. Retrieved 2018-01-30.
  32. "What Are the Spectre and Meltdown CPU Vulnerabilities".
  33. Sibert, Olin; Porras, Philip A.; Lindell, Robert (1995-05-08). "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems" (PDF). doi:10.1109/SECPRI.1995.398934. S2CID   923198. Archived from the original (PDF) on 2018-01-07. Retrieved 2018-01-09.{{cite journal}}: Cite journal requires |journal= (help)
  34. "OS X Mountain Lion Core Technologies Overview" (PDF). June 2012. Retrieved 2012-07-25.
  35. "Linux_3.14". kernelnewbies.org. 2017-12-30. Retrieved 2018-01-18.
  36. Fogh, Anders; Gruss, Daniel. "Blackhat USA 2016, Using Undocumented CPU Behavior to See into Kernel Mode and Break KASLR in the Process".
  37. Lipp, Moritz; Gruss, Daniel; Spreitzer, Raphael; Maurice, Clémentine; Mangard, Stefan (2016-08-10). "ARMageddon: Cache Attacks on Mobile Devices" (PDF). Retrieved 2018-01-09.
  38. Maurice, Clémentine; Lipp, Moritz (2016-12-27). "What could possibly go wrong with <insert x86 instruction here>?".
  39. Gras, Ben; Razavi, Kaveh; Bosman, Erik; Box, Herbert; Giuffrida, Cristiano (2017-02-27). "ASLR on the Line: Practical Cache Attacks on the MMU" . Retrieved 2018-01-09.
  40. Intel SGX Prime+Probe attack
  41. "KASLR is Dead: Long Live KASLR" (PDF).
  42. Gruss, Daniel; Lipp, Moritz; Schwarz, Michael; Fellner, Richard; Maurice, Clémentine; Mangard, Stefan (2017). "KASLR is Dead: Long Live KASLR". Engineering Secure Software and Systems. Lecture Notes in Computer Science. Vol. 10379. pp. 161–176. doi:10.1007/978-3-319-62105-0_11. ISBN   978-3-319-62104-3.
  43. Gruss, Daniel (2018-01-03). "#FunFact: We submitted #KAISER to #bhusa17 and got it rejected". Archived from the original on 2018-01-08. Retrieved 2018-01-08 via Twitter.
  44. 1 2 3 4 5 6 Lipp, Moritz; Schwarz, Michael; Gruss, Daniel; Prescher, Thomas; Haas, Werner; Fogh, Anders; Horn, Jann; Mangard, Stefan; Kocher, Paul; Genkin, Daniel; Yarom, Yuval; Hamburg, Mike. "Meltdown: Reading Kernel Memory from User Space" (PDF). MeltdownAttack.com. Retrieved 2019-02-25.
  45. "Negative Result Reading Kernel Memory from user Mode". 2017-07-28.
  46. 1 2 "Meltdown and Spectre: Which systems are affected by Meltdown?". meltdownattack.com. Retrieved 2018-01-03.
  47. "Kernel ASLR on amd64". 2017. Retrieved 2017-10-16.
  48. "Apple Open Source". 2017.
  49. Ionescu, Alex (2017-11-14). "Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER)". Twitter . Archived from the original on 2018-01-06. Retrieved 2018-01-06.
  50. Gibbs, Samuel (2018-01-04). "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers". The Guardian. Archived from the original on 2018-01-06. Retrieved 2018-01-06.
  51. "Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)". Ubuntu Wiki. Retrieved 2018-01-04.
  52. Lynley, Matthew (2018-01-28). "Intel reportedly notified Chinese companies of chip security flaw before the U.S. government". TechCrunch . Retrieved 2018-01-28.
  53. Catalin Cimpanu (2018-11-14). "Researchers discover seven new Meltdown and Spectre attacks". ZDNet . Retrieved 2018-11-17.
  54. 1 2 Galowicz, Jacek (2018-01-03). "Cyberus Technology Blog – Meltdown". blog.cyberus-technology.de.
  55. Wheeler, Eric (2018-01-04). "Meltdown BUG: What about KVM/Xen/Docker/OpenVZ/LXC/PV-Xen/HyperV?". www.linuxglobal.com.
  56. Bhat, Akshay (2018-01-17). "Meltdown and Spectre vulnerabilities". timesys.com. Retrieved 2018-01-23. unless your product allows running 3rd party or WEB applications, we believe the device is not exposed to exploits
  57. Staff (2018-01-03). "Intel Responds To Security Research Findings". Intel . Retrieved 2018-01-04.
  58. "Processor Speculative Execution Research Disclosure". Amazon Web Services, Inc. Retrieved 2018-01-03.
  59. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. 2018-01-03.
  60. 1 2 3 "Arm Processor Security Update". ARM Developer. ARM Ltd. 2018-01-03. Retrieved 2018-01-05.
  61. "Intel's processors have a security bug and the fix could slow down PCs". The Verge . Retrieved 2018-01-03.
  62. 1 2 "Linux Gaming Performance Doesn't Appear Affected By The x86 PTI Work". Phoronix.com. Retrieved 2018-01-03.
  63. Lendacky, Tom. "[tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors". LKML.org. Retrieved 2018-01-03.
  64. "Patches arrive for Intel's 'Meltdown' flaw — here's how to protect your device". 2018-01-04.
  65. "An Update on AMD Processor Security".
  66. "Who's affected by computer chip security flaw". Archived from the original on 2018-01-04. Retrieved 2018-01-04.
  67. "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register .
  68. Staff (2018). "Meltdown and Spectre-faq-systems-spectre". Graz University of Technology . Retrieved 2018-01-03.
  69. Busvine, Douglas; Nellis, Stephen (2018-01-03). "Security flaws put virtually all phones, computers at risk". Reuters. Thomson-Reuters. Retrieved 2018-01-08.
  70. "Google: Almost All CPUs since 1995 Vulnerable to "Meltdown" and "Spectre" Flaws".
  71. "P6 family microarchitecture". www.jaist.ac.jp.
  72. "Understanding Those Alarming Computer Chip Security Holes: 'Meltdown' and 'Spectre'".
  73. "'Spectre' and 'Meltdown': New CPU vulnerabilities affect most smartphones and computers". 2018-01-04.
  74. "Why Raspberry Pi Isn't Vulnerable to Spectre or Meltdown". Raspberry Pi. 2018-01-05. Retrieved 2018-01-30.
  75. Tung, Liam (2018-01-10). "Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs". ZDNet. Retrieved 2018-01-30.
  76. "Solaris+SPARC is Meltdown (CVE-2017-5754) free – Tales from the Datacenter". Tales from the Datacenter. 2018-01-22. Retrieved 2018-01-23.
  77. Kroah-Hartman, Greg (2018-01-02). "Linux 4.14.11 Changelog". kernel.org.
  78. Kroah-Hartman, Greg (2018-01-05). "Linux 4.9.75 Changelog". kernel.org.
  79. Corbet, Jonathon (2017-11-15). "KAISER: hiding the kernel from user space". LWN. Retrieved 2018-01-03.
  80. Corbet, Jonathon (2017-12-20). "The current state of kernel page-table isolation". LWN. Retrieved 2018-01-03.
  81. "RHSA-2018:0008 – Security Advisory". RedHat announcements.
  82. "RHSA-2018:0007 – Security Advisory". RedHat announcements.
  83. "[CentOS-announce] CESA-2018:0008 Important CentOS 6 kernel Security Update". CentOS announcements. 2018-01-04. Retrieved 2018-01-05.
  84. "[CentOS-announce] CESA-2018:0007 Important CentOS 7 kernel Security Update". CentOS announcements. 2018-01-04. Retrieved 2018-01-05.
  85. "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register . Retrieved 2018-01-03.
  86. "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan". Apple Support. Retrieved 2018-01-18.
  87. "About the security content of iOS 11.2". Apple Support. Retrieved 2018-01-18.
  88. "About the security content of tvOS 11.2". Apple Support. Retrieved 2018-01-18.
  89. "About speculative execution vulnerabilities in ARM-based and Intel CPUs". Apple Support. Retrieved 2018-01-18.
  90. "Apple Releases macOS High Sierra 10.13.2 Supplemental Update With Spectre Fix" . Retrieved 2018-01-18.
  91. "Apple Releases iOS 11.2.2 With Security Fixes to Address Spectre Vulnerability" . Retrieved 2018-01-18.
  92. "About the security content of Safari 11.0.2". Apple Support. Retrieved 2018-01-18.
  93. "About the security content of macOS High Sierra 10.13.2 Supplemental Update". Apple Support. Retrieved 2018-01-18.
  94. "About the security content of iOS 11.2.2". Apple Support. Retrieved 2018-01-18.
  95. Warren, Tom (2018-01-03). "Microsoft issues emergency Windows update for processor security bugs". The Verge. Vox Media, Inc. Retrieved 2018-01-03.
  96. Thorp-Lancaster, Dan (2018-01-03). "Microsoft pushing out emergency fix for newly disclosed processor exploit". Windows Central. Retrieved 2018-01-04.
  97. "Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities". support.microsoft.com. Retrieved 2018-01-04.
  98. "Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities". Microsoft Support.
  99. 1 2 Ranger, Steve. "Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs". ZDNet. Retrieved 2018-01-09.
  100. Tung, Liam. "Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus". ZDNet. Retrieved 2018-01-04.
  101. "Important information regarding the Windows security updates released on 3 January 2018 and anti-virus software". Microsoft . Retrieved 2018-01-04.
  102. "Westmere Arrives". www.realworldtech.com.
  103. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired . Retrieved 2018-01-04.
  104. "Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs". PCWorld. Retrieved 2018-01-04.
  105. "Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes". Phoronix. Retrieved 2018-01-04.
  106. Larabel, Michael (2019-05-24). "Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload". Phoronix . Retrieved 2019-05-25.
  107. Hachman, Mark (2018-01-25). "Intel's plan to fix Meltdown in silicon raises more questions than answers – But what silicon?!! Be sure and read the questions Wall Street should have asked". PC World . Retrieved 2018-01-26.
  108. Bright, Peter (2018-04-04). "Intel drops plans to develop Spectre microcode for ancient chips". ArsTechnica.com. Retrieved 2020-11-03.
  109. "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems". Microsoft. 2018-01-09.