Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.
Modern computers are highly parallel devices, composed of components with very different performance characteristics. If an operation (such as a branch) cannot yet be performed because some earlier slow operation (such as a memory read) has not yet completed, a microprocessor may attempt to predict the result of the earlier operation and execute the later operation speculatively, acting as if the prediction was correct. The prediction may be based on recent behavior of the system. When the earlier, slower operation completes, the microprocessor determines whether prediction was correct or incorrect. If it was correct then execution proceeds uninterrupted; if it was incorrect then the microprocessor rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation. Specifically, a transient instruction [1] refers to an instruction processed by error by the processor (incriminating the branch predictor in the case of Spectre) which can affect the micro-architectural state of the processor, leaving the architectural state without any trace of its execution.
In terms of the directly visible behavior of the computer it is as if the speculatively executed code "never happened". However, this speculative execution may affect the state of certain components of the microprocessor, such as the cache, and this effect may be discovered by careful monitoring of the timing of subsequent operations.
If an attacker can arrange that the speculatively executed code (which may be directly written by the attacker, or may be a suitable gadget that they have found in the targeted system) operates on secret data that they are unauthorized to access, and has a different effect on the cache for different values of the secret data, they may be able to discover the value of the secret data.
Starting in 2017, multiple examples of such vulnerabilities were identified, with publication starting in early 2018.
In March 2021 AMD security researchers discovered that the Predictive Store Forwarding algorithm in Zen 3 CPUs could be used by malicious applications to access data it shouldn't be accessing. [2] According to Phoronix there's little performance impact in disabling the feature. [3]
In June 2021, two new vulnerabilities, Speculative Code Store Bypass (SCSB, CVE-2021-0086) and Floating Point Value Injection (FPVI, CVE-2021-0089), affecting all modern x86-64 CPUs both from Intel and AMD were discovered. [4] In order to mitigate them software has to be rewritten and recompiled. ARM CPUs are not affected by SCSB but some certain ARM architectures are affected by FPVI. [5]
In August 2021 a vulnerability called "Transient Execution of Non-canonical Accesses" affecting certain AMD CPUs was disclosed. [6] [7] [8] It requires the same mitigations as the MDS vulnerability affecting certain Intel CPUs. [9] It was assigned CVE-2020-12965. Since most x86 software is already patched against MDS and this vulnerability has the exact same mitigations, software vendors don't have to address this vulnerability.
In October 2021 for the first time ever a vulnerability similar to Meltdown was disclosed [10] [11] to be affecting all AMD CPUs however the company doesn't think any new mitigations have to be applied and the existing ones are already sufficient. [12]
In March 2022, a new variant of the Spectre vulnerability called Branch History Injection was disclosed. [13] [14] It affects certain ARM64 CPUs [15] and the following Intel CPU families: Cascade Lake, Ice Lake, Tiger Lake and Alder Lake. According to Linux kernel developers AMD CPUs are also affected. [16]
In March 2022, a vulnerability affecting a wide range of AMD CPUs was disclosed under CVE-2021-26341. [17] [18]
In June 2022, multiple MMIO Intel CPUs vulnerabilities related to execution in virtual environments were announced. [19] The following CVEs were designated: CVE-2022-21123, CVE-2022-21125, CVE-2022-21166.
In July 2022, the Retbleed vulnerability was disclosed affecting Intel Core 6 to 8th generation CPUs and AMD Zen 1, 1+ and 2 generation CPUs. Newer Intel microarchitectures as well as AMD starting with Zen 3 are not affected. The mitigations for the vulnerability decrease the performance of the affected Intel CPUs by up to 39%, while AMD CPUs lose up to 14%.
In August 2022, the SQUIP vulnerability was disclosed affecting Ryzen 2000–5000 series CPUs. [20] According to AMD the existing mitigations are enough to protect from it. [21]
According to a Phoronix review released in October, 2022 Zen 4/Ryzen 7000 CPUs are not slowed down by mitigations, in fact disabling them leads to a performance loss. [22] [23]
In February 2023 a vulnerability affecting a wide range of AMD CPU architectures called "Cross-Thread Return Address Predictions" was disclosed. [24] [25] [26]
In July 2023 a critical vulnerability in the Zen 2 AMD microarchitecture called Zenbleed was made public. [27] AMD released a microcode update to fix it. [28]
In August 2023 a vulnerability in AMD's Zen 1, Zen 2, Zen 3, and Zen 4 microarchitectures called INCEPTION [29] [30] was revealed and assigned CVE-2023-20569. According to AMD it is not practical but the company will release a microcode update for the affected products.
Also in August 2023 a new vulnerability called Downfall or Gather Data Sampling was disclosed, [31] [32] [33] affecting Intel CPU Skylake, Cascade Lake, Cooper Lake, Ice Lake, Tiger Lake, Amber Lake, Kaby Lake, Coffee Lake, Whiskey Lake, Comet Lake & Rocket Lake CPU families. Intel will release a microcode update for affected products.
In March 2024, a variant of Spectre-V1 attack called GhostRace was published. [34] It was claimed it affected all the major microarchitectures and vendors, including Intel, AMD and ARM. It was assigned CVE-2024-2193. AMD dismissed the vulnerability (calling it "Speculative Race Conditions (SRCs)") claiming that existing mitigations were enough. [35] Linux kernel developers chose not to add mitigations citing performance concerns. [36] The Xen hypervisor project released patches to mitigate the vulnerability but it's not enabled by default. [37]
Also in March 2024, a vulnerability in Intel Atom processors called Register File Data Sampling (RFDS) was revealed. [38] It was assigned CVE-2023-28746. Its mitigations incur a slight performance degradation. [39]
In April 2024, it was revealed that the BHI vulnerability in certain Intel CPU families could be still exploited in Linux entirely in user space without using any kernel features or root access despite existing mitigations. [40] [41] [42] Intel recommended "additional software hardening". [43] The attack was assigned a new CVE-2024-2201.
Spectre class vulnerabilities will remain unfixed because otherwise CPU designers will have to disable speculative execution which will entail a massive performance loss.[ citation needed ] Despite this, AMD has managed to design Zen 4 such a way its performance is not affected by mitigations. [22] [23]
Mitigation Type | Comprehensiveness | Effectiveness | Performance Impact |
---|---|---|---|
Hardware | Full | Full | None...Small |
Microcode | Partial | Partial...Full | None...Large |
OS/VMM | Partial | Partial...Full | Small...Large |
Software Recompilation | Poor | Partial...Full | Medium...Large |
Hardware mitigations require change to the CPU design and thus a new iteration of hardware, but impose close to zero performance loss. Microcode updates alter the software that the CPU runs on, requiring patches to be released and integrated into every operating system and for each CPU. OS/VMM mitigations are applied at the operating system or virtual machine level and (depending on workload) often incur quite a significant performance loss. Software recompilation requires recompiling every piece of software and usually incurs a severe performance hit.
Vulnerability Name (aliases) | CVE | Affected CPU architectures and mitigations | ||||||
---|---|---|---|---|---|---|---|---|
Intel [44] | AMD [45] | |||||||
Ice Lake [46] | Cascade Lake, Comet Lake | Whiskey Lake, Amber Lake | Coffee Lake (9th gen) [47] | Coffee Lake (8th gen)* | Zen 1 / Zen 1+ | Zen 2 [48] | ||
Spectre v1 Bounds Check Bypass | 2017-5753 | Software Recompilation | Software Recompilation [49] | |||||
Spectre v2 Branch Target Injection | 2017-5715 | Hardware + OS | Microcode + OS | Microcode + OS | Microcode + OS/VMM | Hardware + OS/VMM | ||
SpectreRSB [50] /ret2spec [51] Return Mispredict | 2018-15572 | OS [52] | ||||||
Meltdown Rogue Data Cache Load | 2017-5754 | Not affected | Microcode | Not affected | ||||
Spectre-NG v3a | 2018-3640 | Not affected [53] | Microcode | |||||
Spectre-NG v4 Speculative Store Bypass | 2018-3639 | Hardware + OS/VMM [53] | Microcode + OS | OS/VMM | Hardware + OS/VMM | |||
Foreshadow L1 Terminal Fault (L1TF) | 2018-3615 | Not affected | Microcode | Not affected | ||||
Spectre-NG Lazy FP State Restore | 2018-3665 | OS/VMM [54] | ||||||
Spectre-NG v1.1 Bounds Check Bypass Store | 2018-3693 | OS/VMM [55] | ||||||
Foreshadow-OS L1 Terminal Fault (L1TF) | 2018-3620 | Not affected | Microcode + OS | Not affected | ||||
Foreshadow-VMM L1 Terminal Fault (L1TF) | 2018-3646 | |||||||
RIDL/ZombieLoad Microarchitectural Fill Buffer Data Sampling (MFBDS) | 2018-12130 | |||||||
RIDL Microarchitectural Load Port Data Sampling (MLPDS) | 2018-12127 | Not affected | Not affected | Not affected | Microcode + OS [56] | |||
RIDL Microarchitectural Data Sampling Uncacheable Memory (MDSUM) | 2019-11091 | Not affected | Microcode + OS | |||||
Fallout Microarchitectural Store Buffer Data Sampling (MSBDS) | 2018-12126 | Microcode [57] [58] | Not affected | Not affected | Microcode + OS | |||
Spectre SWAPGS [59] [60] [61] | 2019-1125 | Same as Spectre 1 | ||||||
RIDL/ZombieLoad v2 Transactional Asynchronous Abort (TAA) [62] [63] [64] | 2019-11135 | Not Affected [65] | Microcode + OS | |||||
RIDL/CacheOut/ZombieLoad L1D Eviction Sampling (L1DES) [66] [67] [68] | 2020-0549 | Not Affected | ||||||
RIDL Vector Register Sampling (VRS) [66] [67] | 2020-0548 | |||||||
Load Value Injection (LVI) [69] [70] [71] [72] | 2020-0551 | Software recompilation | ||||||
CROSSTalk Special Register Buffer Data Sampling (SRBDS) [73] [74] [75] | 2020-0543 | Not affected | Microcode | Not affected | ||||
Branch History Injection (BHI) | 2022-0001 2022-0002 2024-2201 | Microcode + Software Recompilation | Not affected | |||||
Retbleed [76] [77] [78] [79] [80] | 2022-29900 2022-29901 | Not affected | Software recompilation | |||||
Cross-Thread Return Address Predictions [25] [24] | 2022-27672 | Not affected | Software recompilation | |||||
Zenbleed [81] [82] [83] | 2023-20593 | Not affected | Microcode | |||||
INCEPTION [29] [84] [85] Speculative Return Stack Overflow (SRSO) | 2023-20569 | Not affected | Microcode + OS | |||||
Downfall [31] [32] [33] Gather Data Sampling (GDS) | 2022-40982 | Microcode + OS | Not affected | |||||
SLAM [86] [87] [88] [89] Spectre based on Linear Address Masking | TBA | ? |
The 8th generation Coffee Lake architecture in this table also applies to a wide range of previously released Intel CPUs, not limited to the architectures based on Intel Core, Pentium 4 and Intel Atom starting with Silvermont. [90] [91] Various CPU microarchitectures not included above are also affected, among them are IBM Power, ARM, MIPS and others. [92] [93] [94] [95]
Intel CPUs past Ice Lake, e.g. Rocket Lake and Tiger Lake are not affected by Fallout/MSBDS.
Intel Core is a line of multi-core central processing units (CPUs) for midrange, embedded, workstation, high-end and enthusiast computer markets marketed by Intel Corporation. These processors displaced the existing mid- to high-end Pentium processors at the time of their introduction, moving the Pentium to the entry level. Identical or more capable versions of Core processors are also sold as Xeon processors for the server and workstation markets.
RDRAND
is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.
The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.
Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.
Zen is the codename for the first iteration in a family of computer processor microarchitectures of the same name from AMD. It was first used with their Ryzen series of CPUs in February 2017. The first Zen-based preview system was demonstrated at E3 2016, and first substantially detailed at an event hosted a block away from the Intel Developer Forum 2016. The first Zen-based CPUs, codenamed "Summit Ridge", reached the market in early March 2017, Zen-derived Epyc server processors launched in June 2017 and Zen-based APUs arrived in November 2017.
Zen 2 is a computer processor microarchitecture by AMD. It is the successor of AMD's Zen and Zen+ microarchitectures, and is fabricated on the 7 nm MOSFET node from TSMC. The microarchitecture powers the third generation of Ryzen processors, known as Ryzen 3000 for the mainstream desktop chips, Ryzen 4000U/H and Ryzen 5000U for mobile applications, as Threadripper 3000 for high-end desktop systems, and as Ryzen 4000G for accelerated processing units (APUs). The Ryzen 3000 series CPUs were released on 7 July 2019, while the Zen 2-based Epyc server CPUs were released on 7 August 2019. An additional chip, the Ryzen 9 3950X, was released in November 2019.
Ryzen is a brand of multi-core x86-64 microprocessors designed and marketed by Advanced Micro Devices (AMD) for desktop, mobile, server, and embedded platforms based on the Zen microarchitecture. It consists of central processing units (CPUs) marketed for mainstream, enthusiast, server, and workstation segments and accelerated processing units (APUs) marketed for mainstream and entry-level segments and embedded systems applications.
Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.
Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.
Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.
Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".
Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.
Foreshadow, known as L1 Terminal Fault (L1TF) by Intel, is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.
Spoiler is a security vulnerability on modern computer central processing units that use speculative execution. It exploits side-effects of speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel Core CPUs are vulnerable to the attack as of 2019. AMD has stated that its processors are not vulnerable.
The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.
SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.
Hertzbleed is a hardware security attack which describes exploiting dynamic frequency scaling to reveal secret data. The attack is a kind of timing attack, bearing similarity to previous power analysis vulnerabilities. Hertzbleed is more dangerous than power analysis, as it can be exploited by a remote attacker. Disclosure of cryptographic keys is the main concern regarding the exploit but other uses of the attack have been demonstrated since its initial discovery.
Retbleed is a speculative execution attack on x86-64 and ARM processors, including some recent Intel and AMD chips. First made public in 2022, it is a variant of the Spectre vulnerability which exploits retpoline, which was a mitigation for speculative execution attacks.
Downfall, known as Gather Data Sampling (GDS) by Intel, is a computer security vulnerability found in 6th through 11th generations of consumer and 1st through 4th generations of Xeon Intel x86-64 microprocessors. It is a transient execution CPU vulnerability which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.
{{cite web}}
: CS1 maint: numeric names: authors list (link){{cite web}}
: CS1 maint: numeric names: authors list (link)