Speculative Store Bypass

Last updated

Speculative Store Bypass (SSB) (CVE - 2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. [1] It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). [2] After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG , [3] [4] [5] [6] it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a". [7] [1]

Contents

Details

Speculative execution exploit Variant 4, [8] is referred to as Speculative Store Bypass (SSB), [1] [9] and has been assigned CVE - 2018-3639. [7] SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities. [7]

Steps involved in exploit: [1]

  1. "Slowly" store a value at a memory location
  2. "Quickly" load that value from that memory location
  3. Utilize the value that was just read to disrupt the cache in a detectable way

Impact and mitigation

Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4. [7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance. [10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact. [11]

Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD). [7] [2] [12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks"[ needs update ]. [7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4; [13] [2] [14] however, microcode/firmware updates are required for the software updates to have an effect. [13]

Speculative execution exploit variants

Summary of speculative execution variants [15] [7] [16] [17]
VulnerabilityCVEExploit namePublic vulnerability nameCVSS v2.0CVSS v3.0
Spectre 2017-5753Variant 1 Bounds Check Bypass (BCB)4.75.6
Spectre2017-5715Variant 2 Branch Target Injection (BTI)4.75.6
Meltdown 2017-5754Variant 3 Rogue Data Cache Load (RDCL)4.75.6
Spectre-NG2018-3640Variant 3a Rogue System Register Read (RSRR [18] )4.75.6
Spectre-NG2018-3639Variant 4Speculative Store Bypass (SSB)4.95.5
Spectre-NG2018-3665 Lazy FP State Restore 4.75.6
Spectre-NG2018-3693 Bounds Check Bypass Store (BCBS)4.75.6
Foreshadow 2018-3615Variant 5 L1 Terminal Fault (L1TF)5.46.4
Foreshadow-NG2018-36204.75.6
Foreshadow-NG2018-36464.75.6

Related Research Articles

A control store is the part of a CPU's control unit that stores the CPU's microprogram. It is usually accessed by a microsequencer. A control store implementation whose contents are unalterable is known as a Read Only Memory (ROM) or Read Only Storage (ROS); one whose contents are alterable is known as a Writable Control Store (WCS).

In processor design, microcode is a technique that interposes a layer of computer organization between the central processing unit (CPU) hardware and the programmer-visible instruction set architecture of a computer. Microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal finite-state machine sequencing in many digital processing elements. Microcode is used in general-purpose central processing units, although in current desktop CPUs, it is only a fallback path for cases that the faster hardwired control unit cannot handle.

Intel Active Management Technology Out-of-band management platform

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a separate microprocessor not exposed to the user, in order to monitor, maintain, update, upgrade, and repair them. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

Pwnie Awards Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference.

Intel Core Line of CPUs by Intel

Intel Core is a line of streamlined midrange consumer, workstation and enthusiast computer central processing units (CPUs) marketed by Intel Corporation. These processors displaced the existing mid- to high-end Pentium processors at the time of their introduction, moving the Pentium to the entry level. Identical or more capable versions of Core processors are also sold as Xeon processors for the server and workstation markets.

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS. Cloudburst was presented in Black Hat USA 2009.

Intel Management Engine Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define private regions of memory, called enclaves, whose contents is inaccessible from the outside. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

Kernel page-table isolation

Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.

Meltdown (security vulnerability) Microprocessor security vulnerability

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

Spectre (security vulnerability) Processor security vulnerability

Spectre is a subset of security vulnerabilities within the class of vulnerabilities known as microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Intel microcode is microcode that runs inside x86 processors made by Intel. Since the P6 microarchitecture introduced in the mid-1990s, the microcode programs can be patched by the operating system or BIOS firmware to work around bugs found in the CPU after release. Intel had originally designed microcode updates for processor debugging under its design for testing (DFT) initiative.

Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

Foreshadow Hardware vulnerability for Intel processors

Foreshadow, known as L1 Terminal Fault (L1TF) by Intel, is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.

In digital computing, hardware security bugs are hardware bugs or flaws that create vulnerabilities affecting computer central processing units (CPUs), or other devices which incorporate programmable processors or logic and have direct memory access, which allow data to be read by a rogue process when such reading is not authorized. Such vulnerabilities are considered "catastrophic" by security analysts.

Spoiler is a security vulnerability on modern computer central processing units that use speculative execution. It exploits side-effects of speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel Core CPUs are vulnerable to the attack as of 2019. AMD has stated that its processors are not vulnerable.

Microarchitectural Data Sampling CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The classic example is Spectre that gave its name to this kind of side-channel attack, but since January 2018 many different vulnerabilities have been identified.

SWAPGS, also known as Spectre variant 1 (swapgs), is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

Load value injection Microprocessor security vulnerability

Load value injection (LVI) is an attack on Intel microprocessors that can be used to attack Intel's Software Guard Extensions (SGX) technology. It is a development of the previously known Meltdown security vulnerability. Unlike Meltdown, which can only read hidden data, LVI can inject data values, and is resistant to the countermeasures so far used to mitigate the Meltdown vulnerability.

References

  1. 1 2 3 4 Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
  2. 1 2 3 Ubuntu Community (2018-05-21). "Variant4". Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  3. Schmidt, Jürgen (2018-05-03). "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug". c't - magazin für computertechnik (in German). Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-03.Schmidt, Jürgen (2018-05-03). "Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik . Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
  4. Fischer, Martin (2018-05-03). "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel". c't - magazin für computertechnik (in German). Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
  5. Tung, Liam (2018-05-04). "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". ZDNet . Archived from the original on 2018-05-22. Retrieved 2018-03-04.
  6. Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.
  7. 1 2 3 4 5 6 7 "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  8. Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge . Archived from the original on 2018-05-26. Retrieved 2018-05-22.
  9. Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends . Archived from the original on 2018-05-26. Retrieved 2018-05-22.
  10. Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired . Archived from the original on 2018-05-26. Retrieved 2018-05-26.
  11. "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.
  12. "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.
  13. 1 2 "Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639". RedHat. 2018-05-21. Resolve tab. Archived from the original on 2018-05-22. Retrieved 2018-05-22.
  14. Miller, Matt. "Analysis and mitigation of speculative store bypass (CVE-2018-3639)". Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  15. "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
  16. Windeck, Christof (2018-05-21). "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update". Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.
  17. "NVD - Cve-2017-5753".
  18. Sometimes misspelled "RSRE"

See also

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.