Speculative execution side-channel vulnerabilities [Updated]
Update: Added notes about libgo improvements landing in GCC 10 Git.
It’s been over a year since speculative execution side-channel vulnerabilities are making the headlines. Understanding and knowledge of them are essential to protect against attacks that use them. This post tries to gather information about them. I will update it as new ones are discovered.
Get to know them
We can group them in the following sub-families:
|CVE-2017-5753||bounds check bypass||‘Spectre Variant 1’|
|CVE-2017-5715||branch target injection||‘Spectre Variant 2’|
|CVE-2017-5754||rogue data cache load||‘Meltdown’ or ‘Variant 3’|
|CVE-2018-3640||rogue system register read||‘Variant 3a’|
|CVE-2018-3639||speculative store bypass||‘Variant 4’|
|CVE-2018-3615||L1 Terminal Fault||‘Foreshadow (SGX)’|
|CVE-2018-3620||L1 Terminal Fault||‘Foreshadow-NG (OS)’|
|CVE-2018-3646||L1 Terminal Fault||‘Foreshadow-NG (VMM)’|
|CVE-2018-12126||microarchitectural store buffer
data sampling (MSBDS)
|CVE-2018-12130||microarchitectural fill buffer
data sampling (MFBDS)
|CVE-2018-12127||microarchitectural load port
data sampling (MLPDS)
|CVE-2019-11091||microarchitectural data sampling
uncacheable memory (MDSUM)
While Spectre variants affect almost all chips featuring out-of-order execution, Intel chips are vulnerable to all speculative execution side-channel attacks.
I’ve gathered information in resources linked below:
It is worth to also check Intel security software guidance.
Check for mitigations to be installed and enabled:
There are two ways to do so:
via this awesome script (Windows, Solaris and macOS are not supported):
$ curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh $ chmod +x spectre-meltdown-checker.sh $ sudo ./spectre-meltdown-checker.sh
or, on Linux, you can do it in a less-fancy way but without the need to download and execute a script (your kernel may need to be updated to support these):
$ ls -1 /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/l1tf /sys/devices/system/cpu/vulnerabilities/mds /sys/devices/system/cpu/vulnerabilities/meltdown /sys/devices/system/cpu/vulnerabilities/spec_store_bypass /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 $ cat /sys/devices/system/cpu/vulnerabilities/* Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled Mitigation: PTI Vulnerable Mitigation: __user pointer sanitization Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
Phoronix has written an interesting post with a comparison of 2nd and 3rd gen Intel CPU performances, with and without mitigations applied. Check it out.
On May 31 2019, GCC developers have pushed code for libgo runtime library aimed at improving context switch speed of golang code running on Linux machines with a x86_64 CPU. More details are available here.
Speculative execution side-channel vulnerabilities make a relatively new topic in InfoSec and more are likely to be found down the road. I will update this post and the linked Google Spreadsheet as new vulnerabilities are discovered.
Thanks for reading.
Got some words you want to share? Tell me!