Speculative Store Bypass
Speculative Store Bypass (SSB) (CVE-2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities.[1] It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ).[2] After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG,[3][4][5][6] it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".[7][1]
Details
The speculative execution exploit known as Variant 4[8] is referred to as Speculative Store Bypass (SSB)[1][9] and has been assigned CVE-2018-3639.[7] Although it is named Variant 4, SSB is the fifth variant in the Spectre-Meltdown class of vulnerabilities.[7]
Steps involved in the exploit:[1]
- "Slowly" store a value at a memory location
- "Quickly" load that value from that memory location
- Utilize the value that was just read to disrupt the cache in a detectable way
Impact and mitigation
Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.[11]
Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD).[7][2][12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks".[7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;[13][2][14] however, microcode/firmware updates are required for the software updates to have an effect.[13]
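Because SSBD is a per-task hardware flag that the operating system exposes rather than something the kernel enables globally by default, an administrator or service owner has to verify two things on a Linux host: whether the microcode actually provides SSBD (the kernel reports this in sysfs), and whether a given sensitive process has opted in. The following C program is an added example written for this article, not code from Intel, Red Hat or the Linux project. It assumes the Linux status file `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass` and the `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ...)` interface, both of which exist in Linux kernels that carry the Variant 4 mitigation; the status strings it classifies are the ones the kernel prints, and the fallback constant values are taken from the kernel's UAPI header.

```c
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/prctl.h>
/* Fallbacks for older libc headers; values match include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS  0
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#endif

/* Classification of the kernel's spec_store_bypass sysfs line. */
enum ssb_status {
    SSB_UNKNOWN = 0,      /* unrecognised text, or file not present */
    SSB_NOT_AFFECTED,     /* "Not affected": CPU does not do this speculation */
    SSB_VULNERABLE,       /* "Vulnerable": no SSBD microcode, or mitigation off */
    SSB_DISABLED_GLOBAL,  /* SSBD forced on for every task (spec_store_bypass_disable=on) */
    SSB_DISABLED_PRCTL,   /* SSBD off by default, tasks may opt in via prctl */
    SSB_DISABLED_SECCOMP  /* as above, and seccomp-confined tasks get it automatically */
};

/* Map one status line, as printed by the kernel, to an enum value. */
enum ssb_status classify_ssb_status(const char *line)
{
    static const char pfx[] = "Mitigation: Speculative Store Bypass disabled";
    if (!line) return SSB_UNKNOWN;
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0) return SSB_VULNERABLE;
    if (strncmp(line, pfx, sizeof pfx - 1) != 0) return SSB_UNKNOWN;
    const char *rest = line + (sizeof pfx - 1);
    if (strstr(rest, "seccomp")) return SSB_DISABLED_SECCOMP;
    if (strstr(rest, "prctl"))   return SSB_DISABLED_PRCTL;
    return SSB_DISABLED_GLOBAL;
}

/* True when a process can still request SSBD for itself at run time. */
int ssb_prctl_available(enum ssb_status s)
{
    return s == SSB_DISABLED_PRCTL || s == SSB_DISABLED_SECCOMP;
}

/* Read the sysfs status line into buf (NUL-terminated) and classify it. */
enum ssb_status read_ssb_status(char *buf, size_t n)
{
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (!f) { buf[0] = '\0'; return SSB_UNKNOWN; }
    if (!fgets(buf, (int)n, f)) { fclose(f); buf[0] = '\0'; return SSB_UNKNOWN; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_ssb_status(buf);
}

int main(void)
{
    char line[128] = "";
    enum ssb_status s = read_ssb_status(line, sizeof line);
    printf("spec_store_bypass: %s\n", line[0] ? line : "(unavailable)");

#ifdef __linux__
    if (ssb_prctl_available(s)) {
        /* Opt this process (and the children it later forks) in to SSBD, so a
         * sensitive service pays the performance cost without a global switch. */
        if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0)
            perror("prctl(PR_SET_SPECULATION_CTRL)");
        int st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
        if (st < 0)
            perror("prctl(PR_GET_SPECULATION_CTRL)");
        else
            printf("store-bypass speculation for this process: %s\n",
                   (st & PR_SPEC_DISABLE) ? "disabled (mitigated)" : "enabled");
    }
#else
    (void)s; /* prctl speculation control is Linux-specific */
#endif
    return 0;
}
```

On a host whose status reads "Vulnerable", the prctl branch is skipped on purpose: without SSBD microcode the kernel cannot honour the request, which is the dependency the text describes between firmware and operating system updates. Running it inside a seccomp-confined container normally shows the process already mitigated when the status ends in "via prctl and seccomp".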
Speculative execution exploit variants
Vulnerability | CVE | Exploit name | Public vulnerability name | CVSS v2.0 | CVSS v3.0 |
---|---|---|---|---|---|
Spectre | 2017-5753 | Variant 1 | Bounds Check Bypass (BCB) | 4.7 | 5.6 |
Spectre | 2017-5715 | Variant 2 | Branch Target Injection (BTI) | 4.7 | 5.6 |
Meltdown | 2017-5754 | Variant 3 | Rogue Data Cache Load (RDCL) | 4.7 | 5.6 |
Spectre-NG | 2018-3640 | Variant 3a | Rogue System Register Read (RSRR[18]) | 4.7 | 5.6 |
Spectre-NG | 2018-3639 | Variant 4 | Speculative Store Bypass (SSB) | 4.9 | 5.5 |
Spectre-NG | 2018-3665 | | Lazy FP State Restore | 4.7 | 5.6 |
Spectre-NG | 2018-3693 | | Bounds Check Bypass Store (BCBS) | 4.7 | 5.6 |
Foreshadow | 2018-3615 | Variant 5 | L1 Terminal Fault (L1TF) | 5.4 | 6.4 |
Foreshadow-NG | 2018-3620 | | | 4.7 | 5.6 |
Foreshadow-NG | 2018-3646 | | | 4.7 | 5.6 |
References
- ↑ 1.0 1.1 1.2 1.3 "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. 2018-05-22. https://arstechnica.com/gadgets/2018/05/new-speculative-execution-vulnerability-strikes-amd-arm-and-intel/.
- ↑ 2.0 2.1 2.2 Ubuntu Community (2018-05-21). "Variant4". https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4.
- ↑ "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug" (in German). c't - magazin für computertechnik (Heise Online). 2018-05-03. https://www.heise.de/ct/artikel/Super-GAU-fuer-Intel-Weitere-Spectre-Luecken-im-Anflug-4039134.html. Retrieved 2018-05-03. "Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik (Heise Online). 2018-05-03. https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html. Retrieved 2018-05-04.
- ↑ "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel" (in German). c't - magazin für computertechnik (Heise Online). 2018-05-03. https://www.heise.de/security/meldung/Spectre-NG-Intel-Prozessoren-von-neuen-hochriskanten-Sicherheitsluecken-betroffen-4039302.html. Retrieved 2018-05-04.
- ↑ "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". 2018-05-04. https://www.zdnet.com/article/are-8-new-spectre-class-flaws-about-to-be-exposed-intel-confirms-its-readying-fixes/.
- ↑ "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. 2018-05-04. https://thehackernews.com/2018/05/intel-spectre-vulnerability.html.
- ↑ 7.0 7.1 7.2 7.3 7.4 7.5 7.6 "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html.
- ↑ "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. 2018-05-21. https://www.theverge.com/2018/5/21/17377994/google-microsoft-cpu-vulnerability-speculative-store-bypass-variant-4.
- ↑ "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. 2018-05-22. https://www.digitaltrends.com/computing/intel-spectre-like-bug-firmware/.
- ↑ "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. 2018-05-21. https://www.wired.com/story/speculative-store-bypass-spectre-meltdown-vulnerability/. Retrieved 2018-05-26.
- ↑ "A year with Spectre: a V8 perspective". 2019-04-23. https://v8.dev/blog/spectre.
- ↑ "Speculative Execution Side Channel Mitigations". Intel. May 2018. https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf.
- ↑ 13.0 13.1 "Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639". RedHat. 2018-05-21. Resolve tab. https://access.redhat.com/security/vulnerabilities/ssbd.
- ↑ "Analysis and mitigation of speculative store bypass (CVE-2018-3639)". Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/.
- ↑ "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24. https://www.kb.cert.org/vuls/id/180049.
- ↑ "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update" (in German). Heise Security. 2018-05-21. https://www.heise.de/security/meldung/CPU-Sicherheitsluecken-Spectre-NG-Updates-rollen-an-4051900.html.
- ↑ "NVD - CVE-2017-5753". https://nvd.nist.gov/vuln/detail/CVE-2017-5753.
- ↑ Sometimes misspelled "RSRE"
External links
- Website detailing the Meltdown and Spectre vulnerabilities, hosted by Graz University of Technology
- Google Project Zero write-up
- Meltdown/Spectre Checker Gibson Research Corporation
Original source: https://en.wikipedia.org/wiki/Speculative Store Bypass.