Transient execution CPU vulnerabilities

From HandWiki

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The classic example is Spectre but since January 2018 many different vulnerabilities have been identified.

Overview

Modern computers are highly parallel devices, composed of components with very different performance characteristics. If an operation (such as a branch) cannot yet be performed because some earlier slow operation (such as a memory read) has not yet completed, a microprocessor may attempt to predict the result of the earlier operation and execute the later operation speculatively, acting as if the prediction was correct. The prediction may be based on recent behavior of the system. When the earlier, slower operation completes, the microprocessor determines whether prediction was correct or incorrect. If it was correct then execution proceeds uninterrupted; if it was incorrect then the microprocessor rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation.

In terms of the directly visible behavior of the computer it is as if the speculatively executed code "never happened". However, this speculative execution may affect the state of certain components of the microprocessor, such as the cache, and this effect may be discovered by careful monitoring of the timing of subsequent operations.

If an attacker can arrange that the speculatively executed code (which may be directly written by the attacker, or may be a suitable gadget that they have found in the targeted system) operates on secret data that they are unauthorized to access, and has a different effect on the cache for different values of the secret data, they may be able to discover the value of the secret data.

Starting in 2017, multiple examples of such vulnerabilities were identified, with publication starting in early 2018.

Summary of Vulnerabilities

Hardware mitigations impose close to zero performance loss, while microcode and/or OS mitigations might incur quite a significant performance loss (depending on workload).

Various CPU microarchitectures not included in this table are also affected, among them are IBM Power, ARM, MIPS and others.[1][2][3][4]

Vulnerability N CVE Public Vulnerability Name

(codename)

Affected CPU architectures and mitigations
Intel[5] AMD[6]
Ice Lake[7] Cascade Lake,

Comet Lake

Whiskey Lake,

Amber Lake

Coffee Lake (9th gen)[8] Coffee Lake (8th gen)* Zen 1 / Zen 1+ Zen 2[9]
Spectre 1 2017-5753 Bounds Check Bypass OS/VMM Microcode + OS/VMM Hardware + OS/VMM
Spectre 2 2017-5715 Branch Target Injection Hardware + OS Microcode + OS Microcode + OS
SpectreRSB[10]/ret2spec[11] 2 2018-15572 Return Mispredict
Meltdown 3 2017-5754 Rogue Data Cache Load Not affected Microcode Not affected
Spectre-NG 3a 2018-3640 Rogue System Register Read Not affected[12] Microcode
Spectre-NG 4 2018-3639 Speculative Store Bypass Hardware + OS/VMM[12] Microcode + OS OS/VMM Hardware + OS/VMM
Foreshadow 5 2018-3615 L1 Terminal Fault (L1TF) Not affected Microcode Not affected
Spectre-NG 2018-3665 Lazy FP State Restore OS/VMM[13]
Spectre-NG 1.1 2018-3693 Bounds Check Bypass Store OS/VMM[14]
Spectre-NG 1.2 Read-only Protection Bypass (RPB)
Foreshadow-OS 2018-3620 L1 Terminal Fault (L1TF) Not affected Microcode + OS Not affected
Foreshadow-VMM 2018-3646 L1 Terminal Fault (L1TF)
RIDL/ZombieLoad 2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
RIDL 2018-12127 Microarchitectural Load Port Data Sampling (MLPDS) Not affected Not affected [1] Not affected Microcode + OS [15]
RIDL 2019-11091

Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

Not affected Microcode + OS
Fallout 2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS) Not affected Not affected [2] Not affected Microcode + OS
Spectre SWAPGS 1 2019-1125 None yet[16][17][18] Same as Spectre 1
RIDL/ZombieLoad v2 2019-11135 Transactional Asynchronous Abort (TAA)[19][20][21] Not Affected[22] Microcode + OS

The 8th generation Coffee Lake architecture in this table also applies to a wide range of previously released Intel CPUs, not limited to the architectures based on Intel Core, Pentium 4 and Intel Atom starting with Silvermont.[23][24]

Notes

1.^ Stepping 5 of the 2nd Generation Intel® Xeon® Scalable Processors based on Cascade Lake microarchitecture is affected by both MSBDS and MLPDS.

References

  1. "Meltdown and Spectre Status Page". https://wiki.netbsd.org/security/meltdown_spectre/. 
  2. Ltd, Arm. "Speculative Processor Vulnerability | Cache Speculation Issues Update" (in en). https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/cache-speculation-issues-update. 
  3. "About speculative execution vulnerabilities in ARM-based and Intel CPUs" (in en). https://support.apple.com/en-us/HT208394. 
  4. "Potential Impact on Processors in the POWER Family" (in en-US). 2019-05-14. https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/. 
  5. "Engineering New Protections Into Hardware" (in en). https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html. 
  6. "AMD Product Security | AMD". 2019-08-10. https://www.amd.com/en/corporate/product-security. 
  7. Cutress, Dr Ian. "The Ice Lake Benchmark Preview: Inside Intel's 10nm". https://www.anandtech.com/show/14664/testing-intel-ice-lake-10nm/3. 
  8. online, heise. "Intel Core i9-9900K mit 8 Kernen und 5 GHz für Gamer" (in de-DE). https://www.heise.de/newsticker/meldung/Intel-Core-i9-9900K-mit-8-Kernen-und-5-GHz-fuer-Gamer-4183783.html. 
  9. Cutress, Ian. "AMD Zen 2 Microarchitecture Analysis: Ryzen 3000 and EPYC Rome". https://www.anandtech.com/show/14525/amd-zen-2-microarchitecture-analysis-ryzen-3000-and-epyc-rome. 
  10. "Spectre Returns! Speculation Attacks using the Return Stack Buffer" (PDF). https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf. 
  11. "ret2spec: Speculative Execution Using Return Stack Buffers" (PDF). 2018. https://arxiv.org/pdf/1807.10364.pdf. 
  12. 12.0 12.1 "Engineering New Protections Into Hardware" (in en). https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html. 
  13. "INTEL-SA-00145". https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html. 
  14. "Bounds Check Bypass Store (BCBS) Vulnerability (INTEL-OSS-10002)". https://www.intel.com/content/www/us/en/support/articles/000029382/processors.html. 
  15. "Intel Deep Dive CPUID Enumeration and Architectural MSRs". https://software.intel.com/security-software-guidance/insights/deep-dive-cpuid-enumeration-and-architectural-msrs. 
  16. "Bitdefender SWAPGS Attack Mitigation Solutions". https://www.bitdefender.com/business/swapgs-attack.html. 
  17. "Documentation/admin-guide/hw-vuln/spectre.rst - chromiumos/third_party/kernel - Git at Google". https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/tags/v4.19.65/Documentation/admin-guide/hw-vuln/spectre.rst. 
  18. Winder, Davey (6 August 2019). "Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now". Forbes. https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/. Retrieved 7 August 2019. 
  19. "Cyberus Technology: TSX Asynchronous Abort" (in en). https://www.cyberus-technology.de/. 
  20. at 18:02, Shaun Nichols in San Francisco 12 Nov 2019. "True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant" (in en). https://www.theregister.co.uk/2019/11/12/zombieload_cpu_attack/. 
  21. Cimpanu, Catalin. "Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack" (in en). https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/. 
  22. "Intel Deep Dive TSX Asynchronous Abort" (in en). https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort. 
  23. "INTEL-SA-00088" (in en). https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html. 
  24. "INTEL-SA-00115" (in en). https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html. 

External Links

  1. Vulnerabilities associated with CPU speculative execution
  2. A systematic evaluation of transient execution attacks and defenses
  3. A dynamic tree of transient execution vulnerabilities for Intel, AMD and ARM CPUs
  4. Transient Execution Attacks by Daniel Gruss, June 20, 2019
  5. CPU Bugs