Transient execution CPU vulnerabilities
Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The classic example is Spectre but since January 2018 many different vulnerabilities have been identified.
Overview
Modern computers are highly parallel devices, composed of components with very different performance characteristics. If an operation (such as a branch) cannot yet be performed because some earlier slow operation (such as a memory read) has not yet completed, a microprocessor may attempt to predict the result of the earlier operation and execute the later operation speculatively, acting as if the prediction was correct. The prediction may be based on recent behavior of the system. When the earlier, slower operation completes, the microprocessor determines whether prediction was correct or incorrect. If it was correct then execution proceeds uninterrupted; if it was incorrect then the microprocessor rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation.
In terms of the directly visible behavior of the computer it is as if the speculatively executed code "never happened". However, this speculative execution may affect the state of certain components of the microprocessor, such as the cache, and this effect may be discovered by careful monitoring of the timing of subsequent operations.
If an attacker can arrange that the speculatively executed code (which may be directly written by the attacker, or may be a suitable gadget that they have found in the targeted system) operates on secret data that they are unauthorized to access, and has a different effect on the cache for different values of the secret data, they may be able to discover the value of the secret data.
Starting in 2017, multiple examples of such vulnerabilities were identified, with publication starting in early 2018.
Summary of Vulnerabilities
Hardware mitigations impose close to zero performance loss, while microcode and/or OS mitigations might incur quite a significant performance loss (depending on workload).
Various CPU microarchitectures not included in this table are also affected, among them are IBM Power, ARM, MIPS and others.[1][2][3][4]
Vulnerability | N | CVE | Public Vulnerability Name
(codename) |
Affected CPU architectures and mitigations | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Intel[5] | AMD[6] | |||||||||
Ice Lake[7] | Cascade Lake, | Whiskey Lake,
Amber Lake |
Coffee Lake (9th gen)[8] | Coffee Lake (8th gen)* | Zen 1 / Zen 1+ | Zen 2[9] | ||||
Spectre | 1 | 2017-5753 | Bounds Check Bypass | OS/VMM | Microcode + OS/VMM | Hardware + OS/VMM | ||||
Spectre | 2 | 2017-5715 | Branch Target Injection | Hardware + OS | Microcode + OS | Microcode + OS | ||||
SpectreRSB[10]/ret2spec[11] | 2 | 2018-15572 | Return Mispredict | |||||||
Meltdown | 3 | 2017-5754 | Rogue Data Cache Load | Not affected | Microcode | Not affected | ||||
Spectre-NG | 3a | 2018-3640 | Rogue System Register Read | Not affected[12] | Microcode | |||||
Spectre-NG | 4 | 2018-3639 | Speculative Store Bypass | Hardware + OS/VMM[12] | Microcode + OS | OS/VMM | Hardware + OS/VMM | |||
Foreshadow | 5 | 2018-3615 | L1 Terminal Fault (L1TF) | Not affected | Microcode | Not affected | ||||
Spectre-NG | 2018-3665 | Lazy FP State Restore | OS/VMM[13] | |||||||
Spectre-NG | 1.1 | 2018-3693 | Bounds Check Bypass Store | OS/VMM[14] | ||||||
Spectre-NG | 1.2 | Read-only Protection Bypass (RPB) | ||||||||
Foreshadow-OS | 2018-3620 | L1 Terminal Fault (L1TF) | Not affected | Microcode + OS | Not affected | |||||
Foreshadow-VMM | 2018-3646 | L1 Terminal Fault (L1TF) | ||||||||
RIDL/ZombieLoad | 2018-12130 | Microarchitectural Fill Buffer Data Sampling (MFBDS) | ||||||||
RIDL | 2018-12127 | Microarchitectural Load Port Data Sampling (MLPDS) | Not affected | Not affected [1] | Not affected | Microcode + OS [15] | ||||
RIDL | 2019-11091 | Not affected | Microcode + OS | |||||||
Fallout | 2018-12126 | Microarchitectural Store Buffer Data Sampling (MSBDS) | Not affected | Not affected [2] | Not affected | Microcode + OS | ||||
Spectre SWAPGS | 1 | 2019-1125 | None yet[16][17][18] | Same as Spectre 1 | ||||||
RIDL/ZombieLoad v2 | 2019-11135 | Transactional Asynchronous Abort (TAA)[19][20][21] | Not Affected[22] | Microcode + OS |
The 8th generation Coffee Lake architecture in this table also applies to a wide range of previously released Intel CPUs, not limited to the architectures based on Intel Core, Pentium 4 and Intel Atom starting with Silvermont.[23][24]
Notes
- 1.^ Stepping 5 of the 2nd Generation Intel® Xeon® Scalable Processors based on Cascade Lake microarchitecture is affected by both MSBDS and MLPDS.
References
- ↑ "Meltdown and Spectre Status Page". https://wiki.netbsd.org/security/meltdown_spectre/.
- ↑ Ltd, Arm. "Speculative Processor Vulnerability | Cache Speculation Issues Update" (in en). https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/cache-speculation-issues-update.
- ↑ "About speculative execution vulnerabilities in ARM-based and Intel CPUs" (in en). https://support.apple.com/en-us/HT208394.
- ↑ "Potential Impact on Processors in the POWER Family" (in en-US). 2019-05-14. https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/.
- ↑ "Engineering New Protections Into Hardware" (in en). https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html.
- ↑ "AMD Product Security | AMD". 2019-08-10. https://www.amd.com/en/corporate/product-security.
- ↑ Cutress, Dr Ian. "The Ice Lake Benchmark Preview: Inside Intel's 10nm". https://www.anandtech.com/show/14664/testing-intel-ice-lake-10nm/3.
- ↑ online, heise. "Intel Core i9-9900K mit 8 Kernen und 5 GHz für Gamer" (in de-DE). https://www.heise.de/newsticker/meldung/Intel-Core-i9-9900K-mit-8-Kernen-und-5-GHz-fuer-Gamer-4183783.html.
- ↑ Cutress, Ian. "AMD Zen 2 Microarchitecture Analysis: Ryzen 3000 and EPYC Rome". https://www.anandtech.com/show/14525/amd-zen-2-microarchitecture-analysis-ryzen-3000-and-epyc-rome.
- ↑ "Spectre Returns! Speculation Attacks using the Return Stack Buffer" (PDF). https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf.
- ↑ "ret2spec: Speculative Execution Using Return Stack Buffers" (PDF). 2018. https://arxiv.org/pdf/1807.10364.pdf.
- ↑ 12.0 12.1 "Engineering New Protections Into Hardware" (in en). https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html.
- ↑ "INTEL-SA-00145". https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html.
- ↑ "Bounds Check Bypass Store (BCBS) Vulnerability (INTEL-OSS-10002)". https://www.intel.com/content/www/us/en/support/articles/000029382/processors.html.
- ↑ "Intel Deep Dive CPUID Enumeration and Architectural MSRs". https://software.intel.com/security-software-guidance/insights/deep-dive-cpuid-enumeration-and-architectural-msrs.
- ↑ "Bitdefender SWAPGS Attack Mitigation Solutions". https://www.bitdefender.com/business/swapgs-attack.html.
- ↑ "Documentation/admin-guide/hw-vuln/spectre.rst - chromiumos/third_party/kernel - Git at Google". https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/tags/v4.19.65/Documentation/admin-guide/hw-vuln/spectre.rst.
- ↑ Winder, Davey (6 August 2019). "Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now". Forbes. https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/. Retrieved 7 August 2019.
- ↑ "Cyberus Technology: TSX Asynchronous Abort" (in en). https://www.cyberus-technology.de/.
- ↑ at 18:02, Shaun Nichols in San Francisco 12 Nov 2019. "True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant" (in en). https://www.theregister.co.uk/2019/11/12/zombieload_cpu_attack/.
- ↑ Cimpanu, Catalin. "Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack" (in en). https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/.
- ↑ "Intel Deep Dive TSX Asynchronous Abort" (in en). https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort.
- ↑ "INTEL-SA-00088" (in en). https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html.
- ↑ "INTEL-SA-00115" (in en). https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html.
External Links
- Vulnerabilities associated with CPU speculative execution
- A systematic evaluation of transient execution attacks and defenses
- A dynamic tree of transient execution vulnerabilities for Intel, AMD and ARM CPUs
- Transient Execution Attacks by Daniel Gruss, June 20, 2019
- CPU Bugs