├── LICENSE
└── README.md
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Legal Code
2 |
3 | CC0 1.0 Universal
4 |
5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
12 | HEREUNDER.
13 |
14 | Statement of Purpose
15 |
16 | The laws of most jurisdictions throughout the world automatically confer
17 | exclusive Copyright and Related Rights (defined below) upon the creator
18 | and subsequent owner(s) (each and all, an "owner") of an original work of
19 | authorship and/or a database (each, a "Work").
20 |
21 | Certain owners wish to permanently relinquish those rights to a Work for
22 | the purpose of contributing to a commons of creative, cultural and
23 | scientific works ("Commons") that the public can reliably and without fear
24 | of later claims of infringement build upon, modify, incorporate in other
25 | works, reuse and redistribute as freely as possible in any form whatsoever
26 | and for any purposes, including without limitation commercial purposes.
27 | These owners may contribute to the Commons to promote the ideal of a free
28 | culture and the further production of creative, cultural and scientific
29 | works, or to gain reputation or greater distribution for their Work in
30 | part through the use and efforts of others.
31 |
32 | For these and/or other purposes and motivations, and without any
33 | expectation of additional consideration or compensation, the person
34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
35 | is an owner of Copyright and Related Rights in the Work, voluntarily
36 | elects to apply CC0 to the Work and publicly distribute the Work under its
37 | terms, with knowledge of his or her Copyright and Related Rights in the
38 | Work and the meaning and intended legal effect of CC0 on those rights.
39 |
40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
41 | protected by copyright and related or neighboring rights ("Copyright and
42 | Related Rights"). Copyright and Related Rights include, but are not
43 | limited to, the following:
44 |
45 | i. the right to reproduce, adapt, distribute, perform, display,
46 | communicate, and translate a Work;
47 | ii. moral rights retained by the original author(s) and/or performer(s);
48 | iii. publicity and privacy rights pertaining to a person's image or
49 | likeness depicted in a Work;
50 | iv. rights protecting against unfair competition in regards to a Work,
51 | subject to the limitations in paragraph 4(a), below;
52 | v. rights protecting the extraction, dissemination, use and reuse of data
53 | in a Work;
54 | vi. database rights (such as those arising under Directive 96/9/EC of the
55 | European Parliament and of the Council of 11 March 1996 on the legal
56 | protection of databases, and under any national implementation
57 | thereof, including any amended or successor version of such
58 | directive); and
59 | vii. other similar, equivalent or corresponding rights throughout the
60 | world based on applicable law or treaty, and any national
61 | implementations thereof.
62 |
63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
65 | irrevocably and unconditionally waives, abandons, and surrenders all of
66 | Affirmer's Copyright and Related Rights and associated claims and causes
67 | of action, whether now known or unknown (including existing as well as
68 | future claims and causes of action), in the Work (i) in all territories
69 | worldwide, (ii) for the maximum duration provided by applicable law or
70 | treaty (including future time extensions), (iii) in any current or future
71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
72 | including without limitation commercial, advertising or promotional
73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
74 | member of the public at large and to the detriment of Affirmer's heirs and
75 | successors, fully intending that such Waiver shall not be subject to
76 | revocation, rescission, cancellation, termination, or any other legal or
77 | equitable action to disrupt the quiet enjoyment of the Work by the public
78 | as contemplated by Affirmer's express Statement of Purpose.
79 |
80 | 3. Public License Fallback. Should any part of the Waiver for any reason
81 | be judged legally invalid or ineffective under applicable law, then the
82 | Waiver shall be preserved to the maximum extent permitted taking into
83 | account Affirmer's express Statement of Purpose. In addition, to the
84 | extent the Waiver is so judged Affirmer hereby grants to each affected
85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
88 | maximum duration provided by applicable law or treaty (including future
89 | time extensions), (iii) in any current or future medium and for any number
90 | of copies, and (iv) for any purpose whatsoever, including without
91 | limitation commercial, advertising or promotional purposes (the
92 | "License"). The License shall be deemed effective as of the date CC0 was
93 | applied by Affirmer to the Work. Should any part of the License for any
94 | reason be judged legally invalid or ineffective under applicable law, such
95 | partial invalidity or ineffectiveness shall not invalidate the remainder
96 | of the License, and in such case Affirmer hereby affirms that he or she
97 | will not (i) exercise any of his or her remaining Copyright and Related
98 | Rights in the Work or (ii) assert any associated claims and causes of
99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 |
102 | 4. Limitations and Disclaimers.
103 |
104 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 | surrendered, licensed or otherwise affected by this document.
106 | b. Affirmer offers the Work as-is and makes no representations or
107 | warranties of any kind concerning the Work, express, implied,
108 | statutory or otherwise, including without limitation warranties of
109 | title, merchantability, fitness for a particular purpose, non
110 | infringement, or the absence of latent or other defects, accuracy, or
111 | the present or absence of errors, whether or not discoverable, all to
112 | the greatest extent permissible under applicable law.
113 | c. Affirmer disclaims responsibility for clearing rights of other persons
114 | that may apply to the Work or any use thereof, including without
115 | limitation any person's Copyright and Related Rights in the Work.
116 | Further, Affirmer disclaims responsibility for obtaining any necessary
117 | consents, permissions or other rights required for any use of the
118 | Work.
119 | d. Affirmer understands and acknowledges that Creative Commons is not a
120 | party to this document and has no duty or obligation with respect to
121 | this CC0 or use of the Work.
122 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CPU security bugs caused by speculative execution
2 |
3 | This repo is an attempt to collect information on the class of information
4 | disclosure vulnerabilities caused by CPU speculative execution that were
5 | disclosed on January 3rd, 2018.
6 |
7 | Existing nomenclature is inconsistent and there is no agreed-upon name for the
8 | entire class of bugs, but the names Spectre and Meltdown have been used for
9 | subclasses of attacks.
10 |
11 | This is a combination of publicly available information and educated guesses/
12 | speculation based on the nature of the attacks. Pull requests with corrections
13 | or discussion are welcome.
14 |
15 | Table of Contents
16 | =================
17 |
18 | * [Common attack characteristics](#common-attack-characteristics)
19 | * [Attacks](#attacks)
20 | * [[MISPREDICT] Branch mis-prediction leaks subsequent data](#mispredict-branch-mis-prediction-leaks-subsequent-data)
21 | * [[BTI] Branch Target Injection](#bti-branch-target-injection)
22 | * [[PRIV-LOAD] Privileged data reads from unprivileged code](#priv-load-privileged-data-reads-from-unprivileged-code)
23 | * [[PRIV-REG] Privileged register reads from unprivileged code](#priv-reg-privileged-register-reads-from-unprivileged-code)
24 | * [Alternate side channels](#alternate-side-channels)
25 | * [Impacted CPU matrix](#impacted-cpu-matrix)
26 | * [PoCs](#pocs)
27 | * [Deployed or in-development mitigations](#deployed-or-in-development-mitigations)
28 | * [[PRIV-LOAD] Linux: KPTI](#priv-load-linux-kpti)
29 | * [[BTI] Linux/GCC/LLVM: retpolines](#bti-linuxgccllvm-retpolines)
30 | * [[BTI] Linux/QEMU: IBRS patches](#bti-linuxqemu-ibrs-patches)
31 | * [[PRIV-LOAD + BTI] Windows: KB4056892 (OS Build 16299.192)](#priv-load-bti-windows-kb4056892-os-build-16299192)
32 | * [CPU Vendor response](#cpu-vendor-response)
33 | * [Software/Service Vendor response](#softwareservice-vendor-response)
34 | * [Future Speculation](#future-speculation)
35 | * [References](#references)
36 |
37 | ## Common attack characteristics
38 |
39 | All of the attacks cause information disclosure from higher-privileged or
40 | isolated same-privilege contexts, leaked via an architectural side channel,
41 | typically the CPU data cache. The basic premise is that CPU speculative
42 | execution is not clean and can persistently alter such microarchitectural state,
43 | even when the speculated instructions are rolled back and should never have run.
44 | Malicious software can trigger these "impossible" instruction sequences and then
45 | observe the result through a side channel, leaking information.
46 |
47 | This is a CPU bug that violates the isolation guarantees of the architecture.
48 | Future CPUs are likely to include partial hardware solutions as well as require
49 | OS cooperation (i.e. an architecture definition change adding requirements to
50 | system software). Pure software- or hardware- based solutions are unlikely to
51 | be comprehensive or have acceptable performance.
52 |
53 | The specific exploits involve various ways of exploiting speculative execution.
54 | Different CPUs from various vendors are affected in different ways, and
55 | software mitigations also vary.
56 |
57 | So far, all exploits rely on exfiltrating data via the data cache. A value is
58 | speculatively obtained, then an indirect load is performed that can bring in
59 | data into the cache from a different address depending on one or more bits of
60 | the value to be leaked.
61 |
62 | ## Attacks
63 |
64 | ### [MISPREDICT] Branch mis-prediction leaks subsequent data
65 |
66 | Google name: **Variant 1: Bounds check bypass**\
67 | Research name: **Spectre**\
68 | CVE: **CVE-2017-5753**
69 |
70 | The CPU mispredicts a branch and speculatively executes code which leaks
71 | sensitive data into a data cache load.
72 |
73 | Sample code:
74 |
75 | ```C
76 | unsigned long untrusted_offset_from_caller = ...;
77 | if (untrusted_offset_from_caller < arr1->length) {
78 |     unsigned char value = arr1->data[untrusted_offset_from_caller];
79 |     unsigned long index2 = ((value&1)*0x100)+0x200;
80 |     if (index2 < arr2->length) {
81 |         unsigned char value2 = arr2->data[index2];
82 |     }
83 | }
84 | ```
85 |
86 | If `untrusted_offset_from_caller` is out of bounds, the CPU may speculatively
87 | read `value` and then cause a cache load from `arr2` that depends on it. The
88 | attacker can then profile loads from `arr2` (directly or by invoking other code)
89 | to determine which cache line was loaded, and thus one bit of `value`.
90 |
91 | The attacker need not necessarily control `arr2` directly. Cache loads can be
92 | detected indirectly, e.g. because they caused some other data to be evicted.
93 | This can potentially work from an entirely different process.
94 |
95 | #### Attack scenarios
96 |
97 | * JITs/interpreters: Easy. Sandbox escape (same-context leak). Shared
98 | memory/threads make it easier.
99 | * Same-CPU cross-process: Medium. Attacker needs to trigger the vulnerable code
100 | in the vulnerable process, then get a signal from the cache directly (e.g. by
101 | timing accesses to memory which has colliding cache tags on the same CPU core
102 | or sharing a level of cache). This includes attacks on the kernel and on
103 | hypervisors.
104 | * Remote/service: Hard. Attacker needs some way of triggering the vulnerable
105 | code, then getting a timing signal back from the relevant cache lines. Probably
106 | not practical in most circumstances.
107 |
108 | #### Mitigations
109 |
110 | A serialization instruction can be inserted between the condition check and the
111 | read from `arr2` in order to force the speculation to be resolved. This may be
112 | microarchitecture-specific in order to make the right guarantees.
113 |
114 | A complete fix without manual involvement (e.g. marking security-critical code)
115 | seems impractical, short of disallowing all speculative memory accesses
116 | entirely. Heuristics such as disallowing speculative memory accesses whose
117 | address depends on previously speculatively fetched data will probably fix most
118 | (but not all) practical cases.
119 |
120 | Compilers may be able to make a better judgement on which code patterns are
121 | likely to be dangerous and insert the appropriate serialization instructions.
122 |
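An added example, not code from this README or from any project it cites: two ways to harden the sample above. One puts a speculation barrier after each bounds check (`LFENCE` on x86, the instruction Intel recommends for this variant); the other goes beyond the text and clamps the index with a branchless mask, so that a mispredicted path can only read inside the array. `struct byte_array`, the function names and the sample arrays are assumptions made for the example, which assumes GCC or Clang.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical array type mirroring arr1/arr2 in the sample above. */
struct byte_array {
    size_t length;
    const unsigned char *data;
};

/* Speculation barrier. On x86 this is LFENCE; on other targets the fallback
 * is only a compiler barrier, a placeholder for the target's own barrier
 * instruction, and does not stop the CPU from speculating. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* All-ones when index < size, zero otherwise, computed without a branch.
 * Assumes size <= INTPTR_MAX and an arithmetic right shift of negative
 * values (true for GCC and Clang). */
static inline size_t index_mask(size_t index, size_t size)
{
    intptr_t v = (intptr_t)(index | (size - 1 - index));
    size_t mask = (size_t)(~v >> (sizeof(intptr_t) * CHAR_BIT - 1));
    /* Hide the value from the optimizer so the mask is not folded away
     * on the path where the bounds check has already succeeded. */
    __asm__("" : "+r"(mask));
    return mask;
}

/* Variant A: a barrier between each bounds check and the dependent load.
 * Returns the byte read from arr2, or -1 if either index is out of bounds. */
int read_with_barrier(const struct byte_array *arr1,
                      const struct byte_array *arr2,
                      size_t untrusted_offset)
{
    if (untrusted_offset >= arr1->length)
        return -1;
    speculation_barrier(); /* loads below wait until the check has resolved */
    unsigned char value = arr1->data[untrusted_offset];

    size_t index2 = ((value & 1) * 0x100) + 0x200;
    if (index2 >= arr2->length)
        return -1;
    speculation_barrier();
    return arr2->data[index2];
}

/* Variant B: no barrier; the index is ANDed with a mask derived from the
 * same comparison, so a mispredicted path reads element 0 instead of
 * out-of-bounds memory. */
int read_with_mask(const struct byte_array *arr1,
                   const struct byte_array *arr2,
                   size_t untrusted_offset)
{
    if (untrusted_offset >= arr1->length)
        return -1;
    size_t safe = untrusted_offset & index_mask(untrusted_offset, arr1->length);
    unsigned char value = arr1->data[safe];

    size_t index2 = ((value & 1) * 0x100) + 0x200;
    if (index2 >= arr2->length)
        return -1;
    index2 &= index_mask(index2, arr2->length);
    return arr2->data[index2];
}

/* Constructed sample data: bit 0 of sample1[i] selects sample2[0x200] or
 * sample2[0x300], as in the README's sample. */
static const unsigned char sample1[4] = { 0x10, 0x11, 0x12, 0x13 };
static const unsigned char sample2[0x400] = { [0x200] = 0xAA, [0x300] = 0xBB };

int main(void)
{
    struct byte_array a1 = { sizeof sample1, sample1 };
    struct byte_array a2 = { sizeof sample2, sample2 };

    printf("barrier, offset 0: %d\n", read_with_barrier(&a1, &a2, 0));
    printf("mask,    offset 1: %d\n", read_with_mask(&a1, &a2, 1));
    printf("barrier, offset 4: %d\n", read_with_barrier(&a1, &a2, 4));
    printf("mask,    offset 4: %d\n", read_with_mask(&a1, &a2, 4));
    return 0;
}
```
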
123 | ### [BTI] Branch Target Injection
124 |
125 | Google name: **Variant 2: Branch target injection**\
126 | Research name: **Spectre**\
127 | CVE: **CVE-2017-5715**
128 |
129 | The CPU indirect branch predictor can be "trained" to mis-predict an indirect
130 | branch into an attacker-controlled destination. This can then leak data via the
131 | cache. Chaining multiple gadgets ending in indirect branches, ROP-style, is
132 | possible.
133 |
134 | This attack requires intimate knowledge of the inner workings of the CPU branch
135 | prediction implementation. This does not mitigate the attack, but does make
136 | exploitation more difficult (and makes cross-platform attacks much harder).
137 |
138 | #### Attack scenarios
139 | * JIT: Tricky, but probably possible with careful instruction massaging?
140 | * Same-CPU cross-process: Possible. Includes attacks on the kernel/hypervisor.
141 | * Remote/server: Not possible.
142 |
143 | #### Mitigations
144 |
145 | Disable indirect branch prediction entirely by using an alternative instruction
146 | sequence. This is microarchitecture-specific. Requires recompiling all code with
147 | this sequence.
148 |
149 | Flush branch predictor state on privilege level changes and context switches.
150 | Causes some performance loss (how much?). Current CPUs do not implement a
151 | mechanism to do this. Hyperthreading makes things more complicated, as two
152 | threads of different privilege level or isolation may be running on the same CPU
153 | and sharing the branch prediction resources. Complete fix may require disabling
154 | hyperthreading or introducing OS scheduler changes to ensure that sibling
155 | threads are always owned by the same application/user/security context.
156 |
157 | Ideally future CPUs would guarantee that hyperthreads have independent branch
158 | prediction resources to avoid sharing state, and/or would have efficient methods
159 | of isolating branch prediction state (e.g. tagging prediction entries with a
160 | process/protection key).
161 |
162 | ### [PRIV-LOAD] Privileged data reads from unprivileged code
163 |
164 | Google name: **Variant 3: Rogue data cache load**\
165 | Research name: **Meltdown**\
166 | CVE: **CVE-2017-5754**
167 |
168 | Some CPUs will perform speculative memory reads from memory that the current
169 | context does not have access to read. While these accesses will ultimately fail,
170 | their result can be used in further speculation and thus leak. This chiefly
171 | allows userspace to read kernel (and thus physical) memory.
172 |
173 | #### Attack scenarios
174 |
175 | * JIT: Possible. Combined with [MISPREDICT], can read arbitrary kernel memory.
176 | * Same-CPU cross-privilege: Easy. Combine with [MISPREDICT] to avoid
177 | actual page faults (not required).
178 | * Remote/service: Same as [MISPREDICT] on affected systems. Probably not
179 | practical.
180 |
181 | This is by far the worst attack on affected systems, as it allows physical
182 | memory reads from JavaScript on major browsers.
183 |
184 | #### Mitigations
185 |
186 | Do not map privileged address space into unprivileged contexts at all. On
187 | systems without a functional mechanism to do this without TLB flushing (e.g.
188 | PCID) that actually prevents the speculative load, this will incur a significant
189 | performance penalty.
190 |
191 | ### [PRIV-REG] Privileged register reads from unprivileged code
192 |
193 | ARM name: **Variant 3a**
194 |
195 | A variant of [PRIV-LOAD], where instead of memory, a privileged system register
196 | is being read.
197 |
198 | #### Attack scenarios
199 |
200 | * JIT: Not possible.
201 | * Same-CPU cross-privilege: Easy, but limited impact.
202 | * Remote/service: Not possible.
203 |
204 | ### Alternate side channels
205 |
206 | The above examples use a data-dependent load to leak information from the
207 | speculatively executed instructions via the local cache. However, this is not
208 | the only possible side channel. Other examples could be data-dependent loads
209 | where what is measured instead is system memory bandwidth impact or the effects
210 | on other cores (e.g. data cached on one core is accessed on another core),
211 | the effects on execution units that can be measured via timing or from another
212 | thread (e.g. conditional execution of an instruction that issues to a given
213 | functional unit), the timing of variable-cycle-count instructions and their
214 | effect on functional unit occupation (e.g. DIV), and probably others. This
215 | is orthogonal to the three attacks described above, and any such technique
216 | could be applied to any given attack.
217 |
218 | ## Impacted CPU matrix
219 |
220 | ### Intel
221 |
222 | | CPU/µArch       | MISPREDICT      | BTI            | PRIV-LOAD           | PRIV-REG |
223 | | --------------- | --------------- | -------------- | ------------------- | -------- |
224 | | i486            | N               | N              | N                   | N        |
225 | | Nehalem         | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
226 | | Westmere        | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
227 | | Sandy Bridge    | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
228 | | Ivy Bridge      | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
229 | | Haswell         | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
230 | | Broadwell       | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
231 | | Skylake         | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
232 | | Kaby Lake       | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
233 | | Coffee Lake     | Y<sup>3</sup>   | Y[1](#intel-1) | **Y**<sup>2</sup>   |          |
234 | | Knights Landing | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
235 | | Knights Mill    | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
236 | | Avoton          | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
237 | | Rangeley        | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
238 | | Apollo Lake     | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
239 | | Denverton       | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
240 | | SoFIA           | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
241 | | Lincroft        | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
242 | | Cloverview      | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
243 | | Bay Trail       | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
244 | | Tunnel Creek    | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
245 | | Stellarton      | Y?<sup>4</sup>  | Y[1](#intel-1) | Y?<sup>4</sup>      |          |
246 |
247 | 2: [Meltdown paper](https://meltdownattack.com/meltdown.pdf) confirms
248 | [PRIV-LOAD] on Ivy Bridge, Haswell, Skylake. Sibling microarchitectures presumed
249 | vulnerable too.\
250 | 3: [Spectre paper](https://meltdownattack.com/spectre.pdf) confirms
251 | [MISPREDICT],[BTI] on Ivy Bridge, Haswell, Skylake. Sibling microarchitectures
252 | presumed vulnerable too.\
253 | 4: Presumed affected since the issues appear to be pervasive to Intel CPUs and
254 | no counterexamples are known yet.
255 |
256 | ### AMD
257 |
258 | | CPU/µArch | MISPREDICT | BTI | PRIV-LOAD | PRIV-REG |
259 | | ------------------------------ | ----------------------- | ------------------------ | ----------------------- | -------- |
260 | | Zen (17h) | Y[1](#amd-1) | Y[1](#amd-1) | N[1](#amd-1) | |
261 |
262 | ### ARM
263 |
264 | See [ARM Vendor Response](#arm-1) for source.
265 |
266 | | CPU/µArch | MISPREDICT | BTI | PRIV-LOAD | PRIV-REG |
267 | | ------------------------------ | ---------- | ----- | --------- | -------- |
268 | | Cortex-R7 | Y | Y | N | N |
269 | | Cortex-R8 | Y | Y | N | N |
270 | | Cortex-A8 (under review) | Y | Y | N | N |
271 | | Cortex-A9 | Y | Y | N | N |
272 | | Cortex-A15 (under review) | Y | Y | N | Y |
273 | | Cortex-A17 | Y | Y | N | N |
274 | | Cortex-A57 | Y | Y | N | Y |
275 | | Cortex-A72 | Y | Y | N | Y |
276 | | Cortex-A73 | Y | Y | N | N |
277 | | Cortex-A75 | Y | Y | **Y** | N |
278 | | All others | N | N | N | N |
279 |
280 | ### IBM
281 |
282 | Red Hat [says](https://access.redhat.com/security/vulnerabilities/speculativeexecution)
283 | System Z, POWER8, POWER9 are affected.
284 |
285 | IBM says firmware patches will be available January 9 for POWER7 and up: https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
286 |
287 | ### Apple
288 |
289 | No info.
290 |
291 | ### Nvidia
292 |
293 | No info (CPUs). GPUs not affected.
294 |
295 | ### Qualcomm
296 |
297 | No info.
298 |
299 | ### Marvell
300 |
301 | No info.
302 |
303 | ### Cavium
304 |
305 | No info.
306 |
307 | ### Samsung
308 |
309 | No info.
310 |
311 | ## PoCs
312 |
313 | ### [MISPREDICT] Google Project Zero: basic same-process PoC
314 |
315 | Platforms:
316 | * Intel Haswell Xeon
317 | * AMD FX CPU
318 | * AMD PRO CPU
319 | * ARM Cortex A57
320 |
321 | Not an actual attack against real software, just a [PoC](https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6) with synthetic code.
322 |
323 | ### [MISPREDICT] Google Project Zero: arbitrary kernel reads with eBPF JIT
324 |
325 | Platforms:
326 | * Intel Haswell Xeon CPU
327 | * AMD PRO CPU
328 |
329 | A process running with normal user privileges under a modern Linux kernel with a
330 | distro-standard config can perform arbitrary reads in a 4GiB range in kernel
331 | virtual memory.
332 |
333 | This is an interpreter/JIT attack in the kernel. On Haswell, it works in both
334 | JIT and interpreter mode, as the speculation seems to be deep enough to reach
335 | even in interpreter mode. On AMD, JIT is required.
336 |
337 | Mitigation: AMD: disable eBPF JIT (`net.core.bpf_jit_enable` sysctl). Intel:
338 | disable BPF entirely?
339 |
340 | ### [BTI] Google Project Zero: HV guest root process can read host physical memory
341 |
342 | Platforms:
343 | * Intel Haswell Xeon CPU
344 |
345 | A process running with root privileges inside a KVM guest created using
346 | virt-manager, with a specific (now outdated) version of Debian's distro kernel
347 | running on the host, can read host kernel memory at a rate of around 1500
348 | bytes/second, with room for optimization.
349 |
350 | Mitigation: None yet. Kernel/compiler patches in the works.
351 |
352 | ### [PRIV-LOAD] Google Project Zero: Partial kernel memory read from userspace
353 |
354 | Platforms:
355 | * Intel Haswell Xeon CPU
356 |
357 | A process running with normal user privileges can read kernel memory under some
358 | precondition, presumed to be that the targeted kernel memory is present in the
359 | L1D cache.
360 |
361 | Mitigation: KPTI.
362 |
363 | ## Deployed or in-development mitigations
364 |
365 | ### [PRIV-LOAD] Linux: KPTI
366 |
367 | Linux kernel page-table isolation. Shipped in Linux 4.14.11 and will ship in
368 | 4.15. 4.14.11 version is rough around the edges; future versions should fix
369 | further issues.
370 |
371 | ### [BTI] Linux/GCC/LLVM: retpolines
372 |
373 | * [Retpoline: a software construct for preventing branch-target-injection](https://support.google.com/faqs/answer/7625886)
374 | * [LLVM patch](https://reviews.llvm.org/D41723)
375 | * [GCC tree](http://git.infradead.org/users/dwmw2/gcc-retpoline.git/shortlog/refs/heads/gcc-7_2_0-retpoline-20171219)
376 |
377 | Still in development.
378 |
379 | Kernel assembly mitigation + compiler mitigation (both for kernel and userspace)
380 | that uses a different code sequence (using the `ret` instruction) to avoid
381 | the indirect branch predictor on Intel CPUs. Instead, retpolines set up a fake
382 | return address prediction (using the return address stack, which is specific to
383 | `call`/`ret`) that leads to an infinite loop, thus poisoning speculative
384 | execution.
385 |
386 | This incurs some small performance impact for every indirect branch. Requires
387 | recompiling all affected software (not just the kernel, but all of userspace)
388 | for full mitigation.
389 |
390 | This is microarchitecture-specific and thus not necessarily applicable to all
391 | CPUs. Kernel implementation will likely enable it only when a vulnerable CPU is
392 | detected. In fact, it's insufficient on Skylake and newer CPUs, where even `ret`
393 | may predict from the indirect branch predictor as a fallback; those need IBRS.
394 |
395 | ### [BTI] Linux/QEMU: IBRS patches
396 |
397 | * [Patchset](https://lkml.org/lkml/2018/1/4/615) (under review).
398 |
399 | Support for Intel's architectural mitigation in lieu of retpolines. Required
400 | on Skylake and newer, where even retpolines may be vulnerable. Requires
401 | microcode update on current CPUs. Perf hit vs. retpolines on older CPUs. Future
402 | CPUs will have "cheap" support. This doesn't require userspace mitigation, as
403 | long as "full" mode is enabled (IBRS active in userspace too, non-default
404 | config).
405 |
406 | Support to pass through this feature to guest OSes is required for this to work
407 | inside VMs:
408 |
409 | * [QEMU and the Spectre and Meltdown attacks](https://www.qemu.org/2018/01/04/spectre/)
410 | * [QEMU mailing list discussion](https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html)
411 |
412 | ### [PRIV-LOAD + BTI] Windows: KB4056892 (OS Build 16299.192)
413 |
414 | Out-of-band update. Presumably does roughly the same thing as KPTI. Also [contains IBRS support](https://twitter.com/aionescu/status/948818841747955713).
415 |
416 | Some AV software is incompatible (probably due to evil kernel hooks). AV users
417 | require this registry key to be set for the fix to be enabled:
418 |
419 | ```
420 | Key="HKEY_LOCAL_MACHINE"
421 | Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
422 | Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
423 | Type="REG_DWORD"
424 | Data="0x00000000"
425 | ```
426 |
427 | A PowerShell command has been [detailed](https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution) (installable via `Install-Module SpeculationControl`) called `Get-SpeculationControlSettings` which shows the status of both mitigations.
428 |
429 | Microsoft notes that, at this time, server operating systems must explicitly enable the mitigations.
430 |
431 | ## CPU Vendor response
432 |
433 | ### Intel
434 |
435 | * [Intel responds to security research findings](https://newsroom.intel.com/news/intel-responds-to-security-research-findings/)
436 |
437 | PR fluff. No real content. Tries to deflect blame. No useful technical
438 | information.
439 |
440 | * [Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr)
441 |
442 | Security advisory. Applies to [BTI]. Contains list of CPU marketing names
443 | affected.
444 |
445 | * [Intel Issues Updates to Protect Systems from Security Exploits](https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/)
446 | * [Intel Analysis of Speculative Execution Side Channels](https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf)
447 |
448 | For [MISPREDICT], recommends an `LFENCE` barrier.
449 |
450 | For [BTI], Intel is introducing new interfaces to the CPU through microcode:
451 |
452 | * `IBRS`: Indirect Branch Restricted Speculation: Marketing-speak for "we
453 | flipped a chicken bit", presumably.
454 | * `STIBP`: Single Thread Indirect Branch Predictors isolates branch prediction
455 | state between two hyperthreads.
456 | * `IBPB`: Indirect Branch Predictor Barrier instruction prevents leakage of
457 | indirect branch predictor state across contexts (for use on context/privilege
458 | switches).
459 |
460 | Alternatively, Intel is recommending retpolines for [BTI], especially on current
461 | processors where that may be faster than the microcode patches for `IBPB`.
462 | Retpolines also require a microcode patch on Broadwell and newer CPUs,
463 | presumably because on those even `ret` ends up being predicted in an exploitable
464 | way.
465 |
466 | For [PRIV-LOAD], Intel recommends KPTI. Processors supporting PCID have reduced
467 | performance impact. Future CPUs will have a hardware fix.
468 |
469 | TODO: further info on microcode updates released.
470 |
471 | ### AMD
472 |
473 | * [AMD Update on Processor Security](https://www.amd.com/en/corporate/speculative-execution)
474 |
475 | Claims "near zero" risk for [BTI] but offers no proof. This suggests reliance
476 | on obscurity (AMD's branch predictor has not yet been reverse engineered).
477 | Assume vulnerable unless proven otherwise.
478 |
479 | AMD CPUs are affected by [MISPREDICT] and not affected by [PRIV-LOAD].
480 |
481 | TODO: [Gentoo bug 643476](https://bugs.gentoo.org/643476) claims microcode
482 | update to disable branch prediction (entirely?) on family 17h (Zen) is
483 | available ([SUSE notice](https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html)).
484 | Performance impact unknown.
485 |
486 | ### ARM
487 |
488 | * [ARM Processor Security Update](https://developer.arm.com/support/security-update)
489 |
490 | Comprehensive list of affected ARM CPUs.
491 |
492 | For [MISPREDICT], ARM recommends using a newly defined barrier `CSDB` together
493 | with a conditional move to guard the loaded value with the preceding condition.
494 |
495 | For [BTI] there is no architectural solution, but specific implementations may
496 | have branch prediction control features that may allow for mitigation.
497 |
498 | For [PRIV-LOAD], there is an AArch64 implementation of KPTI which uses ASID to
499 | isolate the two address spaces, avoiding TLB maintenance overhead.
500 |
501 | For [PRIV-REG] the impact is small (KASLR bypass), but can be mitigated by
502 | having the kernel use dummy values or a different virtual base for registers
503 | that might hold virtual kernel addresses while in usermode (e.g. ensure
504 | `VBAR_EL1` doesn't leak the true main kernel base).
505 |
506 | ### IBM
507 |
508 | No response.
509 |
510 | ### Nvidia
511 |
512 | * [NVIDIA's response to speculative side channels](http://nvidia.custhelp.com/app/answers/detail/a_id/4609)
513 |
514 | GPUs not affected. SoC info and mitigations work in progress. Pending further
515 | info.
516 |
517 | ### Apple
518 |
519 | No response on the CPU side of things for Apple's custom ARM cores.
520 |
521 | ## Software/Service Vendor response
522 |
523 | ### Google Chrome
524 |
525 | * [Actions Required to Mitigate Speculative Side-Channel Attack Techniques](https://www.chromium.org/Home/chromium-security/ssca)
526 |
527 | Enable Site Isolation in `chrome://flags` to prevent cross-origin exploitation
528 | of same-process vulns (e.g. JIT).
529 |
530 | Starting with Chrome 64, the V8 JS engine will have additional mitigations
531 | (which?). Also `SharedArrayBuffer` is being disabled. This makes the attacks
532 | harder (but is not a perfect fix).
533 |
534 | ### Mozilla Firefox
535 |
536 | * [Mitigations landing for new class of timing attack](https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/)
537 |
538 | Removing `SharedArrayBuffer` and reducing resolution of `performance.now()` to
539 | 20µs. This makes the attacks harder (but is not a perfect fix).
540 |
541 | Starting with Firefox 57.0.4, [both techniques are enabled](https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/).
542 |
543 | ### Microsoft Edge / IE
544 |
545 | * [Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer](https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/)
546 |
547 | Removing `SharedArrayBuffer` and reducing resolution of `performance.now()` to
548 | 20µs plus random jitter. This makes the attacks harder (but is not a perfect
549 | fix).
550 |
551 | ### Google (all products)
552 |
553 | * [Google’s Mitigations Against CPU Speculative Execution Attack Methods](https://support.google.com/faqs/answer/7622138)
554 |
555 | Summary:
556 |
557 | * Android: 2018-01-05 Security Patch Level mitigates by restricting high
558 | precision timers. KPTI not included yet.
559 | * Chrome OS: Version 63 includes KPTI on Intel machines with kernel 3.18/4.4.
560 | * Cloud: Infrastructure has been hitlessly patched. Guest instances for
561 | Cloud Dataflow/Cloud Datalab/Cloud Dataproc/Cloud Launcher/Cloud Machine
562 | Learning Engine/Compute Engine/Kubernetes Engine need to be updated/restarted
563 | with fixes.
564 |
565 | ### Amazon AWS
566 |
567 | * [Processor Speculative Execution Research Disclosure](https://aws.amazon.com/security/security-bulletins/AWS-2018-013/)
568 |
569 | Amazon scheduled maintenance reboots to update their infrastructure. Customers
570 | must patch guest OSes/kernels.
571 |
572 | ### Microsoft Azure
573 |
574 | * [Securing Azure customers from CPU vulnerability](https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/)
575 |
576 | MS scheduled maintenance reboots to update their infrastructure. They claim the
577 | vulnerability is mitigated at the hypervisor level and does not need guest
578 | updates, but that is almost certainly BS, since these vulnerabilities affect
579 | both inter-guest security (mitigated at HV) and intra-guest security (mitigated
580 | at guest). Users should still update their guest OSes to ensure they are
581 | protected.
582 |
583 | ### Apple
584 |
585 | * [About speculative execution vulnerabilities in ARM-based and Intel CPUs](https://support.apple.com/en-us/HT208394)
586 |
587 | Mitigations for [PRIV-READ] shipped in iOS 11.2, macOS 10.13.2, and tvOS 11.2.
588 | watchOS is not impacted. Claims no performance impact.
589 |
590 | Safari mitigations incoming for [BTI] and [MISPREDICT]. <2.5% perf impact.
591 |
592 | ### Red Hat
593 |
594 | * [Advisory](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and mitigations for CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715 released. Expected [performance impact analysis](https://access.redhat.com/articles/3307751) on different scenarios released, based on Red Hat's own testing.
595 | * [Advisory](https://access.redhat.com/articles/3311301) about controlling the performance impact of the mitigations. Can be disabled on boot with "noibrs noibpb nopti" kernel options, or at runtime (see below).
596 | ```
597 | echo 0 > /sys/kernel/debug/x86/pti_enabled
598 | echo 0 > /sys/kernel/debug/x86/ibpb_enabled
599 | echo 0 > /sys/kernel/debug/x86/ibrs_enabled
600 | ```
601 |
602 | ### Ubuntu
603 |
604 | Preliminary [Advisory](https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown) published with no mitigations/patches released so far for Ubuntu Linux.
605 |
606 | ### VMware
607 |
608 | * [Advisory](https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html) and patches for ESXi 5.5, 6.0 and 6.5 released. Patch for ESXi 5.5 lacks mitigation for CVE-2017-5753.
609 | * [Advisory](https://kb.vmware.com/s/article/52264) about affected VMware virtual appliances and their impact status.
610 |
611 | ### Xen
612 |
613 | * [Xen Project Spectre/Meltdown FAQ](https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/)
614 | * [XSA-254](http://xenbits.xen.org/xsa/advisory-254.html)
615 |
616 | 64-bit PV mode VMs can attack Xen with [PRIV-READ], but are immune to userspace
617 | attacks. Other VM modes are the opposite: the guest kernel is vulnerable to
618 | userspace attacks, but cannot attack Xen.
619 |
620 | ### Cisco
621 |
622 | * [Advisory](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel) available with list of products currently under investigation, affected products and potential fix availability (current expected date 18-Feb-2018). Relevant for the Cisco UCS server product range, which requires a microcode update to resolve the issue.
623 |
624 | ### Scaleway
625 |
626 | * [Advisory](https://www.scaleway.com/meltdown-spectre-status/) available with list of products currently under investigation, affected products and mitigated products. Shows all supported distros as well as all Scaleway services and online.net products.
627 |
628 | ## Future Speculation
629 |
630 | [BTI], [PRIV-READ], and [PRIV-REG] are CPU implementation bugs that are easily
631 | fixable in newer silicon (with some OS support for [BTI]). [MISPREDICT] is,
632 | however, inherent in how modern speculation works, and may change how we have to
633 | think about writing secure code in the future, much like how we think about
634 | memory races and atomicity in multithreaded code today. In the future, I expect
635 | we'll end up seeing speculation guard compiler intrinsics and teaching people to
636 | use them.
637 |
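The guard that the ARM section describes for [MISPREDICT], and the kind of speculation guard anticipated above, as an added example that is not part of the original README: a bounds-checked table load beside a version that clamps the index with a branchless mask (a portable masking variant of the conditional-move idea), followed by `CSDB` on AArch64. The names `table`, `index_mask`, `speculation_barrier` and both `lookup_*` functions are hypothetical, and the table contents are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16u
/* Constructed sample data standing in for an array indexed by untrusted input. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Unguarded: architecturally correct, but while the branch is mispredicted
 * the load may run speculatively with idx >= TABLE_LEN. */
uint8_t lookup_unguarded(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* SIZE_MAX when idx < len, 0 otherwise, using arithmetic only so the result
 * depends on the data rather than on a predicted branch. Requires
 * len <= SIZE_MAX / 2. Assumption: the compiler does not turn this back
 * into a branch; production code pins the sequence with inline asm. */
static inline size_t index_mask(size_t idx, size_t len)
{
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1;
}

/* On AArch64, CSDB (encoded as HINT #20) keeps later instructions from
 * consuming a speculatively computed mask; elsewhere only a compiler barrier. */
static inline void speculation_barrier(void)
{
#if defined(__aarch64__)
    __asm__ volatile("hint #20" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Guarded: even on a mispredicted path the index is forced to 0, so the
 * load cannot reach memory outside the table. */
uint8_t lookup_guarded(size_t idx)
{
    if (idx < TABLE_LEN) {
        size_t safe = idx & index_mask(idx, TABLE_LEN);
        speculation_barrier();
        return table[safe];
    }
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in which addresses a mispredicted path can touch, so inspect the generated assembly to confirm that no branch was reintroduced in `index_mask`.
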
638 | ## References
639 |
640 | * [Google Project Zero blog post](https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html)
641 | * [Meltdown paper](https://meltdownattack.com/meltdown.pdf)
642 | * [Spectre paper](https://spectreattack.com/spectre.pdf)
643 | * [LWN summary of the vulnerabilities](https://lwn.net/SubscriberLink/742702/e23889188fce9f7f/)
644 | * [LWN collection of Meltdown/Spectre posting](https://lwn.net/Articles/742999/)
645 | * [ARM Processor Security Update](https://developer.arm.com/support/security-update)
646 | * [ARM Cache-speculation Side-channels whitepaper](https://developer.arm.com/-/media/Files/pdf/Cache_Speculation_Side-channels.pdf?revision=966364ce-10aa-4580-8431-7e4ed42fb90b&la=en)
647 | * [AMD Update on Processor Security](https://www.amd.com/en/corporate/speculative-execution)
648 | * [Intel responds to security research findings](https://newsroom.intel.com/news/intel-responds-to-security-research-findings/)
649 | * [Intel: Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr)
650 | * [Intel Issues Updates to Protect Systems from Security Exploits](https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/)
651 | * [Intel Analysis of Speculative Execution Side Channels](https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf)
652 | * [Windows 10 KB4056892](https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892)
653 | * [Chrome: Actions Required to Mitigate Speculative Side-Channel Attack Techniques](https://www.chromium.org/Home/chromium-security/ssca)
654 | * [Chrome: Mitigation with Site Isolation](http://www.chromium.org/Home/chromium-security/site-isolation)
655 | * [Mozilla: Mitigations landing for new class of timing attack](https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/)
656 | * [MS Edge/IE: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer](https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/)
657 | * [Google’s Mitigations Against CPU Speculative Execution Attack Methods](https://support.google.com/faqs/answer/7622138)
658 | * [AWS: Processor Speculative Execution Research Disclosure](https://aws.amazon.com/security/security-bulletins/AWS-2018-013/)
659 | * [Securing Azure customers from CPU vulnerability](https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/)
660 | * [About speculative execution vulnerabilities in ARM-based and Intel CPUs](https://support.apple.com/en-us/HT208394)
661 | * [Retpoline: a software construct for preventing branch-target-injection](https://support.google.com/faqs/answer/7625886)
662 | * [VMSA-2018-0002: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution](https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html)
663 | * [VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)](https://kb.vmware.com/s/article/52264)
664 | * [Red Hat: Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715](https://access.redhat.com/security/vulnerabilities/speculativeexecution)
665 | * [Ubuntu: Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)](https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown)
666 | * [Cisco: CPU Side-Channel Information Disclosure Vulnerabilities](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel)
667 | * [QEMU and the Spectre and Meltdown attacks](https://www.qemu.org/2018/01/04/spectre/)
668 | * [Scaleway Spectre and Meltdown status page](https://www.scaleway.com/meltdown-spectre-status/)
669 |
--------------------------------------------------------------------------------