Speculative Store Bypass

Speculative Store Bypass (SSB) (CVE-2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities.[1] It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ).[2] After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG,[3][4][5][6] it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".[7][1]

Details

Speculative execution exploit Variant 4,[8] is referred to as Speculative Store Bypass (SSB),[1][9] and has been assigned CVE-2018-3639.[7] SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities.[7]

Steps involved in exploit:[1]

  1. "Slowly" store a value at a memory location
  2. "Quickly" load that value from that memory location
  3. Utilize the value that was just read to disrupt the cache in a detectable way

Impact and mitigation

Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.[11]

Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD).[7][2][12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks".[7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;[13][2][14] however, microcode/firmware updates are required for the software updates to have an effect.[13]

Speculative execution exploit variants

Summary of speculative execution variants[15][7][16][17]
VulnerabilityCVEExploit namePublic vulnerability nameCVSS v2.0CVSS v3.0
Spectre2017-5753Variant 1Bounds Check Bypass (BCB)4.75.6
Spectre2017-5715Variant 2Branch Target Injection (BTI)4.75.6
Meltdown2017-5754Variant 3Rogue Data Cache Load (RDCL)4.75.6
Spectre-NG2018-3640Variant 3aRogue System Register Read (RSRR[18])4.75.6
Spectre-NG2018-3639Variant 4Speculative Store Bypass (SSB)4.95.5
Spectre-NG2018-3665Lazy FP State Restore4.75.6
Spectre-NG2018-3693Bounds Check Bypass Store (BCBS)4.75.6
Foreshadow2018-3615Variant 5L1 Terminal Fault (L1TF)5.46.4
Foreshadow-NG2018-36204.75.6
Foreshadow-NG2018-36464.75.6

References

  1. Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
  2. Ubuntu Community (2018-05-21). "Variant4". Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  3. Schmidt, Jürgen (2018-05-03). "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-03. Schmidt, Jürgen (2018-05-03). "Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik. Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
  4. Fischer, Martin (2018-05-03). "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
  5. Tung, Liam (2018-05-04). "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". ZDNet. Archived from the original on 2018-05-22. Retrieved 2018-03-04.
  6. Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.
  7. "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  8. Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
  9. Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
  10. Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
  11. "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.
  12. "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.
  13. "Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639". RedHat. 2018-05-21. Resolve tab. Archived from the original on 2018-05-22. Retrieved 2018-05-22.
  14. Miller, Matt. "Analysis and mitigation of speculative store bypass (CVE-2018-3639)". Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
  15. "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
  16. Windeck, Christof (2018-05-21). "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update". Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.
  17. https://nvd.nist.gov/vuln/detail/CVE-2017-5753#
  18. Sometimes misspelled "RSRE"

See also

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.