Difference between revisions of "Speculative Execution Vulnerabilities of 2018"
(moving sections to be ordered by CVE) |
(adding distinctions from official CVE entry) |
||
Line 4: | Line 4: | ||
! CVE | ! CVE | ||
! Group | ! Group | ||
− | ! | + | ! GPZ name<ref>[https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html Reading privileged memory with a side-channel]. Google Project Zero blog</ref> |
+ | ! Description | ||
|- | |- | ||
| CVE-2017-5715 | | CVE-2017-5715 | ||
| Spectre | | Spectre | ||
− | | Variant 2: branch | + | | Variant 2 |
+ | | ''indirect'' branch prediction with side-channel analysis<ref>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 CVE-2017-5715]. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."</ref> | ||
|- | |- | ||
| CVE-2017-5753 | | CVE-2017-5753 | ||
| Spectre | | Spectre | ||
− | | Variant 1: | + | | Variant 1 |
+ | | branch prediction with side-channel analysis<ref>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 CVE-2017-5753]. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."</ref> | ||
|- | |- | ||
| CVE-2017-5754 | | CVE-2017-5754 | ||
| Meltdown | | Meltdown | ||
− | | Variant 3: | + | | Variant 3 |
+ | | ''indirect'' branch prediction with side-channel analysis ''of data cache''<ref>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache."</ref> | ||
|} | |} | ||
At this time we know that [[POWER9|POWER9]], [[POWER8|POWER8]], [[POWER8E|POWER8E]], POWER7+, POWER6, and certain PowerPC architectures are affected by at least some of these vulnerabilities. <ref>IBM PSIRT Blog post, [https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ Potential Impact on Processors in the POWER family]</ref><ref>TenFourFox Development blog post, [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Actual field testing of Spectre on various Power Macs]</ref><ref>Raptor Engineering GNU Social [https://social.raptorengineering.io/conversation/731 notices about POWER8 and POWER9 vulnerability]</ref><ref>Red Hat security page for [https://access.redhat.com/security/vulnerabilities/speculativeexecution Kernel Side-Channel Attacks]</ref> | At this time we know that [[POWER9|POWER9]], [[POWER8|POWER8]], [[POWER8E|POWER8E]], POWER7+, POWER6, and certain PowerPC architectures are affected by at least some of these vulnerabilities. <ref>IBM PSIRT Blog post, [https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ Potential Impact on Processors in the POWER family]</ref><ref>TenFourFox Development blog post, [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Actual field testing of Spectre on various Power Macs]</ref><ref>Raptor Engineering GNU Social [https://social.raptorengineering.io/conversation/731 notices about POWER8 and POWER9 vulnerability]</ref><ref>Red Hat security page for [https://access.redhat.com/security/vulnerabilities/speculativeexecution Kernel Side-Channel Attacks]</ref> | ||
− | == CVE-2017-5715 (Spectre | + | == CVE-2017-5715 (Spectre) == |
+ | |||
+ | According to the official CVE list, this may affect processors using "speculative execution and ''indirect'' branch prediction". Google's Project Zero calls this ''Variant 2: branch target injection''. | ||
=== POWER9 === | === POWER9 === | ||
Line 27: | Line 33: | ||
Hardware fixes are in place for [[POWER9]] Nimbus DD2.2 / Cumulus DD1.1 and above <ref name="hostboot-commit-fcf7d0e3" />. With these hardware changes, Spectre variant 2 is believed to be mitigated on the production POWER9 devices. | Hardware fixes are in place for [[POWER9]] Nimbus DD2.2 / Cumulus DD1.1 and above <ref name="hostboot-commit-fcf7d0e3" />. With these hardware changes, Spectre variant 2 is believed to be mitigated on the production POWER9 devices. | ||
− | == CVE-2017-5753 (Spectre | + | == CVE-2017-5753 (Spectre) == |
+ | |||
+ | According to the official CVE list, this may affect processors using "speculative execution and branch prediction". Google's Project Zero calls this ''Variant 1: bounds check bypass''. | ||
=== POWER9 === | === POWER9 === | ||
Line 34: | Line 42: | ||
== CVE-2017-5754 (Meltdown) == | == CVE-2017-5754 (Meltdown) == | ||
+ | |||
+ | According to the official CVE list, this may affect processors using "speculative execution and ''indirect'' branch prediction", but specifically uses a data cache side channel. Google's Project Zero calls this '' Variant 3: rogue data cache load''. | ||
=== Common Mitigations === | === Common Mitigations === |
Revision as of 13:32, 24 February 2018
In January of 2018, news of three speculative execution vulnerabilities was made public. Information about these vulnerabilities had been disclosed in private to certain companies and projects in June of 2016.
CVE | Group | GPZ name[1] | Description |
---|---|---|---|
CVE-2017-5715 | Spectre | Variant 2 | indirect branch prediction with side-channel analysis[2] |
CVE-2017-5753 | Spectre | Variant 1 | branch prediction with side-channel analysis[3] |
CVE-2017-5754 | Meltdown | Variant 3 | indirect branch prediction with side-channel analysis of data cache[4] |
At this time we know that POWER9, POWER8, POWER8E, POWER7+, POWER6, and certain PowerPC architectures are affected by at least some of these vulnerabilities. [5][6][7][8]
Contents
CVE-2017-5715 (Spectre)
According to the official CVE list, this may affect processors using "speculative execution and indirect branch prediction". Google's Project Zero calls this Variant 2: branch target injection.
POWER9
Hardware fixes are in place for POWER9 Nimbus DD2.2 / Cumulus DD1.1 and above [9]. With these hardware changes, Spectre variant 2 is believed to be mitigated on the production POWER9 devices.
CVE-2017-5753 (Spectre)
According to the official CVE list, this may affect processors using "speculative execution and branch prediction". Google's Project Zero calls this Variant 1: bounds check bypass.
POWER9
Hardware fixes are in place for POWER9 Nimbus DD2.2 / Cumulus DD1.1 and above [9]. With these hardware changes, cross-process attacks via Spectre variant 1 are believed to be fully mitigated on the production POWER9 devices.
CVE-2017-5754 (Meltdown)
According to the official CVE list, this may affect processors using "speculative execution and indirect branch prediction", but specifically uses a data cache side channel. Google's Project Zero calls this Variant 3: rogue data cache load.
Common Mitigations
POWER7, POWER8, and POWER9 are patched from CVE-2017-5754 by purging the L1 cache when context switching to a less privileged process, as the vulnerability on these architectures affects L1 but not L2 cache.[10] Firmware updates are also required to enable workarounds at the hardware level.[11] [12].
POWER9
Hardware fixes are also in place for POWER9 Nimbus DD2.2 / Cumulus DD1.1 and above [9]. In conjunction with the above kernel patch, Meltdown is fully mitigated on the production POWER9 devices.
Official statement from Raptor Computing Systems regarding Talos™ II
POWER9 will not ship with vulnerability to Meltdown or any loss in performance compared with the current prototype chips (DD2.1). Further, Spectre is fully mitigated with the exception of the same-process issue that is affecting the entire CPU industry. As far as we are aware there will be no further mitigation from any major CPU vendor now or in the future, as the remaining Spectre issue has been deemed an application level programming issue versus a CPU design issue. Patches for GCC to help fix the affected applications are already rolling out.
External Links
References
- ↑ Reading privileged memory with a side-channel. Google Project Zero blog
- ↑ CVE-2017-5715. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."
- ↑ CVE-2017-5753. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."
- ↑ CVE-2017-5754. Mitre CVE List. "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache."
- ↑ IBM PSIRT Blog post, Potential Impact on Processors in the POWER family
- ↑ TenFourFox Development blog post, Actual field testing of Spectre on various Power Macs
- ↑ Raptor Engineering GNU Social notices about POWER8 and POWER9 vulnerability
- ↑ Red Hat security page for Kernel Side-Channel Attacks
- ↑ 9.0 9.1 9.2 Hostboot commit message listing security changes for NDD2.2 / CDD1.1
- ↑ Larabel, Michael. PowerPC Memory Protection Keys In For Linux 4.16, Power Has Meltdown Mitigation In 4.15. 2018-01-22
- ↑ IBM Power8 Systems Server Firmware
- ↑ IBM POWER9 Systems Server Firmware