Skip to end of metadata
Go to start of metadata

Overview

Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.

Known Vulnerabilities

PublicCVEAlias(es)CPU Vendors AffectedSpeculative TriggerImpactMitigationsReferences
Jan 3, 2018CVE-2017-5753

Spectre V1

NetSpectre
(network attack vector)

Spectre-PHT

Intel

ARM

IBM

Branch prediction bounds check bypassCross- and intra-process (including kernel) memory disclosure

OS

Compiler

Browser

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jan 3, 2018CVE-2017-5715

Spectre V2

Spectre-BTB

Intel

AMD

ARM

IBM

Branch target injectionCross- and intra-process (including kernel) memory disclosureMicrocode

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.amd.com/en/corporate/security-updates

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jan 3, 2018CVE-2017-5754

Spectre V3

Meltdown

Meltdown-US

Intel

IBM

Out-of-order executionKernel memory disclosure to userspaceOS

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

May 21, 2018CVE-2018-3640

Spectre V3a (RSRE)

Meltdown-GP

Intel

ARM


System register readDisclosure of system register valuesMicrocode

https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

May 21, 2018CVE-2018-3639

Spectre V4 (SSB)

Spectre-STL

Intel

AMD

ARM

IBM

Memory reads before prior memory write addresses knownCross- and intra-process (including kernel) memory disclosure

Microcode

OS


https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://www.amd.com/en/corporate/security-updates

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jun 13, 2018CVE-2018-3665

Lazy FP

Meltdown-NM

IntelLazy FPU state restoreLeak of FPU stateOShttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
July 10, 2018CVE-2018-3693

Spectre1.1

Spectre-PHT

Intel

Bounds check bypass store

Speculative buffer overflow

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

July 10, 2018N/A

Spectre1.2

Meltdown-RW

IntelRead-only protection bypass

Overwrite read-only data and pointers

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

August 14, 2018CVE-2018-3615

L1 Terminal Fault: SGX

Foreshadow-SGX

Meltdown-P

IntelTransient out-of-order executionSGX enclave memory disclosure

Microcode

TCB Recovery

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow.pdf

August 14, 2018CVE-2018-3620

L1 Terminal Fault: OS/SMM

Foreshadow-OS

Foreshadow-NG

Meltdown-P

Intel

IBM

Transient out-of-order executionOS or SMM memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

August 14, 2018CVE-2018-3646

L1 Terminal Fault: VMM

Foreshadow-VMM

Foreshadow-NG

Meltdown-P

Intel

IBM

Transient out-of-order executionVirtual Machine Monitor (VMM) memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

November 13, 2018
Spectre-PHT-CA-OP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-PHT-CA-IP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-PHT-SA-OP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-BTB-SA-IP

Intel

ARM

AMD

Branch Target Buffer

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-BTB-SA-OP

Intel

Branch Target Buffer

https://arxiv.org/abs/1811.05441
November 13, 2018
Meltdown-PKIntelProtection Keys

https://arxiv.org/abs/1811.05441
November 13, 2018
Meltdown-BND

Intel

AMD

Bound instruction

https://arxiv.org/abs/1811.05441

Notes

General

The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

Other Information

NSA guidance on speculative execution vulnerabilities includes a similar list.
https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance

Spectre V1

Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when SGX enclaves are rebuilt. 
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf

Spectre V1 has been demonstrated to bypass protections provided by the System Management Range Register (SMRR) to access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

Spectre V1 can be exploited over network connections rather than through local code execution of remotely delivered code such as JavaScript. This remote attack is known as NetSpectre.
https://misc0110.net/web/files/netspectre.pdf

Lazy FP

Lazy FP may particularly expose AES keys:

The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.
https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

  • No labels