• Created by user-9a25e, last modified on 2018-07-10

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Overview

Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.

Known Vulnerabilities

PublicCVEAlias(es)CPUs AffectedSpeculative TriggerImpactMitigationsReferences
Jan 3, 2018CVE-2017-5753Spectre V1Intel
ARM		Branch prediction bounds check bypassCross- and intra-process (including kernel) memory disclosureOS
Compiler
Browser		https://www.kb.cert.org/vuls/id/584653
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
Jan 3, 2018CVE-2017-5715Spectre V2Intel
AMD
ARM		Branch target injectionCross- and intra-process (including kernel) memory disclosureMicrocodehttps://www.kb.cert.org/vuls/id/584653
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
https://www.amd.com/en/corporate/security-updates
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
Jan 3, 2018CVE-2017-5754Spectre V3
Meltdown		IntelOut-of-order executionKernel memory disclosure to userspaceOShttps://www.kb.cert.org/vuls/id/584653
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
May 21, 2018CVE-2018-3640Spectre V3a (RSRE)Intel
ARM		System register readDisclosure of system register valuesMicrocodehttps://www.kb.cert.org/vuls/id/180049
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
May 21, 2018CVE-2018-3639Spectre V4 (SSB)Intel
AMD
ARM

Memory reads before prior memory write addresses knownCross- and intra-process (including kernel) memory disclosureOS
Microcode		https://www.kb.cert.org/vuls/id/180049
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
https://www.amd.com/en/corporate/security-updates
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
Jun 13, 2018CVE-2018-3665Lazy FPIntelLazy FPU state restoreLeak of FPU stateOShttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
July 10, 2018CVE-2017-5753
IntelBounds check bypassCross- and intra-process (including kernel) memory disclosureOShttps://01.org/security/advisories/intel-oss-10002
July 10, 2018CVE-2018-3693
IntelBounds check bypass storeCross- and intra-process (including kernel) memory disclosureOShttps://01.org/security/advisories/intel-oss-10002

Notes

General

The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

Spectre V1

Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when the SGX enclaves are rebuilt. 
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf

Spectre V1 has also been demonstrated to access protections provided by the System Management Range Register (SMRR) to access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

Lazy FP

Lazy FP may particularly expose AES keys:

The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.

https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

  • No labels