Jump to content

Spectre (security vulnerability)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 64.121.146.209 (talk) at 21:34, 26 January 2018 (→‎Detailed explanation). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A logo created for the vulnerability, featuring a ghost with a branch

Spectre is a vulnerability that affects modern microprocessors that perform branch prediction.[1][2][3] On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.[4][5][6]

Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection), have been issued.[7] JIT engines used for JavaScript were found vulnerable. A website can read data stored in the browser for another website, or the browser's memory itself.[8]

Several procedures to help protect home computers and related devices from the Spectre (and Meltdown) security vulnerabilities have been published.[9][10][11][12] Spectre patches have been reported to significantly slow down performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured.[13][5][14][15] On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. Nonetheless, according to DELL computers: "No 'real-world' exploits of these vulnerabilities [ie, Meltdown and Spectre] have been reported to date [January 26, 2018], though researchers have produced proof-of-concepts."[16][17] Further, recommended preventions include: "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)."[16][17]

When Intel announced that Spectre mitigation can be switched on as a "security feature" instead of being a bug, Linux creator Linus Torvalds called the patches "complete and utter garbage". Ingo Molnar then suggested to use function tracing machinery in the Linux kernel to fix Spectre without Indirect Branch Restricted Speculation (IBRS) microcode support. This has then only a performance impact on processors based on Intel Skylake and newer architecture.[18][19][20][21]

On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.[22]

History

In 2002 and 2003 Yukiyasu Tsunoo and colleagues from NEC showed how to attack MISTY and DES respectively. In 2005, Daniel Bernstein from the University of Illinois reported an extraction of an OpenSSL AES key via a cache timing attack, and Colin Percival had a working attack on the OpenSSL RSA key using the Intel processor's cache. 2013 Yuriv Yarom and Katrina Falkner from the University of Adelaide showed how measuring the access time to data lets a spy application guess if the information was read from the cache, or not. If it was read from the cache the access time was very short, and the data read could contain the private key of encryption algorithms. This technique was used to successfully attack GnuPG, AES and other cryptographic implementations[23][24][25][26][27][28] In January 2017, Anders Fogh gave a presentation at the Ruhruniversität Bochum about automatically finding covert channels, especially on processors with a pipeline used by more than one processor core. [29].

Spectre was discovered independently by Jann Horn from Google's Project Zero and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.[when?] Microsoft Vulnerability Research extended it to browsers' JavaScript JIT engines.[4][30] It was made public in conjunction with another vulnerability, Meltdown, on January 3, 2018, after the affected hardware vendors had already been made aware of the issue on June 1, 2017.[31]

The vulnerability was called "Spectre" because it "is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time."[32]

Detailed explanation

Spectre is a vulnerability that forces programs on a user's operating system to access an arbitrary location in the program's memory space.

Instead of a single easy-to-fix vulnerability, the Spectre white paper[1] describes a whole class[33] of potential vulnerabilities. They are all based on exploiting side effects of speculative execution, a common means of hiding memory latency and so speeding up execution in modern microprocessors. In particular, Spectre centers on branch prediction, which is a special case of speculative execution. Unlike the related Meltdown vulnerability disclosed at the same time, Spectre does not rely on a specific feature of a single processor's memory management and protection system, but is a more generalized idea.

The starting point of the white paper is that of a side-channel timing attack[34] applied to the branch prediction machinery of modern out-of-order executing microprocessors. While at the architectural level documented in processor data books, any results of misprediction are specified to be annulled after the fact, the resulting speculative execution may still leave around side effects, like loaded cache lines. Those can then affect the so-called non-functional aspects of the computing environment later on. If such side effects – including but not limited to memory access timing – are visible to a malicious program, and can be engineered to depend on sensitive data held by the victim process, then these side effects can result in that sensitive data becoming discernible. This can happen despite the formal architecture-level security arrangements working as designed; in this case, lower, microarchitecture-level optimizations to code execution [can] leak information not essential to the correctness of normal program execution.

The Spectre paper displays the attack in four essential steps:

  1. First, it shows that branch prediction logic in modern processors can be trained to reliably hit or miss based on the internal workings of a malicious program.
  2. It then goes on to show that the subsequent difference between cache hits and misses can be reliably timed, so that what should have been a simple non-functional difference can in fact be subverted into a covert channel which extracts information from an unrelated process's inner workings.
  3. Thirdly, the paper synthesizes the results with return-oriented programming exploits and other principles with a simple example program and a JavaScript snippet run under a sandboxing browser; in both cases, the entire address space of the victim process (i.e. the contents of a running program) is shown to be readable by simply exploiting speculative execution of conditional branches in code generated by a stock compiler or the JavaScript machinery present in an extant browser. The basic idea is to search existing code for places where speculation touches upon otherwise inaccessible data, manipulate the processor into a state where speculative execution has to touch that data, and then time the side effect of the processor being faster, if its by-now-prepared prefetch machinery indeed did load a cache line.
  4. Finally, the paper concludes by generalizing the attack to any non-functional state of the victim process. It briefly discusses even such highly non-obvious non-functional effects as bus arbitration latency.

The basic difference between Spectre and Meltdown is that Spectre can be used to manipulate a process into revealing its own data. On the other hand, Meltdown can be used to read privileged memory in a process's address space which even the process itself would normally be unable to access (on some unprotected OS's this includes data belonging to the kernel or other processes).

The Meltdown paper distinguishes the two vulnerabilities thus: "Meltdown is distinct from the Spectre Attacks in several ways, notably that Spectre requires tailoring to the victim process's software environment, but applies more broadly to CPUs and is not mitigated by KAISER."[35]

Impact

As of 2018, almost every computer system is affected by Spectre, including desktops, laptops, and mobile devices. Specifically, Spectre has been shown to work on Intel, AMD, ARM-based, and IBM processors.[36][37][38] Intel responded to the reported security vulnerabilities with an official statement.[39] AMD originally stated that vulnerability to one of the two Spectre variants had not been demonstrated on AMD processors, claiming it posed "near zero risk of exploitation" due to differences in AMD architecture.[40] However, AMD later stated that their processors were affected by both variants of Spectre.[41][42][43]

Researchers have indicated that the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors.[44][45][46][47] Specifically, processors with speculative execution are affected with these vulnerabilities.[48]

ARM has reported that the majority of their processors are not vulnerable, and published a list of the specific processors that are affected by the Spectre vulnerability: Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73 and ARM Cortex-A75 cores.[49]

A large portion of the current mid-range Android handsets use the Cortex-A53 or Cortex-A55 in an octa-core arrangement and are not affected by either the Meltdown or Spectre vulnerability as they do not perform out-of-order execution.[citation needed] This includes devices with the Qualcomm Snapdragon 630, Snapdragon 626, Snapdragon 625, and all Snapdragon 4xx processors based on A53 or A55 cores.[50] Also, all Raspberry Pi computers are not vulnerable to either Meltdown or Spectre.[51]

Spectre has the potential of having a greater impact on cloud providers than Meltdown. Whereas Meltdown allows unauthorized applications to read from privileged memory to obtain sensitive data from processes running on the same cloud server, Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it.[52]

Mitigation

Since Spectre represents a whole class of attacks, there most likely cannot be a single patch for it.[3] While work is already being done to address special cases of the vulnerability, the original website devoted to Spectre and Meltdown states: "As [Spectre] is not easy to fix, it will haunt us for a long time."[4]

Nonetheless, several procedures to help protect home computers and related devices from the "Meltdown" and "Spectre" security vulnerabilities have been published.[9][10][11][12] Spectre patches have been reported to significantly slow down performance, especially on older computers; on the newer eighth generation Core platforms, benchmark performance drops of 2–14 percent have been measured.[13] On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported.[18]

Exploitation through JavaScript embedded in websites is possible.[1] Chrome 64 will include mitigations against the attack by default, and Chrome 63 users can manually mitigate the attack by enabling the Site Isolation feature (chrome://flags#enable-site-per-process).[53] As of Firefox 57.0.4, Mozilla is reducing the resolution of JavaScript timers to help prevent timing attacks, with additional work on time-fuzzing techniques planned for future releases.[30][54]

On January 4, 2018, Google detailed a new technique on their security blog called "Retpoline" (return trampoline)[55] which can overcome the Spectre vulnerability with a negligible amount of processor overhead. It involves compiler level steering of indirect branches towards a different target that does not result in a vulnerable speculative out-of-order execution taking place.[56][57] While it was developed for the x86 instruction set, the Google engineers believe the technique is transferable to other processors as well.[58] In Linux kernel 4.14.14/4.9.77/4.4.112 this appeared as RETPOLINE=y option of the .config which can optionally take advantage of gcc -mindirect-branch=thunk-extern (will appear in gcc-8.1 (to be released in Mar 2018) and possibly be backported to gcc-4/5/6/7 series). Users and distro maintainers should care to update toolchain[59]. The help text of the kernel entry says: "Without compiler support, at least indirect branches in assembler code are eliminated. Since this includes the syscall entry path, it is not entirely pointless.". More details and some links to benchmarks showing mostly marginal slowdown of the kernel are at phoronix.com site[60]. The kernels also report some new entries in syslog and applications can use new runtime bits describing the CPU bugs. On a virtual-hosted instance one yields:

[    0.009003] CPU: AMD QEMU Virtual CPU version 0.14 (family: 0x6, model: 0x2, stepping: 0x3)

[    0.009673] Spectre V2 mitigation: LFENCE not serializing. Switching to generic retpoline

[    0.010003] Spectre V2 mitigation: Vulnerable: Minimal generic ASM retpoline

It has also been suggested[61] that the cost of mitigation can be alleviated by processors which feature selective translation lookaside buffer (TLB) flushing, a feature which is called process-context identifier (PCID) under Intel 64 architecture, and under Alpha, an address space number (ASN). This is because selective flushing enables the TLB behavior crucial to the exploit to be isolated across processes, without constantly flushing the entire TLB – the primary reason for the cost of mitigation.[citation needed]

Summary of mitigations on Microsoft Windows[7]
Vulnerability CVE Exploit Name Public Vulnerability Name Windows Changes Firmware Changes
Spectre 2017-5753 Variant 1 Bounds Check Bypass Recompiling with a new compiler
Hardened Browser to prevent exploit from JavaScript		 No
Spectre 2017-5715 Variant 2 Branch Target Injection New CPU instructions eliminating branch speculation Yes
(Meltdown) 2017-5754 Variant 3 Rogue Data Cache Load Isolate kernel and user mode page tables No


References

  1. ^ a b c Kocher, Paul; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2018). "Spectre Attacks: Exploiting Speculative Execution" (PDF). Archived from the original (PDF) on January 3, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  2. ^ Greenberg, Andy (January 3, 2018). "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  3. ^ a b Bright, Peter (January 5, 2018). "Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it". Ars Technica. Retrieved January 6, 2018.
  4. ^ a b c Staff (2018). "Meltdown and Spectre". Graz University of Technology. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  5. ^ a b Metz, Cade; Perlroth, Nicole (January 3, 2018). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite news}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  6. ^ Warren, Tom (January 3, 2018). "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite news}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  7. ^ a b "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems". Microsoft. January 9, 2018.
  8. ^ "Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs". The Register. January 4, 2018.
  9. ^ a b Metz, Cade; Chen, Brian X. (January 4, 2018). "What You Need to Do Because of Flaws in Computer Chips". The New York Times. Retrieved January 5, 2018.
  10. ^ a b Pressman, Aaron (January 5, 2018). "Why Your Web Browser May Be Most Vulnerable to Spectre and What to Do About It". Fortune (magazine). Retrieved January 5, 2018.
  11. ^ a b Chacos, Brad (January 4, 2018). "How to protect your PC from the major Meltdown and Spectre CPU flaws". PC World. Archived from the original on January 4, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  12. ^ a b Elliot, Matt (January 4, 2018). "Security – How to protect your PC against the Intel chip flaw – Here are the steps to take to keep your Windows laptop or PC safe from Meltdown and Spectre". CNET. Archived from the original on January 4, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  13. ^ a b Hachman, Mark (January 9, 2018). "Microsoft tests show Spectre patches drag down performance on older PCs". PC World. Retrieved January 9, 2018.
  14. ^ "Computer chip scare: What you need to know". BBC News. January 4, 2018. Retrieved January 4, 2018.
  15. ^ "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved January 4, 2018.
  16. ^ a b Staff (January 26, 2018). "Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products". Dell. Retrieved January 26, 2018.
  17. ^ a b Staff (January 26, 2018). "Meltdown and Spectre Vulnerabilities". Dell. Retrieved January 26, 2018.
  18. ^ a b Tung, Liam (January 18, 2018). "Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch - Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs". ZDNet. Retrieved January 18, 2018.
  19. ^ 'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature, Patches slammed as 'complete and utter garbage' as Chipzilla U-turns on microcode, The Register, January 22, 2018.
  20. ^ Molnar suggesting to use function tracing, Re: [RFC 09/10 x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation], Ingo Molnar, January 23, 2018.
  21. ^ IBRS patch series, Intel, January 4, 2018 .
  22. ^ Hachman, Mark (January 25, 2018). "Intel's plan to fix Meltdown in silicon raises more questions than answers - But what silicon?!! Be sure and read the questions Wall Street should have asked". PC World. Retrieved January 26, 2018.
  23. ^ Y. Tsunoo, E. Tsujihara, K. Minematsu, H. Miyauchi, “Cryptanalysis of Block Ciphers Implemented on Computers with Cache,” ISITA 2002, 2002.
  24. ^ [Cryptanalysis of DES Implemented on Computers with Cache Cryptanalysis of DES Implemented on Computers with Cache], Yukiyasu Tsunoo, Teruo Saito, Tomoyasu Suzaki, Maki Shigeri, and Hiroshi Miyauchi, Cryptographic Hardware and Embedded Systems - CHES 2003, 5th International Workshop, Cologne, Germany, September 8-10, 2003.
  25. ^ Cache-timing attacks on AES, Daniel J. Bernstein, April 14, 2005.
  26. ^ Cache missing for fun and profit, Colin Percival, presented at BSDCan '05, May 2005. Conference presentation slides. Superseded by: Cache missing for fun and profit, October 2005.
  27. ^ FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack, Yuval Yarom and Katrina Falkner, The University of Adelaide, 23rd USENIX Symposium, August 22-24, 2014, San Diego.
  28. ^ CacheBleed A Timing Attack on OpenSSL Constant Time RSA, uval Yarom and Daniel Genkin and Nadia Heninger, CHES 2016, Yuval Yarom referring to the history, September 21, 2016.
  29. ^ Anders Fogh: "Covert shotgun: Automatically finding covert channels in SMT", Ruhruniversität Bochum, HackPra channel from the Chair of Network and Data Security, January 12, 2017. Fogh describing a Side Channel using fashioned listening to a safe while turning its wheel
  30. ^ a b "Speculative execution side-channel attack ("Spectre")". Mozilla.
  31. ^ Gibbs, Samuel (January 4, 2018). "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers". The Guardian. Archived from the original on January 6, 2018. Retrieved January 6, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  32. ^ "Meltdown and Spectre". spectreattack.com.
  33. ^ "Reading privileged memory with a side-channel". 2018. Archived from the original on January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  34. ^ "Mitigations landing for new class of timing attack". 2018. Archived from the original on January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  35. ^ "Meltdown" (PDF). 2018. Archived from the original (PDF) on January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  36. ^ Staff (2018). "Meltdown and Spectre-faq-systems-spectre". Graz University of Technology. Archived from the original on January 3, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  37. ^ Busvine, Douglas; Nellis, Stephen (January 3, 2018). "Security flaws put virtually all phones, computers at risk". Reuters. Thomson-Reuters. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  38. ^ "Potential Impact on Processors in the POWER family". 2018.
  39. ^ Staff (January 3, 2018). "Intel Responds To Security Research Findings". Intel. Archived from the original on January 3, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  40. ^ "An Update on AMD Processor Security". Advanced Micro Devices. 2018. Archived from the original on January 4, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  41. ^ "AMD: Yes, Spectre does affect our processors". CNET. Retrieved January 12, 2018.
  42. ^ "AMD Processor Security | AMD". www.amd.com. Retrieved January 12, 2018.
  43. ^ Vaughan-Nichols, Steven J. (January 12, 2018). "AMD processors: Not as safe as you might have thought - With all the hub-bub about Meltdown and Spectre, AMD CPUs are widely regarded as being perfectly safe. Well AMD chips may be safer, but they're not invulnerable". ZDNet. Retrieved January 12, 2018.
  44. ^ "Who's affected by computer chip security flaw".
  45. ^ "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register. January 2, 2018.
  46. ^ Staff (2018). "Meltdown and Spectre-faq-systems-spectre". Graz University of Technology. Retrieved January 4, 2018.
  47. ^ Busvine, Douglas; Nellis, Stephen (January 3, 2018). "Security flaws put virtually all phones, computers at risk". Reuters. Thomson-Reuters. Retrieved January 3, 2018.
  48. ^ "Today's CPU vulnerability: what you need to know".
  49. ^ "Arm Processor Security Update". ARM Developer. ARM Ltd. January 3, 2018. Retrieved January 5, 2018.
  50. ^ "'Spectre' and 'Meltdown': New CPU vulnerabilities affect most smartphones and computers". January 4, 2018.
  51. ^ "Why Raspberry Pi isn't vulnerable to Spectre or Meltdown - Raspberry Pi". January 5, 2018.
  52. ^ Fox-Brewster, Thomas (January 3, 2018). "Massive Intel Vulnerabilities Just Landed -- And Every PC User On The Planet May Need To Update". Forbes. Forbes Media LLC. Archived from the original on January 3, 2018. Retrieved January 3, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  53. ^ "Google's Mitigations Against CPU Speculative Execution Attack Methods". support.google.com. Archived from the original on January 3, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  54. ^ "Mitigations landing for new class of timing attack". Mozilla Security Blog. Archived from the original on January 4, 2018. Retrieved January 4, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  55. ^ "Intel Analysis of Speculative Execution Side Channels" (PDF). White Paper (336983-001 Revision 1.0). Intel. January 2018: 5. Retrieved January 11, 2018. second technique introduces the concept of a "return trampoline", also known as "retpoline" {{cite journal}}: Cite journal requires |journal= (help)
  56. ^ "More details about mitigations for the CPU Speculative Execution issue". Archived from the original on January 5, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  57. ^ "Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique". tech.slashdot.org.
  58. ^ Paul Turner. "Retpoline: a software construct for preventing branch-target-injection – Google Help". support.google.com. Archived from the original on January 5, 2018. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  59. ^ "kernel/git/stable/linux-stable.git - Linux kernel stable tree". git.kernel.org. Retrieved January 19, 2018.
  60. ^ "Spectre Mitigation Added To GCC 8, Seeking Backport To GCC 7 - Phoronix". www.phoronix.com. Retrieved January 19, 2018.
  61. ^ "How Will the Meltdown and Spectre Flaws Affect My PC?". How-To Geek.

Further reading

Retrieved from "https://en.wikipedia.org/w/index.php?title=Spectre_(security_vulnerability)&oldid=822523693"