Speculative Store Bypass
Speculative Store Bypass (SSB) (CVE-2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on May 3, 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on May 21, 2018, alongside a related speculative execution vulnerability designated "Variant 3a".
Speculative execution exploit Variant 4, is referred to as Speculative Store Bypass (SSB), and has been assigned CVE-2018-3639. SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities.
Steps involved in exploit:
- "Slowly" store a value at a memory location
- "Quickly" load that value from that memory location
- Utilize the value that was just read to disrupt the cache in a detectable way
Impact and mitigation
Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4. Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.
Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD). A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks"[needs update]. Many operating system vendors will be releasing software updates to assist with mitigating Variant 4; however, microcode/firmware updates are required for the software updates to have an effect.
Speculative execution exploit variants
|Vulnerability||CVE||Exploit name||Public vulnerability name|
|Spectre||2017-5753||Variant 1||Bounds Check Bypass (BCB)|
|Spectre||2017-5715||Variant 2||Branch Target Injection (BTI)|
|Meltdown||2017-5754||Variant 3||Rogue Data Cache Load (RDCL)|
|Spectre-NG||2018-3640||Variant 3a||Rogue System Register Read (RSRE)|
|Spectre-NG||2018-3639||Variant 4||Speculative Store Bypass (SSB)|
|Spectre-NG||2018-3665||Lazy FP State Restore|
|Spectre-NG||2018-3693||Bounds Check Bypass Store (BCBS)|
|Foreshadow||2018-3615||Variant 5||L1 Terminal Fault (L1TF)|
- Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
- Ubuntu Community (2018-05-21). "Variant4". Archived from the original on 2018-05-21. Retrieved 2018-05-21.
- Schmidt, Jürgen (2018-05-03). "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-03. Schmidt, Jürgen (2018-05-03). "Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik. Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
- Fischer, Martin (2018-05-03). "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
- Tung, Liam (2018-05-04). "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". ZDNet. Archived from the original on 2018-05-22. Retrieved 2018-03-04.
- Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.
- "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-21. Retrieved 2018-05-21.
- Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
- Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
- Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
- "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.
- "Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639". RedHat. 2018-05-21. Resolve tab. Archived from the original on 2018-05-21. Retrieved 2018-05-22.
- Miller, Matt. "Analysis and mitigation of speculative store bypass (CVE-2018-3639)". Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived from the original on 2018-05-21. Retrieved 2018-05-21.
- "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
- Windeck, Christof (2018-05-21). "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update". Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.