Last Update: September 10, 2018
In early January 2018, CPU vulnerabilities known as Meltdown and Spectre were reported. Because these vulnerabilities affect many CPUs, such as those manufactured by Intel, AMD, and ARM, and therefore affect many information systems, related information was published by various security vendors, researchers, and media outlets. HIRT-PUB18001 introduces the issues associated with Meltdown and Spectre.
[Update] At the end of May 2018, CPU Vulnerability Variant issues were reported.
[Update] In the middle of June 2018, CPU Vulnerability Variant issues were reported.
[Update] In the middle of July 2018, CPU Vulnerability Variant issues were reported.
[Update] In the middle of August 2018, CPU Vulnerability Variant issues were reported.
1. Overview
Many articles about Meltdown and Spectre use the words "speculative execution".
About Speculative Execution
In order to take maximum advantage of high-speed CPUs, PCs are equipped with functionality such as out-of-order execution, which processes instructions as they become ready rather than in program order, and branch prediction, which predicts the next choice to be made based on processing history and performs the predicted processing in advance. This type of functionality is referred to by the general term "speculative execution". Because speculative execution involves performing work in advance, it is effective in increasing the efficiency of processing. However, irregular situations also occur in which the prediction turns out to be wrong or instructions that did not need to be processed are executed, and the results of the processing performed in advance become unnecessary. Exploits such as Meltdown and Spectre abuse vulnerabilities in this situation. The vulnerabilities came about because the security mechanisms that have existed up to this point did not take into account operations performed during these irregular situations.
Next, we will examine the issues associated with Meltdown and Spectre.
1.1 Meltdown
Meltdown utilizes the functionality that processes instructions as they are able to be processed rather than processing them in order (out-of-order execution) to process data that cannot be accessed without the appropriate permissions, and to execute processing that utilizes such data. By doing so, Meltdown enables information related to data that cannot be accessed without the appropriate permissions to be stored in cache memory, which can be accessed even without permission (Figure 1). Meltdown causes a problem because it allows the execution of processing of data that should not be processed.
Figure 1: [Meltdown] CVE-2017-5754: Rogue Data Cache Load
1.2 Spectre
Spectre takes two approaches, both of which utilize the functionality that predicts the next choice to be made based on processing history, and performs the predicted processing in advance (branch prediction). The first approach accesses areas that cannot be accessed without the appropriate permissions while the CPU is checking whether access is being made to areas that should be inaccessible, thereby storing, in cache memory, information related to the data in the inaccessible areas (Figure 2). The other approach exploits the functionality that predicts the memory addresses of branches based on the processing history in order to induce the prediction of the memory addresses of incorrect branches, thereby reading data in areas that should be inaccessible (Figure 3).
Figure 2: [Spectre] CVE-2017-5753: Bounds Check Bypass
Figure 3: [Spectre] CVE-2017-5715: Branch Target Injection
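The code pattern behind the bounds check bypass approach (CVE-2017-5753), next to one software countermeasure (index masking), as an added example that is not part of the original advisory. The table, function names, and sample values are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a table selected by an untrusted index. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Before: the check is architecturally correct, but if the branch is
 * predicted "taken" the load can run speculatively with idx >= TABLE_LEN. */
uint8_t lookup_checked_only(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* All ones when idx < len, zero otherwise, computed without a branch.
 * Relies on arithmetic right shift of negative values (GCC, Clang). */
static inline size_t index_mask(size_t idx, size_t len)
{
    intptr_t v = (intptr_t)(idx | (len - 1 - idx));
    return (size_t)(~v >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* After: the index is ANDed with the mask, so even on a mispredicted
 * path the load address stays inside the table (it collapses to 0). */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in-bounds mask:     %zx\n", index_mask(3, TABLE_LEN));
    printf("out-of-bounds mask: %zx\n", index_mask(TABLE_LEN, TABLE_LEN));
    printf("lookup_masked(3) = %u\n", lookup_masked(3));
    return 0;
}
```

An optimizing compiler may turn the mask arithmetic back into a branch, which is why production helpers such as the Linux kernel's array_index_nospec() also hide the value from the optimizer.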
1.3 CPU Vulnerability Variant issues
RSRE (Variant 3a) is an issue similar to Meltdown. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.
SSB, SpectreNG (Variant 4) is an issue in which systems with microprocessors that utilize speculative execution, and that speculatively execute memory reads before the addresses of all prior memory writes are known, may read an earlier value of the data.
2. Impact
Table 1: Impact
| Date Public | January 30, 2018 | ||
| Name | Meltdown Variant 3 | Spectre Variant 1 | Spectre Variant 2 |
| Vulnerability | Rogue Data Cache Load (CVE-2017-5754) | Bounds Check Bypass (CVE-2017-5753) | Branch Target Injection (CVE-2017-5715) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N | ||
| Affected CPU | Intel, IBM POWER | Intel, AMD, ARM, IBM POWER | |
| Scenarios where attackers may attempt to leverage these vulnerabilities | Circumvents the address space layout randomization function of the kernel. | Attacks against virtualized hosting environments. For example, an attacker might gain access to a host OS from a guest OS. Attacks via a web browser. For example, sensitive information stored by a web browser could be leaked. | |
| Date Public | May 21, 2018 | June 13, 2018 | |
| Name | RSRE Variant 3a | SSB, SpectreNG Variant 4 | |
| Vulnerability | Rogue System Register Read (CVE-2018-3640) | Speculative Store Bypass (CVE-2018-3639) | Lazy FP state restore (CVE-2018-3665) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | ||
| Affected CPU | Intel, AMD, ARM | Intel, AMD, ARM, IBM POWER | |
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
| Date Public | July 10, 2018 | ||
| Name | BCBS Spectre 1.1 | Spectre 1.2 | |
| Vulnerability | Bounds Check Bypass Store (CVE-2018-3693) | Read-only Protection Bypass | |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N | ||
| Affected CPU | Intel, AMD, ARM | ||
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
| Date Public | August 14, 2018 | ||
| Name | Foreshadow Foreshadow-SGX | Foreshadow-OS | Foreshadow-VMM |
| Vulnerability | L1 Terminal Fault (L1TF) SGX (CVE-2018-3615) | L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620) | L1 Terminal Fault (L1TF) VMM (CVE-2018-3646) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:P/A:N CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | ||
| Affected CPU | Intel | ||
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
3. Solution
Table 2: Countermeasure approaches
| Date Public | May 21, 2018 | June 13, 2018 | ||
| Name | RSRE Variant 3a | SSB, SpectreNG Variant 4 | ||
| Vulnerability | Rogue System Register Read (CVE-2018-3640) | Speculative Store Bypass (CVE-2018-3639) | Lazy FP state restore (CVE-2018-3665) | |
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-SA-00115: Q2 2018 Speculative Execution Side Channel Update | INTEL-SA-00145: Lazy FP state restore | |
| AMD | AMD Processor Security Updates | |||
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism | |||
| IBM POWER | Potential Impact on Processors in the POWER Family | |||
| OS updates | Windows | ADV180013 | ADV180012 | ADV180016 |
| Mac | ||||
| Red Hat | What is CVE-2018-3640? | Speculative Store Bypass explained: what it is, how it works | ||
| Android | Android Security Bulletin - January 2018 | |||
| Chrome | ||||
| Virtual environment updates | VMware | VMSA-2018-0012 | ||
| Red Hat | ||||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
| Date Public | July 10, 2018 | |||
| Name | BCBS Spectre 1.1 | Spectre 1.2 | ||
| Vulnerability | Bounds Check Bypass Store (CVE-2018-3693) | Read-only Protection Bypass | ||
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-OSS-10002 | ||
| AMD | ||||
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism | |||
| IBM POWER | ||||
| OS updates | Windows | ADV180002 | ||
| Mac | ||||
| Red Hat | CVE-2018-3693 | |||
| Android | ||||
| Chrome | ||||
| Virtual environment updates | VMware | |||
| Red Hat | ||||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
| Date Public | August 14, 2018 | |||
| Name | Foreshadow Foreshadow-SGX | Foreshadow-OS | Foreshadow-VMM | |
| Vulnerability | L1 Terminal Fault (L1TF) SGX (CVE-2018-3615) | L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620) | L1 Terminal Fault (L1TF) VMM (CVE-2018-3646) | |
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-SA-00161: Q3 2018 Speculative Execution Side Channel Update | ||
| AMD | ||||
| ARM | ||||
| IBM POWER | ||||
| OS updates | Windows | ADV180018 | ||
| Mac | ||||
| Red Hat | L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 | |||
| Android | ||||
| Chrome | ||||
| Virtual environment updates | VMware | VMSA-2018-0021 | VMSA-2018-0020 | |
| Red Hat | L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 | |||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
In order to resolve the Meltdown and Spectre issues, partial firmware updates are necessary. However, it is also possible to mitigate the threat by updating applications (such as browsers and virtual environments) and OSs, so a defense-in-depth approach is necessary. In addition, we have received reports not only of the threat of cyberattacks, but also that the countermeasures result in degraded performance and issues with restarting devices. Therefore, operability must be sufficiently considered when implementing these particular vulnerability countermeasures. As a result, when considering the necessity and details of countermeasures (such as whether to update browsers, virtual environments, OSs, and firmware) and the implementation period, it is necessary to take the following into account: (1) the threat status of cyberattacks, (2) performance degradation as a result of countermeasures, and (3) system failures occurring as a result of countermeasures.
(1) The threat status of cyberattacks
The following types of cyberattacks are possible: attacks against virtual hosting environments (such as access to a virtual hosting environment by accessing the host OS from a guest OS), and attacks via a web browser (such as leakage of sensitive information stored by a web browser). Countermeasures must be prioritized for environments in which one or both of these types of cyberattacks are possible. Although the AV-TEST Institute in Germany reports the discovery of 139 malware samples that exploit the issues dubbed Meltdown and Spectre.
Cisco Systems
Meltdown and Spectre
http://blog.talosintelligence.com/2018/01/meltdown-and-spectre.html
AV-TEST
[UPDATE: 2018-01-23] #Spectre & #Meltdown
(2) Performance degradation as a result of countermeasures
The actual impact of countermeasures on performance might vary greatly depending on workloads, hardware, devices, and system restrictions. It is important to achieve balance in the trade-off between security and performance, based on already-published materials about the effects of countermeasures on performance, and on the results of verification performed on the actual devices.
Intel
Intel Security Issue Update: Initial Performance Data Results for Client Systems
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
Microsoft
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Red Hat
Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715
https://access.redhat.com/articles/3307751
VMware
VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337) (January 12, 2018)
https://kb.vmware.com/s/article/52337
(3) System failures occurring as a result of countermeasures
The following failures, such as problems with restarting devices as the result of updates, have been reported. When responding to Meltdown and Spectre issues, it is also important from the perspective of ensuring operational continuity to consider system failures that occur as the result of countermeasures.
Microsoft
Important: Windows security updates and antivirus software
https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software
Intel
Jan. 11, 2018: Intel Security Issue Update: Addressing Reboot Issues
https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/
Intel
Jan. 22, 2018: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
4. Hitachi Product Information
The following are updates for Hitachi products and OEM products (indicated by an asterisk (*)).
October 18, 2018
August 22, 2018
May 22, 2018
April 09, 2018
Published Security Advisory HIRT-PUB18001.
February 13, 2018
Published Security Advisory HIRT-PUB18001[Japanese].
January 17, 2018
January 16, 2018
January 05, 2018
5. References
5.1 Vulnerability Enumeration
These vulnerabilities have been assigned the following identifiers.
US-CERT Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance
https://www.us-cert.gov/ncas/alerts/TA18-004A
CERT/CC Vulnerability Note VU#584653: CPU hardware vulnerable to side-channel attacks
https://www.kb.cert.org/vuls/id/584653
Rogue Data Cache Load (CVE-2017-5754) Variant 3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
Bounds Check Bypass (CVE-2017-5753) Variant 1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
Branch Target Injection (CVE-2017-5715) Variant 2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
US-CERT Alert (TA18-141A): Side-Channel Vulnerability Variants 3a and 4
https://www.us-cert.gov/ncas/alerts/TA18-141A
CERT/CC Vulnerability Note VU#180049: CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks
https://www.kb.cert.org/vuls/id/180049
Rogue System Register Read (CVE-2018-3640) Variant 3a
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640
Speculative Store Bypass (CVE-2018-3639) Variant 4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
Bounds Check Bypass Store (CVE-2018-3693)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3693
CERT/CC Vulnerability Note VU#982149: Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)
https://www.kb.cert.org/vuls/id/982149
L1 Terminal Fault (L1TF) SGX (CVE-2018-3615)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
L1 Terminal Fault (L1TF) VMM (CVE-2018-3646)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
5.2 Related Information
Vulnerabilities Associated with CPU Speculative Execution
https://vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution
Meltdown
https://meltdownattack.com/meltdown.pdf
Spectre Attacks: Exploiting Speculative Execution
https://spectreattack.com/spectre.pdf
Speculative Buffer Overflows: Attacks and Defenses
https://arxiv.org/abs/1807.03757
Intel
Intel Analysis of Speculative Execution Side Channels
https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf
Intel
Analyzing potential bounds check bypass vulnerabilities
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Intel
L1 Terminal Fault / CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 / INTEL-SA-00161
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
Intel
Deep Dive: Intel Analysis of L1 Terminal Fault
https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-l1-terminal-fault
speculative execution, variant 4: speculative store bypass
https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
6. Update history
October 29, 2018
September 10, 2018
August 08, 2018
June 18, 2018
June 06, 2018
June 01, 2018
May 28, 2018
April 09, 2018
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)