Speculative Store Bypass

Speculative Store Bypass (SSB) (

Variant 3a".^[7]^[1]

Details

Speculative execution exploit Variant 4,

CVE-2018-3639.^[7] SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities.^[7]

Steps involved in exploit:[1]

"Slowly" store a value at a memory location
"Quickly" load that value from that memory location
Utilize the value that was just read to disrupt the cache in a detectable way

Impact and mitigation

Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.^[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.^[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.^[11]

Intel is planning to address Variant 4 by releasing a

Speculative Store Bypass Disable (SSBD).^[7]^[2]^[12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks"^{[needs update]}.^[7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;^[13]^[2]^[14] however, microcode/firmware updates are required for the software updates to have an effect.^[13]

Speculative execution exploit variants

Summary of speculative execution variants^[15]^[7]^[16]^[17]
Vulnerability	CVE	Exploit name	Public vulnerability name	CVSS v2.0	CVSS v3.0
Spectre	2017-5753	Variant 1	Bounds Check Bypass (BCB)	4.7	5.6
Spectre	2017-5715	Variant 2	Branch Target Injection (BTI)	4.7	5.6
Meltdown	2017-5754	Variant 3	Rogue Data Cache Load (RDCL)	4.7	5.6
Spectre-NG	2018-3640	Variant 3a	Rogue System Register Read (RSRR^[18] )	4.7	5.6
Spectre-NG	2018-3639	Variant 4	Speculative Store Bypass (SSB)	4.9	5.5
Spectre-NG	2018-3665		Lazy FP State Restore	4.7	5.6
Spectre-NG	2018-3693		Bounds Check Bypass Store (BCBS)	4.7	5.6
Foreshadow	2018-3615	Variant 5	L1 Terminal Fault (L1TF)	5.4	6.4
Foreshadow-NG	2018-3620			4.7	5.6
Foreshadow-NG	2018-3646			4.7	5.6

References

^ ^a ^b ^c ^d Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
^
Ubuntu Community (2018-05-21). "Variant4". Archived
from the original on 2018-05-22. Retrieved 2018-05-21.

Heise Online. Archived
from the original on 2018-05-05. Retrieved 2018-05-04.

Heise Online. Archived
from the original on 2018-05-05. Retrieved 2018-05-04.

ZDNet. Archived
from the original on 2018-05-22. Retrieved 2018-03-04.

^ Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.

^ ^a ^b ^c ^d ^e ^f ^g "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.

^ Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.

^ Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.

^ Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.

^ "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.

^ "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.

^
RedHat. 2018-05-21. Resolve tab. Archived
from the original on 2018-05-22. Retrieved 2018-05-22.

Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived
from the original on 2018-05-22. Retrieved 2018-05-21.

^ "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.

Heise Security (in German). Archived
from the original on 2018-05-21. Retrieved 2018-05-21.

^ "NVD - Cve-2017-5753".

^ Sometimes misspelled "RSRE"

See also

Transient execution CPU vulnerabilities

External links

Website detailing the Meltdown and Spectre vulnerabilities, hosted by Graz University of Technology

Google Project Zero write-up

Meltdown/Spectre Checker
Gibson Research Corporation

v
t
e
Speculative execution security vulnerabilities
Variants

Bounds Check Bypass (Spectre, Variant 1)

Bounds Check Bypass Store (Spectre-NG)

Branch Target Injection (Spectre, Variant 2)

Downfall

Foreshadow

Lazy FP state restore (Spectre-NG)

Load value injection

Microarchitectural Data Sampling

Pacman

Retbleed

Rogue Data Cache Load (Meltdown, Variant 3)

Rogue System Register Read (Spectre-NG, Variant 3a)

Speculative Store Bypass (Spectre-NG, Variant 4)

Spoiler

Topics

Cache side-channel attack

Hardware security bug

Speculative execution

Transient execution CPU vulnerability

v
t
e
Hacking in the 2010s
← 2000s
Timeline
2020s →
Major incidents
2010

Operation Aurora (publication of 2009 events)

Australian cyberattacks

Operation Olympic Games

Operation ShadowNet

Operation Payback

2011

Canadian government

DigiNotar

DNSChanger

HBGary Federal

Operation AntiSec

PlayStation network outage

RSA SecurID compromise

2012

LinkedIn hack

Stratfor email leak

Operation High Roller

2013

South Korea cyberattack

Snapchat hack

Cyberterrorism Attack of June 25

2013 Yahoo! data breach

Singapore cyberattacks

2014

Anthem medical data breach

Operation Tovar

2014 celebrity nude photo leak

2014 JPMorgan Chase data breach

2014 Sony Pictures hack

Russian hacker password theft

2014 Yahoo! data breach

2015

Office of Personnel Management data breach

Hacking Team

Ashley Madison data breach

VTech data breach

Ukrainian Power Grid Cyberattack

SWIFT banking hack

2016

Bangladesh Bank robbery

Hollywood Presbyterian Medical Center ransomware incident

Commission on Elections data breach

Democratic National Committee cyber attacks

Vietnam Airport Hacks

DCCC cyber attacks

Indian Bank data breaches

Surkov leaks

Dyn cyberattack

Russian interference in the 2016 U.S. elections

2016 Bitfinex hack

2017

SHAttered

2017 Macron e-mail leaks

WannaCry ransomware attack

Westminster data breach

Petya and NotPetya
2017 Ukraine ransomware attacks

Vault7 data breach

Equifax data breach

Deloitte breach

Disqus breach

2018

Trustico

Atlanta cyberattack

SingHealth data breach

2019

Sri Lanka cyberattack

Baltimore ransomware attack

Bulgarian revenue agency hack

WhatsApp snooping scandal

Jeff Bezos phone hacking incident

Hacktivism

Anonymous
associated events

CyberBerkut

GNAA

Goatse Security

Lizard Squad

LulzRaft

LulzSec

New World Hackers

NullCrew

OurMine

PayPal 14

RedHack

Teamp0ison

TDO

UGNazi

Ukrainian Cyber Alliance

Advanced
persistent threats

Bangladesh Black Hat Hackers

Bureau 121

Charming Kitten

Cozy Bear

Dark Basin

DarkMatter

Elfin Team

Equation Group

Fancy Bear

GOSSIPGIRL (confederation)

Guccifer 2.0

Hacking Team

Helix Kitten

Iranian Cyber Army

Lazarus Group (BlueNorOff) (AndAriel)

NSO Group

Numbered Panda

PLA Unit 61398

PLA Unit 61486

PLATINUM

Pranknet

Red Apollo

Rocket Kitten

Stealth Falcon

Syrian Electronic Army

Tailored Access Operations

The Shadow Brokers

Yemen Cyber Army

Individuals

George Hotz

Guccifer

Jeremy Hammond

Junaid Hussain

Kristoffer von Hassel

Mustafa Al-Bassam

MLT

Ryan Ackroyd

Sabu

Topiary

Track2

The Jester

Major vulnerabilities
publicly disclosed

Evercookie (2010)

iSeeYou (2013)

Heartbleed (2014)

Shellshock (2014)

POODLE (2014)

Rootpipe (2014)

Row hammer (2014)

SS7 vulnerabilities
(2014)

JASBUG (2015)

Stagefright (2015)

DROWN (2016)

Badlock (2016)

Dirty COW (2016)

Cloudbleed (2017)

Broadcom Wi-Fi (2017)

EternalBlue (2017)

DoublePulsar (2017)

Silent Bob is Silent (2017)

KRACK (2017)

ROCA vulnerability (2017)

BlueBorne (2017)

Meltdown (2018)

Spectre (2018)

EFAIL (2018)

Exactis (2018)

Speculative Store Bypass (2018)

Lazy FP state restore (2018)

TLBleed (2018)

SigSpoof (2018)

Foreshadow (2018)

Dragonblood (2019)

Microarchitectural Data Sampling (2019)

BlueKeep (2019)

Kr00k (2019)

Malware
2010

Bad Rabbit

Black Energy 2

SpyEye

Stuxnet

2011

Coreflood

Alureon

Duqu

Kelihos

Metulji botnet

Stars

2012

Carna

Dexter

FBI

Flame

Mahdi

Red October

Shamoon

2013

CryptoLocker

DarkSeoul

2014

Brambul

Black Energy 3

Carbanak

Careto

DarkHotel

Duqu 2.0

FinFisher

Gameover ZeuS

Regin

2015

Dridex

Hidden Tear

Rombertik

TeslaCrypt

2016

Hitler

Jigsaw

KeRanger

Necurs

MEMZ

Mirai

Pegasus

Petya and NotPetya

X-Agent

2017

BrickerBot

Kirk

LogicLocker

Rensenware

Triton

WannaCry

XafeCopy

2018

VPNFilter

2019

Grum

Joanap

NetTraveler

R2D2

Tinba

Titanium

ZeroAccess botnet

Retrieved from "https://en.wikipedia.org/w/index.php?title=Speculative_Store_Bypass&oldid=1095445238"

[ARST-20180522-1] Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.

[ubuntu-wiki-v4-2] 
Ubuntu Community (2018-05-21). "Variant4". Archived
from the original on 2018-05-22. Retrieved 2018-05-21.

[Schmidt_2018_NG-3] Heise Online. Archived
from the original on 2018-05-05. Retrieved 2018-05-04.

[Fischer_2018_NG-4] Heise Online. Archived
from the original on 2018-05-05. Retrieved 2018-05-04.

[Tung_2018_NG-5] ZDNet. Archived
from the original on 2018-05-22. Retrieved 2018-03-04.

[Kumar_2018_NG-6] Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.

[INTEL-SA-00115-7] ^ ^a ^b ^c ^d ^e ^f ^g "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.

[TVRG-20180522-8] Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.

[DIGT-20180522-9] Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.

[wired-10] Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.

[v8_dev_2019-11] "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.

[Intel_2018_SESEM-12] "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.

[redhat-ssbd-13] 
RedHat. 2018-05-21. Resolve tab. Archived
from the original on 2018-05-22. Retrieved 2018-05-22.

[ms-analysis-v4-14] Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived
from the original on 2018-05-22. Retrieved 2018-05-21.

[CERT-15] "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.

[Windeck_2018_V3aV4-16] Heise Security (in German). Archived
from the original on 2018-05-21. Retrieved 2018-05-21.

[17] "NVD - Cve-2017-5753".

[18] Sometimes misspelled "RSRE"

[7]

[1]

[10]

[11]

[2]

[12]

[13]

[14]

[15]

[16]

[17]

[18]