Speculative Store Bypass
Speculative Store Bypass (SSB) (
Details
Speculative execution exploit Variant 4,
Steps involved in the exploit:[1]
- "Slowly" store a value at a memory location
- "Quickly" load that value from that memory location, before the pending store has been resolved
- Utilize the value that was just read to disrupt the cache in a detectable way
Impact and mitigation
Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.[11]
Intel is planning to address Variant 4 by releasing a Speculative Store Bypass Disable (SSBD).[7][2][12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks".[7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;[13][2][14] however, microcode/firmware updates are required for the software updates to have an effect.[13]
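Because the OS-level SSBD mitigation only takes effect once the microcode exposes the corresponding CPUID feature, a defender wants to check both halves. The following added example (not code from the article or from any vendor) reads the Linux kernel's SSB status entry under /sys/devices/system/cpu/vulnerabilities/ and the CPU feature flags from /proc/cpuinfo, and reports whether the host is mitigated, unpatched at the microcode level, or has SSBD available but unused; the kernel status strings and the `ssbd`/`amd_ssbd`/`virt_ssbd` flag names are those used by Linux 4.17 and later, and the sample inputs are constructed.

```python
from __future__ import annotations
from pathlib import Path

# Linux >= 4.17 reports the SSB (Variant 4) state here; absent on older kernels.
SYSFS_SSB = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO = Path("/proc/cpuinfo")
# CPUID bits the kernel lists once updated microcode/firmware advertises SSBD.
SSBD_FLAGS = {"ssbd", "amd_ssbd", "virt_ssbd"}


def parse_flags(cpuinfo_text: str) -> set[str]:
    """Return the feature flags of the first CPU listed in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def classify(status: str, cpu_flags: set[str]) -> str:
    """Combine the kernel's SSB status line with the CPUID flags into a verdict."""
    s = status.strip()
    has_ssbd = bool(cpu_flags & SSBD_FLAGS)
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):       # e.g. "...disabled via prctl and seccomp"
        return "mitigated"
    if s == "Vulnerable" and not has_ssbd:
        return "vulnerable_no_microcode"  # OS update present, microcode/firmware is not
    if s == "Vulnerable":
        return "vulnerable_ssbd_unused"   # hardware offers SSBD, kernel is not using it
    return "unknown"


def check_host() -> str:
    """Classify the machine this runs on; 'unknown' if the kernel predates the entry."""
    if not SYSFS_SSB.exists() or not CPUINFO.exists():
        return "unknown"
    return classify(SYSFS_SSB.read_text(), parse_flags(CPUINFO.read_text()))


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse2 ssbd ibrs ibpb stibp\n"
)
SAMPLE_STATUS = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_STATUS, parse_flags(SAMPLE_CPUINFO)))
    print("this host:", check_host())
```

A "vulnerable_no_microcode" verdict is the case the text describes: the software update is installed but has nothing to enable until the firmware/microcode update arrives.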
Speculative execution exploit variants
Vulnerability | CVE | Exploit name | Public vulnerability name | CVSS v2.0 | CVSS v3.0 |
---|---|---|---|---|---|
Spectre | 2017-5753 | Variant 1 | Bounds Check Bypass (BCB) | 4.7 | 5.6 |
Spectre | 2017-5715 | Variant 2 | Branch Target Injection (BTI) | 4.7 | 5.6 |
Meltdown | 2017-5754 | Variant 3 | Rogue Data Cache Load (RDCL) | 4.7 | 5.6 |
Spectre-NG | 2018-3640 | Variant 3a | Rogue System Register Read (RSRR[18]) | 4.7 | 5.6 |
Spectre-NG | 2018-3639 | Variant 4 | Speculative Store Bypass (SSB) | 4.9 | 5.5 |
Spectre-NG | 2018-3665 | | Lazy FP State Restore | 4.7 | 5.6 |
Spectre-NG | 2018-3693 | | Bounds Check Bypass Store (BCBS) | 4.7 | 5.6 |
Foreshadow | 2018-3615 | Variant 5 | L1 Terminal Fault (L1TF) | 5.4 | 6.4 |
Foreshadow-NG | 2018-3620 | | | 4.7 | 5.6 |
Foreshadow-NG | 2018-3646 | | | 4.7 | 5.6 |
References
1. Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
2. Ubuntu Community (2018-05-21). "Variant4". Archived from the original on 2018-05-22. Retrieved 2018-05-21.
3. Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
4. Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
5. ZDNet. Archived from the original on 2018-05-22. Retrieved 2018-03-04.
6. Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.
7. "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
8. Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
9. Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
10. Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
11. "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.
12. "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.
13. RedHat. 2018-05-21. Resolve tab. Archived from the original on 2018-05-22. Retrieved 2018-05-22.
14. Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
15. "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
16. Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.
17. "NVD - Cve-2017-5753".
18. Sometimes misspelled "RSRE".
See also
- Transient execution CPU vulnerabilities