Meltdown and Spectre – current overview

The out-of-order execution features of processors, together with speculated execution and lacking permission checking recently lead to new two major classes of side channel attacks that could leak privileged information.

The core issue is that some side effects of out-of-order execution are not being rolled back fully when the respective instructions flow is not executed, leaving some lingering effects, like cache presence of fetched data.

The last year saw various attacks and mitigations being published for these effects, but so far they lacked classification and an overview of those attacks.

Security researchers have how published a paper that clarifies and classifies these attack classes better, finding some new (sub-)flavors to them on the way. Intel has also published a reply on the new research findings.

This blog explains the new classification in a high-level way and also shows SUSE’s current status on it.

Overview

Codename	New Codename	CVE	TID	Blog
Meltdown	Meltdown-US	CVE-2017-5754	TID 7022512	Meltdown and Spectre Blog
Spectre v3a	Meltdown-GP	CVE-2018-3640	TID 7022950	No blog entry
L1 Terminal Fault / Foreshadow	Meltdown-P	CVE-2018-3620 and CVE-2018-3646	TID 7023077	L1TF Blog
Lazy FP Save/Restore	Meltdown-NM	CVE-2018-3665	TID 7023076	No blog entry
Bounds Check Bypass Store Spectre Variant 1.2	Meltdown-RW	CVE-2018-3693	TID 7023075	No blog entry
Meltdown-BR	Meltdown-BR	CVE-2017-5754	TID 7022512	Covered by Meltdown and Spectre Blog, also see below
Meltdown-PK	Meltdown-PK	No CVE assigned	No TID	See below
Spectre Variant 1	Spectre-PHT	CVE-2017-5753	TID 7022512	Meltdown and Spectre Blog
Bounds Check Bypass Storage, Spectre Variant 1.1	Spectre-PHT	CVE-2018-3693	TID 7023075	No blog entry
Spectre Variant 2	Spectre-BTB	CVE-2017-5715	TID 7022512	Meltdown and Spectre Blog
Spectre Variant 4	Spectre-STL	CVE-2018-3639	TID 7022937	Spectre Variant 4 Blog
Ret2Spec / spectreRSB	Spectre-RSB	CVE-2018-15572	No TID posted	No blog posted

Meltdown

With Meltdown, out-of-order execution was bypassing otherwise faulting instructions, making it possible to get information from memory, FPU state or registers contents, which would have otherwise not been readable.

The Meltdown class has the following flavors so far:

Meltdown-US also known as the original “Meltdown” (CVE-2017-5754)

The super-user level flag in page tables was not checked during out-of-order execution, so content with higher privileges could be learned by local attackers.

The mitigation for processors affected by this are splitting the memory map between userspace and kernel space using KAISER or KPTI, implemented in the kernel and in affected hypervisor modes.

The next CPU generations from Intel will not be affected by this attack.

SUSE has released fixed packages for all affected products at the beginning of 2018.

Meltdown-NM also known as “Lazy FP save/restore” (CVE-2018-3665)

Up to now the processors FPU state was saved and restored on demand using a special trick where using the FPU in the new process would cause a fault and then trigger the save / restore logic. This was done to reduce the overhead of a task switch.

So while the new process was still running with the old process FPU state in the registers, on the first FPU usage the kernel would replace the state with this process actual state.

However out-of-order execution could use the old state to have lingering micro architectural side effects, and a process could get FPU information from other processes.

This was fully mitigated by switching to direct save and restore of the FPU state on task switching in the Linux kernel and Hypervisors.

Meltdown-GP also known as “Spectre v3a” (CVE-2018-3640)

Attacking privileged processor registers like CRx, while called “Spectre” the attack is considered of Meltdown class, as the register
access would case a fault while its contents are already used out-of-oder even before the fault.

This issue is fully mitigated using updated CPU Microcode.

Meltdown-P also known as “L1TF” or “Foreshadow” (CVE-2018-3620 and CVE-2018-3646)

Attacking faults of pages without Present bit. This vulnerability could leave to even reading memory outside of an attacking process, getting access to all physical memory.

This was mitigated at OS level by adjusting page table usage in bare-metal kernels, and with enforced L1 datacache flushing and multithreading adjustments in hypervisors.

Meltdown-BR

A Meltdown attack using the bounds checking exception on 32bit x86. This flavor was newly identified by the researchers.

This is already mitigated by the KAISER/KPTI patches done for Meltdown-US.

Meltdown-PK

A Meltdown style attack where memory protected by Intel Protection Keys could be read even if protected. This is also a new flavor identified by researchers.

SUSE does not use Protection Keys at this time, only programs using it would need to take care of speculative fencing before use of such memory in their application.

Meltdown-RW also known as “Spectre Variant 1.2”

This is in same out-of-order address access of otherwise read or write protected pages, where even content of read or write protected pages could be leaked.

This is largely relevant only for sandboxed code that can read memory outside of its in-process sandbox, like javascript sandboxes in web-browsers.

Future Mitigations

Meltdown style issues can and will be addressed in future CPU generations which should start shipping now or in the near future. Our software mitigations will detect new CPUs no longer affected by it and disable the mitigations in those cases.

Spectre

The Spectre class describes a side-channel attack, where the speculative out-of-order execution of conditional branches, indirect jumps or returns
could take paths that would later be rolled back, but where lingering effects from the execution could still be detected by attackers.

The researchers classified these using the different mistraining strategies of the processors speculative execution engine.

Spectre-PHT also known as “Spectre Variant 1” (CVE-2017-5753) and “Spectre Variant 1.1” (part of CVE-2018-3693)

The out-of-order execution follows conditional branches which might otherwise not be taken, like an out-of-range buffer access after an index size check. The speculative out-of-order execution would read or write over these buffer size boundaries, leaving lingering side-effects when it finally would be rolled back.

This currently needs to be mitigated using methods like “fencing”, where the speculative execution is stopped at the fence, before
operations that could leak data, or using index masking which cannot be speculatively executed over.

The Linux kernel has implemented index masking and fencing for its userspace interfaces. SUSE has released updates for these issues.

Spectre-BTB also known as “Spectre Variant 2” (CVE-2017-5715)

This issue describes mistraining the branch prediction logic so it would speculatively execute code it would otherwise never reached. This again would leave lingering side effects for data disclosure.

We have adjusted our kernel to use “retpolines” instead of indirect jumps, and also facilitate CPU microcode help for branch predictor flushing when switching between processes and VMs.

Spectre-RSB also known as “SpectreRSB” and “ret2spec” (CVE-2018-15572)

In this issue instead of the branch predictor the return stack buffer (RSB) would be used for mistraining the speculative execution.

As a fix we are overwriting the return-stack-buffer on privilege transitions between kernel, userspace and VMs.

Spectre-STL also known as “Spectre v4”

In this issue the speculation is using content of the “Store Buffer” which caches written memory contents for easier access. Speculation could bypass this buffer and access old values from memory.

This was solved by allowing to disable this store buffer speculative bypass, using a new microcode feature on Intel CPUs.

Mitigations

Only some Spectre style issues will be mitigated in newer CPU generations, for the rest changed programming style will be needed. These include the one listed above like speculative fencing, array index masking and/or flushing of prediction buffers on privilege transitions.