Spectre (security vulnerability)

Spectre
Logo created for the vulnerability, featuring a ghost with a branch.

CVE identifier(s): CVE-2017-5753 (Spectre-V1), CVE-2017-5715 (Spectre-V2)
Date discovered: January 2018
Affected hardware: All pre-2019 microprocessors that use branch prediction
Website: meltdownattack.com

Spectre is a vulnerability that affects modern microprocessors that perform branch prediction.[1][2][3]
On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.[4][5][6]


Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.[7] JIT engines used for JavaScript were found to be vulnerable. A website can read data stored in the browser for another website, or the browser's memory itself.[8]


On March 15, 2018, Intel reported that it would redesign its CPUs (performance losses to be determined) to help protect against the Spectre and related Meltdown vulnerabilities (specifically Spectre variant 2 and Meltdown, but not Spectre variant 1), and expected to release the redesigned processors later in 2018.[9][10][11][12] On October 8, 2018, Intel was reported to have added hardware and firmware mitigations for the Spectre and Meltdown vulnerabilities to its latest processors.[13] On October 18, 2018, MIT researchers suggested a new mitigation approach, called DAWG (Dynamically Allocated Way Guard), which may offer better security without compromising performance.[14]




History


In 2002 and 2003, Yukiyasu Tsunoo and colleagues from NEC showed how to attack the MISTY and DES symmetric key ciphers, respectively. In 2005, Daniel Bernstein from the University of Illinois reported the extraction of an OpenSSL AES key via a cache timing attack, and Colin Percival had a working attack on the OpenSSL RSA key using the Intel processor's cache. In 2013, Yuval Yarom and Katrina Falkner from the University of Adelaide showed how measuring the access time to data lets a malicious application determine whether the information was read from the cache or not. If it was read from the cache, the access time was very short, and the data read could contain the private key of an encryption algorithm.


This technique was used to successfully attack GnuPG, AES and other cryptographic implementations.[15][16][17][18][19][20] In January 2017, Anders Fogh gave a presentation at the Ruhruniversität Bochum about automatically finding covert channels, especially on processors with a pipeline shared by more than one processor core.[21]


Spectre proper was discovered independently by Jann Horn from Google's Project Zero and by Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom. Microsoft Vulnerability Research extended it to browsers' JavaScript JIT engines.[4][22] It was made public in conjunction with another vulnerability, Meltdown, on January 3, 2018, after the affected hardware vendors had already been made aware of the issue on June 1, 2017.[23] The vulnerability was called Spectre because it was "based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time."[24]


On January 28, 2018, it was reported that Intel shared news of the Meltdown and Spectre security vulnerabilities with Chinese technology companies, before notifying the U.S. government of the flaws.[25]


On January 29, 2018, Microsoft was reported to have released a Windows update that disabled the problematic Intel Microcode fix—which had, in some cases, caused reboots, system instability, and data loss/corruption—issued earlier by Intel for the Spectre Variant 2 attack.[26][27] Concerns about installing the new Microsoft patch have been reported.[28]


On May 3, 2018, eight additional Spectre-class flaws, provisionally named Spectre-NG, were reported to affect Intel and possibly AMD and ARM processors. Intel reported that it was preparing new patches to mitigate these flaws.[29][30][31][32] Affected are all Core-i processors and Xeon derivatives since Nehalem (2010) and Atom-based processors since 2013.[33] Intel postponed the release of its microcode updates to July 10, 2018.[34][33]



On May 21, 2018, Intel published information on the first two Spectre-NG class side-channel vulnerabilities CVE-2018-3640 (Rogue System Register Read, Variant 3a) and CVE-2018-3639 (Speculative Store Bypass, Variant 4),[35][36] also referred to as Intel SA-00115 and HP PSR-2018-0074, respectively.


According to Amazon Deutschland, Cyberus Technology, SYSGO, and Colin Percival (FreeBSD), Intel revealed details of the third Spectre-NG variant, CVE-2018-3665 (Lazy FP State Restore, Intel SA-00145), on June 13, 2018.[37][38][39][40] It is also known as Lazy FPU state leak (abbreviated "LazyFP") and "Spectre-NG 3".[39]


On July 10, 2018, Intel revealed details of another Spectre-NG class vulnerability called "Bounds Check Bypass Store" (BCBS), also known as "Spectre 1.1" (CVE-2018-3693), which is able to write as well as read out of bounds.[41][42][43][44] Another variant, named "Spectre 1.2", was mentioned as well.[44]


In late July 2018, researchers at the universities of Saarland and California revealed ret2spec (aka "Spectre v5") and SpectreRSB, new types of code execution vulnerabilities using the Return Stack Buffer (RSB).[45][46][47]


At the end of July 2018, researchers at the University of Graz revealed "NetSpectre", a new type of remote attack similar to Spectre V1, but which does not need attacker-controlled code to be run on the target device at all.[48][49]


On October 8, 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.[13]


In November 2018, five new variants of the attacks were revealed. Researchers attempted to compromise CPU protection mechanisms using code to exploit the CPU pattern history table, branch target buffer, return stack buffer, and branch history table.[50]



Detailed explanation


Spectre is a vulnerability that tricks a program into accessing arbitrary locations in the program's memory space. An attacker may read the content of accessed memory, and thus potentially obtain sensitive data.


Instead of a single easy-to-fix vulnerability, the Spectre white paper[1] describes a whole class[51] of potential vulnerabilities. They are all based on exploiting side effects of speculative execution, a common means of hiding memory latency and so speeding up execution in modern microprocessors. In particular, Spectre centers on branch prediction,[52] which is a special case of speculative execution. Unlike the related Meltdown vulnerability disclosed at the same time, Spectre does not rely on a specific feature of a single processor's memory management and protection system, but is a more generalized idea.


The starting point of the white paper is a side-channel timing attack[53] applied to the branch prediction machinery of modern out-of-order microprocessors. At the architectural level documented in processor data books, any results of a misprediction are specified to be annulled after the fact; the speculative execution may nevertheless leave side effects behind, such as loaded cache lines, which later affect the so-called non-functional aspects of the computing environment. If such side effects, including but not limited to memory access timing, are visible to a malicious program and can be engineered to depend on sensitive data held by the victim process, then those sensitive data can become discernible. This happens even though the formal architecture-level security arrangements work as designed: lower-level, microarchitectural optimizations to code execution can leak information that is not essential to the correctness of normal program execution.


The Spectre paper displays the attack in four essential steps:


  1. First, it shows that branch prediction logic in modern processors can be trained to reliably hit or miss based on the internal workings of a malicious program.

  2. It then goes on to show that the subsequent difference between cache hits and misses can be reliably timed, so that what should have been a simple non-functional difference can in fact be subverted into a covert channel which extracts information from an unrelated process's inner workings.

  3. Thirdly, the paper synthesizes these results with return-oriented programming exploits and other principles in a simple example program and a JavaScript snippet run under a sandboxing browser; in both cases, the entire address space of the victim process (i.e. the contents of a running program) is shown to be readable simply by exploiting speculative execution of conditional branches in code generated by a stock compiler or by the JavaScript machinery of an existing browser. The basic idea is to search existing code for places where speculation touches otherwise inaccessible data, manipulate the processor into a state where speculative execution has to touch that data, and then time the side effect: the processor is faster if its prefetch machinery did in fact load the cache line.

  4. Finally, the paper concludes by generalizing the attack to any non-functional state of the victim process. It briefly discusses even such highly non-obvious non-functional effects as bus arbitration latency.
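The bounds-check gadget described in steps 1 to 3, beside the branchless index-masking defence that "recompile with a new compiler" mitigations apply to variant 1, as an added example that is not code from the Spectre paper or from any vendor. The names array1, array2, STRIDE and the helper functions are constructed for this illustration; the mask is the same idea as the Linux kernel's array_index_nospec() helper, and the branch-training, cache-flush and timing machinery of an actual attack is deliberately left out.

```c
/* Spectre-V1 gadget shape beside a branchless index-masking defence.
 * Added example: not code from the Spectre paper or from any vendor.
 * array1, array2, STRIDE and the helper names are constructed here; the
 * mask trick is the same idea as the Linux kernel's array_index_nospec().
 * Deliberately omitted: the branch-training, cache-flush and timing code
 * that an attack needs. The point is what the defence changes. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16u
#define STRIDE      512u   /* one cache line or more apart, as in the paper */

/* Constructed sample data: a small public table... */
static const uint8_t array1[ARRAY1_SIZE] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 };

/* ...and a larger table whose cache footprint depends on the byte read from
 * array1. Filled by prepare() so that lookups return a checkable value. */
static uint8_t array2[256 * STRIDE];
static int prepared;

/* Fill array2 so that array2[v * STRIDE] == v ^ 0xA5; returns bytes filled. */
size_t prepare(void) {
    if (!prepared) {
        for (size_t i = 0; i < sizeof array2; i++)
            array2[i] = (uint8_t)((i / STRIDE) ^ 0xA5);
        prepared = 1;
    }
    return sizeof array2;
}

/* Vulnerable shape (step 3 in the paper's description). The bounds check is
 * architecturally correct. But once the predictor has been trained to expect
 * "in range", a call with x >= ARRAY1_SIZE still executes both loads
 * speculatively: array1[x] reads a byte past the end of the table, and the
 * dependent array2 load pulls in a cache line chosen by that byte. The result
 * is squashed, the cache state is not, and that is the side channel. */
uint8_t lookup_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE) {
        return array2[array1[x] * STRIDE];   /* speculative OOB read here */
    }
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. Because it is
 * arithmetic rather than a branch, it is honoured on a mispredicted path too.
 * Relies on arithmetic right shift of a negative value, which every mainstream
 * compiler provides (the kernel helper makes the same assumption). */
static inline size_t index_mask_nospec(size_t index, size_t size) {
    return (size_t)(~(intptr_t)(index | (size - 1 - index))
                    >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Clamp the index to 0 whenever it is out of range, so even a speculative
 * execution of the dependent loads can only ever touch array1[0]. */
size_t masked_index(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened shape: architecturally identical to lookup_vulnerable() for every
 * in-range x, but with no speculatively out-of-bounds load. An x86 lfence
 * right after the if would be the alternative, heavier barrier. */
uint8_t lookup_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = masked_index(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

int main(void) {
    prepare();
    printf("in range x=3    : vulnerable %u, hardened %u\n",
           lookup_vulnerable(3), lookup_hardened(3));
    printf("mask(3,16)      = %#zx\n", index_mask_nospec(3, ARRAY1_SIZE));
    printf("mask(16,16)     = %#zx\n", index_mask_nospec(16, ARRAY1_SIZE));
    printf("masked(1e6,16)  = %zu\n", masked_index(1000000, ARRAY1_SIZE));
    return 0;
}
```

Both lookups agree for every in-range index; the difference is only visible on the speculative path, where the hardened version cannot read past array1.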

The basic difference between Spectre and Meltdown is that Spectre can be used to manipulate a process into revealing its own data. On the other hand, Meltdown can be used to read privileged memory in a process's address space which even the process itself would normally be unable to access (on some unprotected OSes this includes data belonging to the kernel or other processes).


The Meltdown paper distinguishes the two vulnerabilities thus: "Meltdown is distinct from the Spectre Attacks in several ways, notably that Spectre requires tailoring to the victim process's software environment, but applies more broadly to CPUs and is not mitigated by KAISER."[54]



Remote exploitation


While Spectre is simpler to exploit with a compiled language such as C or C++ by locally executing machine code, it can also be exploited remotely by code hosted on malicious web pages, for example in an interpreted language such as JavaScript that runs locally in a web browser. The scripted malware would then have access to all the memory mapped into the address space of the running browser.[55]


The exploit using remote JavaScript follows a flow similar to that of a local machine code exploit: flush cache → mistrain branch predictor → timed reads (tracking hit / miss).


The unavailability of the clflush instruction (cache-line flush) in JavaScript requires an alternative approach. There are several automatic cache eviction policies the CPU may choose from, and the exploit relies on being able to force eviction. It was found that using a second index on the large array, kept several iterations behind the first index, caused the least recently used (LRU) policy to be applied. This allows the exploit to effectively clear the cache just by doing incremental reads over a large dataset.


The branch predictor is then mistrained by iterating over a very large dataset, using bitwise operations to keep the index in range, and then using an out-of-bounds address for the final iteration.


A high-precision timer is then required to determine whether a set of reads led to a cache hit or a cache miss. While browsers such as Chrome, Firefox, and Tor (based on Firefox) have placed restrictions on the resolution of timers (which a Spectre exploit needs to distinguish cache hits from misses), at the time the white paper was written its authors were able to build a high-precision timer using the web worker feature of HTML5.


Careful coding and analysis of the machine code emitted by the just-in-time (JIT) compiler was required to ensure that the cache-clearing and exploitative reads were not optimized out.



Impact


As of 2018, almost every computer system is affected by Spectre, including desktops, laptops, and mobile devices. Specifically, Spectre has been shown to work on Intel, AMD, ARM-based, and IBM processors.[56][57][58] Intel responded to the reported security vulnerabilities with an official statement.[59] AMD originally acknowledged vulnerability to one of the Spectre variants (GPZ variant 1), but stated that vulnerability to another (GPZ variant 2) had not been demonstrated on AMD processors, claiming it posed a "near zero risk of exploitation" due to differences in AMD architecture. In an update nine days later, AMD said that "GPZ Variant 2…is applicable to AMD processors" and defined upcoming steps to mitigate the threat. Several sources took AMD's news of the vulnerability to GPZ variant 2 as a change from AMD's prior claim, though AMD maintained that their position had not changed.[60][61][62]


Researchers have indicated that the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors.[63][64][65][66] Specifically, processors with speculative execution are affected with these vulnerabilities.[67]


ARM has reported that the majority of their processors are not vulnerable, and published a list of the specific processors that are affected by the Spectre vulnerability: Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73 and ARM Cortex-A75 cores.[68] Other manufacturers' custom CPU cores implementing the ARM instruction set, such as those found in newer members of the Apple A series processors, have also been reported to be vulnerable.[69]


Spectre has the potential of having a greater impact on cloud providers than Meltdown. Whereas Meltdown allows unauthorized applications to read from privileged memory to obtain sensitive data from processes running on the same cloud server, Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it.[70]



Mitigation


Since Spectre represents a whole class of attacks, most likely, there cannot be a single patch for it.[3] While work is already being done to address special cases of the vulnerability, the original website devoted to Spectre and Meltdown states: "As [Spectre] is not easy to fix, it will haunt us for a long time."[4] At the same time, according to Dell: "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [February 7, 2018], though researchers have produced proof-of-concepts."[71][72]


Several procedures to help protect home computers and related devices from the vulnerability have been published.[73][74][75][76] Spectre patches have been reported to significantly slow down performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured.[77][5][78][79] On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported.


It has been suggested[80] that the cost of mitigation can be alleviated by processors which feature selective translation lookaside buffer (TLB) flushing, a feature which is called process-context identifier (PCID) under Intel 64 architecture, and under Alpha, an address space number (ASN). This is because selective flushing enables the TLB behavior crucial to the exploit to be isolated across processes, without constantly flushing the entire TLB – the primary reason for the cost of mitigation.[citation needed]


In March 2018, Intel announced that they had developed hardware fixes for Meltdown and Spectre-V2 only, but not Spectre-V1.[9][10][11] The vulnerabilities were mitigated by a new partitioning system that improves process and privilege-level separation.[12]


On October 8, 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its Coffee Lake-R processors and onwards.[13]


On March 2, 2019, Microsoft is reported to have released an important Windows 10 (v1809) software mitigation to the Spectre v2 CPU vulnerability.[81]


Summary of mitigations on Microsoft Windows

Vulnerability | CVE       | Exploit name | Public vulnerability name             | Windows changes                                                                      | Firmware changes | Source
Spectre       | 2017-5753 | Variant 1    | Bounds Check Bypass (BCB)             | Recompiling with a new compiler; hardened browser to prevent exploit from JavaScript | No               | [7]
Spectre       | 2017-5715 | Variant 2    | Branch Target Injection (BTI)         | New CPU instructions eliminating branch speculation                                  | Yes              | [7]
Meltdown      | 2017-5754 | Variant 3    | Rogue Data Cache Load (RDCL)          | Isolate kernel and user mode page tables                                             | No               | [7]
Spectre-NG    | 2018-3640 | Variant 3a   | Rogue System Register Read (RSRR)[82] |                                                                                      | Yes              | [83][35]
Spectre-NG    | 2018-3639 | Variant 4    | Speculative Store Bypass (SSB)        |                                                                                      | Yes              | [83][35]
Spectre-NG    | 2018-3665 |              | Lazy FP State Restore                 |                                                                                      |                  | [39][40]
Spectre-NG    | 2018-3693 | Variant 1.1  | Bounds Check Bypass Store (BCBS)      |                                                                                      |                  |
Spectre       |           | Variant 1.2  | Read-only protection bypass (RPB)     |                                                                                      |                  |
SpectreRSB    |           |              | Return Mispredict                     |                                                                                      |                  |


Particular software


Several procedures to help protect home computers and related devices from the vulnerability have been published.[73][74][75][76]


Initial mitigation efforts were not entirely without incident. At first, Spectre patches were reported to significantly slow down performance, especially on older computers. On the newer eighth generation Core platforms, benchmark performance drops of 2–14 percent were measured.[77] On January 18, 2018, unwanted reboots were reported even for newer Intel chips.[84]


Since exploitation of Spectre through JavaScript embedded in websites is possible,[1] it was planned to include mitigations against the attack by default in Chrome 64. Chrome 63 users could manually mitigate the attack by enabling the Site Isolation feature (chrome://flags#enable-site-per-process).[85]


As of Firefox 57.0.4, Mozilla was reducing the resolution of JavaScript timers to help prevent timing attacks, with additional work on time-fuzzing techniques planned for future releases.[22][86]



General approaches


On January 4, 2018, Google detailed a new technique on its security blog called "Retpoline" (return trampoline)[87] which can overcome the Spectre vulnerability with a negligible amount of processor overhead. It involves compiler-level steering of indirect branches towards a different target that does not result in vulnerable speculative out-of-order execution taking place.[88][89] While it was developed for the x86 instruction set, Google engineers believe the technique is transferable to other processors as well.[90]
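The return-trampoline sequence for an indirect jump through %r11, written out here in x86-64 AT&T syntax as an added illustration (not copied from the Google post or from any compiler's output); the label names are chosen for this example.

```asm
    call  set_up_target        # pushes the address of capture_spec, then jumps
capture_spec:
    pause                      # any speculative "return" predicted from the RSB lands here...
    lfence                     # ...and spins harmlessly until the real ret resolves
    jmp   capture_spec
set_up_target:
    mov   %r11, (%rsp)         # overwrite the pushed return address with the real target
    ret                        # architecturally: jump to the address held in %r11
```

Because the return stack buffer predicts that the ret goes back to capture_spec, speculation is trapped in the loop instead of following a poisoned branch-target-buffer entry; the architectural result is still a jump to the address in %r11.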


On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.[91]


On October 18, 2018, MIT researchers suggested a new mitigation approach, called DAWG (Dynamically Allocated Way Guard), which may promise better security without compromising performance.[14]



Controversy


When Intel announced that Spectre mitigation could be switched on as a "security feature" instead of being treated as a bug fix, Linux creator Linus Torvalds called the patches "complete and utter garbage".[92] Ingo Molnár then suggested the use of the function tracing machinery in the Linux kernel to fix Spectre without Indirect Branch Restricted Speculation (IBRS) microcode support. This would, as a result, only have a performance impact on processors based on the Intel Skylake and newer architectures.[84][93][94][95]



Persistent threat without a possibility of mitigation in software


In February 2019, it was reported that there are variants of Spectre threat that cannot be effectively mitigated in software at all.[96][97]


It is also possible that the lack of a patch and other operational issues for Atom CPUs led Microsoft to discontinue Windows 10 support for them, but this is unconfirmed at the current time.[98] The Atom CPUs used in the D270 and 1001PXD are known to be vulnerable, but as these are now old machines using the VT-64x and N455 CPUs, it is less likely to be a problem. Third-party patching of the BIOS on these machines is feasible, but a major problem is that the fix would require parsing the existing microcode updates, which is beyond the abilities of most end users.



Immune hardware


  • ARM:[99]

    • A76 (2019)

    • A53

    • A55

    • A32

    • A7

    • A5


  • Intel Ice Lake (2019)

  • AMD Zen 2 (2019)


See also


  • Foreshadow (security vulnerability)


References




  1. ^ abc Kocher, Paul; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2018). "Spectre Attacks: Exploiting Speculative Execution" (PDF). Archived (PDF) from the original on 2018-01-03.


  2. ^ Greenberg, Andy (2018-01-03). "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Archived from the original on 2018-01-03. Retrieved 2018-01-03.


  3. ^ ab Bright, Peter (2018-01-05). "Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-01-06.


  4. ^ abc Staff (2018). "Meltdown and Spectre". Graz University of Technology. Archived from the original on 2018-01-03. Retrieved 2018-01-03.


  5. ^ ab Metz, Cade; Perlroth, Nicole (2018-01-03). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Archived from the original on 2018-01-03. Retrieved 2018-01-03.


  6. ^ Warren, Tom (2018-01-03). "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Archived from the original on 2018-01-03. Retrieved 2018-01-03.


  7. ^ abcd Myerson, Terry (2018-01-09). "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems". Microsoft. Archived from the original on 2018-05-25.


  8. ^ Williams, Chris (2018-01-04). "Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs". The Register. Archived from the original on 2018-05-27.


  9. ^ ab Warren, Tom (2018-03-15). "Intel processors are being redesigned to protect against Spectre – New hardware coming later this year". The Verge. Archived from the original on 2018-04-21. Retrieved 2018-03-15.


  10. ^ ab Shankland, Stephen (2018-03-15). "Intel will block Spectre attacks with new chips this year – Cascade Lake processors for servers, coming this year, will fight back against a new class of vulnerabilities, says CEO Brian Krzanich". CNET. Archived from the original on 2018-04-23. Retrieved 2018-03-15.


  11. ^ ab Coldewey, Devin (2018-03-15). "Intel announces hardware fixes for Spectre and Meltdown on upcoming chips". TechCrunch. Archived from the original on 2018-04-12. Retrieved 2018-03-28.


  12. ^ ab Smith, Ryan (2018-03-15). "Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year". AnandTech. Archived from the original on 2018-05-04. Retrieved 2018-03-20.


  13. ^ abc Shilov, Anton (2018-10-08). "Intel's New Core and Xeon W-3175X Processors: Spectre and Meltdown Security Update". AnandTech. Retrieved 2018-10-09.


  14. ^ ab Fingas, Jon (October 18, 2018). "MIT finds a smarter way to fight Spectre-style CPU attacks – DAWG offers more security without a steep performance hit". Engadget. Retrieved October 18, 2018.


  15. ^ Tsunoo, Yukiyasu; Tsujihara, Etsuko; Minematsu, Kazuhiko; Miyauchi, Hiroshi (January 2002), "Cryptanalysis of Block Ciphers Implemented on Computers with Cache", ISITA 2002


  16. ^ Tsunoo, Yukiyasu; Saito, Teruo; Suzaki, Tomoyasu; Shigeri, Maki; Miyauchi, Hiroshi (2003-09-10) [2003-09-10], "Cryptanalysis of DES Implemented on Computers with Cache", Cryptographic Hardware and Embedded Systems, CHES 2003, 5th International Workshop, Cologne, Germany


  17. ^ Bernstein, Daniel J. (2005-04-14), Cache-timing attacks on AES (PDF), archived (PDF) from the original on 2018-01-17, retrieved 2018-05-26


  18. ^ Percival, Colin (May 2005), "Cache missing for fun and profit" (PDF), BSDCan '05 (Conference presentation slides), archived (PDF) from the original on 2017-10-12, retrieved 2018-05-26
    Superseded by: Cache missing for fun and profit (PDF), October 2005, archived (PDF) from the original on 2018-05-19, retrieved 2018-05-26



  19. ^ Yarom, Yuval; Falkner, Katrina (2014-08-24) [2014-08-24], "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack", 23rd USENIX Symposium, San Diego, USA: The University of Adelaide, archived from the original on 2018-03-05, retrieved 2018-05-26


  20. ^ Yarom, Yuval; Genkin, Daniel; Heninger, Nadia (2016-09-21), "CacheBleed: A Timing Attack on OpenSSL Constant Time RSA", CHES 2016 (Yuval Yarom referring to the history.)


  21. ^ Fogh, Anders (2017-01-12), "Covert shotgun: Automatically finding covert channels in SMT", HackPra channel from the Chair of Network and Data Security, Ruhruniversität Bochum, Germany
    (Fogh describing a side channel using old-fashioned listening to a safe while turning its wheel.)



  22. ^ ab "Mozilla Foundation Security Advisory 2018-01 – Speculative execution side-channel attack ("Spectre")". Mozilla. Archived from the original on 2018-05-16. Retrieved 2018-05-26.


  23. ^ Gibbs, Samuel (2018-01-04). "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers". The Guardian. Archived from the original on 2018-01-06. Retrieved 2018-01-06.


  24. ^ "Meltdown and Spectre". spectreattack.com.


  25. ^ Lynley, Matthew (2018-01-28). "Intel reportedly notified Chinese companies of chip security flaw before the U.S. government". TechCrunch. Retrieved 2018-01-28.


  26. ^ Tung, Liam (2018-01-29). "Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix – The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots". ZDNet. Retrieved 2018-01-29.


  27. ^ Staff (2018-01-26). "Update to Disable Mitigation against Spectre, Variant 2". Microsoft. Retrieved 2018-01-29.


  28. ^ Leonhard, Woody (2018-01-29). "Windows surprise patch KB 4078130: The hard way to disable Spectre 2 – Disabling the disruptive 'Spectre 2' bugs in Intel processors has always been quite straightforward, but on Friday night Microsoft released a download-only patch that also does the job. You probably don't want it". Computerworld. Retrieved 2018-01-29.


  29. ^ Schmidt, Jürgen (2018-05-03). "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-03.
    Schmidt, Jürgen (2018-05-03). "Exclusive: Spectre-NG – Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik. Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.



  30. ^ Fischer, Martin (2018-05-03). "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel". c't - magazin für computertechnik (in German). Heise online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.


  31. Tung, Liam (2018-05-04). "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". ZDNet. Archived from the original on 2018-05-22. Retrieved 2018-03-04.

  32. Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.

  33. Schmidt, Jürgen (2018-05-07). "Spectre-NG: Intel verschiebt die ersten Patches – koordinierte Veröffentlichung aufgeschoben" [Spectre-NG: Intel postpones the first patches – coordinated publication deferred]. Heise online (in German). Archived from the original on 2018-05-07. Retrieved 2018-05-07.

  34. Armasu, Lucian (2018-05-08). "Intel Postpones Patching 'Spectre NG' CPU Flaws". Tom's Hardware. Retrieved 2018-05-11.

  35. Windeck, Christof (2018-05-21). "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update" [CPU security holes Spectre-NG: updates are rolling out (update)]. Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.

  36. "Side-Channel Vulnerability Variants 3a and 4". US-CERT. 2018-05-21. Alert (TA18-141A). Archived from the original on 2018-05-21. Retrieved 2018-05-21.

  37. Vaughan-Nichols, Steven J. (2018-06-13). "Another day, another Intel CPU security hole: Lazy State – Intel has announced that there's yet another CPU security bug in its Core-based microprocessors". ZDNet. Retrieved 2018-06-14.

  38. Armasu, Lucian (2018-06-14). "Intel CPUs Affected By Yet Another Speculative Execution Flaw". Tom's Hardware. Retrieved 2018-06-14.

  39. Windeck, Christof (2018-06-14). "CPU-Bug Spectre-NG Nr. 3: Lazy FP State Restore" [CPU bug Spectre-NG no. 3: Lazy FP State Restore]. Heise Security (in German). Archived from the original on 2018-06-14. Retrieved 2018-06-14.

  40. Windeck, Christof (2018-06-14). "Spectre-NG: Harte Kritik von OpenBSD-Entwickler Theo de Raadt" [Spectre-NG: Harsh criticism from OpenBSD developer Theo de Raadt]. Heise Security (in German). Archived from the original on 2018-06-14. Retrieved 2018-06-14.

  41. "Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method". Intel. 2018-07-10 [2018-01-03]. INTEL-OSS-10002. Archived from the original on 2018-07-15. Retrieved 2018-07-15.

  42. "Analysis of Speculative Execution Side Channels" (PDF) (White Paper). Revision 4.0. Intel. July 2018. 336983-004. Retrieved 2018-07-15.

  43. Schmidt, Jürgen (2018-07-11). "Spectre-NG: Intel dokumentiert "spekulativen Buffer Overflow"" [Spectre-NG: Intel documents "speculative buffer overflow"]. Heise Security (in German). Archived from the original on 2018-07-15. Retrieved 2018-07-15.

  44. Kiriansky, Vladimir; Waldspurger, Carl (2018-07-10). "Speculative Buffer Overflows: Attacks and Defenses" (PDF). arXiv:1807.03757v1. Archived (PDF) from the original on 2018-07-15. Retrieved 2018-07-15.

  45. Maisuradze, Giorgi; Rossow, Christian (July 2018). "ret2spec: Speculative Execution Using Return Stack Buffers" (PDF) (preliminary version for ACM CCS 2018 ed.). Center for IT-Security, Privacy and Accountability (CISPA), University of Saarland. Archived (PDF) from the original on 2018-08-01. Retrieved 2018-08-01.

  46. Koruyeh, Esmaiel Mohammadian; Khasawneh, Khaled; Song, Chengyu; Abu-Ghazaleh, Nael (July 2018). "Spectre Returns! Speculation Attacks using the Return Stack Buffer" (PDF). Computer Science and Engineering Department, University of California, Riverside (UCR). Archived (PDF) from the original on 2018-08-01. Retrieved 2018-08-01.

  47. Windeck, Christof (2018-07-24). "CPU-Lücken ret2spec und SpectreRSB entdeckt" [CPU holes ret2spec and SpectreRSB discovered]. Heise Security (in German). Archived from the original on 2018-08-01. Retrieved 2018-08-01.

  48. Schwarz, Michael; Schwarzl, Martin; Lipp, Moritz; Gruss, Daniel (July 2018). "NetSpectre: Read Arbitrary Memory over Network" (PDF). Graz University of Technology. Archived (PDF) from the original on 2018-07-28. Retrieved 2018-07-28.

  49. Windeck, Christof (2018-07-27). "NetSpectre liest RAM via Netzwerk aus" [NetSpectre reads out RAM over the network]. Heise Security (in German). Archived from the original on 2018-07-28. Retrieved 2018-07-28.

  50. Cimpanu, Catalin (2018-11-14). "Researchers discover seven new Meltdown and Spectre attacks". ZDNet. Retrieved 2018-11-17.

  51. "Reading privileged memory with a side-channel". 2018. Archived from the original on 2018-01-04.

  52. Mittal, Sparsh (2018). "A Survey of Techniques for Dynamic Branch Prediction". CPE.

  53. "Mitigations landing for new class of timing attack". 2018. Archived from the original on 2018-01-04.

  54. "Meltdown" (PDF). 2018. Archived (PDF) from the original on 2018-01-04.

  55. "Spectre Attack Whitepaper" (PDF). Retrieved 2018-02-08.

  56. Staff (2018). "Meltdown and Spectre-faq-systems-spectre". Graz University of Technology. Archived from the original on 2018-01-03. Retrieved 2018-01-04.

  57. Busvine, Douglas; Nellis, Stephen (2018-01-03). "Security flaws put virtually all phones, computers at risk". Reuters. Thomson-Reuters. Archived from the original on 2018-01-03. Retrieved 2018-01-03.

  58. "Potential Impact on Processors in the POWER family". 2018.

  59. Staff (2018-01-03). "Intel Responds To Security Research Findings". Intel. Archived from the original on 2018-01-03. Retrieved 2018-01-04.

  60. "An Update on AMD Processor Security". Advanced Micro Devices. 2018. Archived from the original on 2018-01-04. Retrieved 2018-01-04.

  61. Novet, Jordan (2018-01-11). "AMD stock drops 3 percent after the company says its chips are affected by security flaw". CNBC. Retrieved 2018-04-07.

  62. "AMD Chips Vulnerable to Both Variants of Spectre Security Flaw". Fortune. Retrieved 2018-04-07.

  63. "Who's affected by computer chip security flaw". Archived from the original on 2018-01-04. Retrieved 2018-01-04.

  64. "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register. 2018-01-02.

  65. Staff (2018). "Meltdown and Spectre-faq-systems-spectre". Graz University of Technology. Retrieved 2018-01-04.

  66. Busvine, Douglas; Nellis, Stephen (2018-01-03). "Security flaws put virtually all phones, computers at risk". Reuters. Thomson-Reuters. Retrieved 2018-01-03.

  67. "Today's CPU vulnerability: what you need to know".

  68. "Arm Processor Security Update". ARM Developer. ARM Ltd. 2018-01-03. Retrieved 2018-01-05.

  69. "About speculative execution vulnerabilities in ARM-based and Intel CPUs". Apple Support. Retrieved 2018-07-17.

  70. Fox-Brewster, Thomas (2018-01-03). "Massive Intel Vulnerabilities Just Landed – And Every PC User On The Planet May Need To Update". Forbes. Forbes Media LLC. Archived from the original on 2018-01-03. Retrieved 2018-01-03.

  71. "Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products". Dell. 2018-02-07. Retrieved 2018-02-11.

  72. "Meltdown and Spectre Vulnerabilities". Dell. 2018-02-07. Retrieved 2018-02-11.

  73. Metz, Cade; Chen, Brian X. (2018-01-04). "What You Need to Do Because of Flaws in Computer Chips". The New York Times. Retrieved 2018-01-05.

  74. Pressman, Aaron (2018-01-05). "Why Your Web Browser May Be Most Vulnerable to Spectre and What to Do About It". Fortune. Retrieved 2018-01-05.

  75. Chacos, Brad (2018-01-04). "How to protect your PC from the major Meltdown and Spectre CPU flaws". PC World. Archived from the original on 2018-01-04. Retrieved 2018-01-04.

  76. Elliot, Matt (2018-01-04). "Security – How to protect your PC against the Intel chip flaw – Here are the steps to take to keep your Windows laptop or PC safe from Meltdown and Spectre". CNET. Archived from the original on 2018-01-04. Retrieved 2018-01-04.

  77. Hachman, Mark (2018-01-09). "Microsoft tests show Spectre patches drag down performance on older PCs". PC World. Retrieved 2018-01-09.

  78. "Computer chip scare: What you need to know". BBC News. 2018-01-04. Retrieved 2018-01-04.

  79. "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved 2018-01-04.

  80. "How Will the Meltdown and Spectre Flaws Affect My PC?". How-To Geek.

  81. Cimpanu, Catalin (2019-03-02). "Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users - KB4482887, released today, enables Google's Retpoline mitigation in the Windows 10 kernel (only for v1809 users)". ZDNet. Retrieved 2019-03-02.

  82. Sometimes misspelled as "RSRE".

  83. "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-06-25 [2018-05-21]. INTEL-SA-00115. Archived from the original on 2018-07-15. Retrieved 2018-07-15.

  84. Tung, Liam (2018-01-18). "Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch – Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs". ZDNet. Retrieved 2018-01-18.

  85. "Google's Mitigations Against CPU Speculative Execution Attack Methods". support.google.com. Archived from the original on 2018-01-03. Retrieved 2018-01-04.

  86. "Mitigations landing for new class of timing attack". Mozilla Security Blog. Archived from the original on 2018-01-04. Retrieved 2018-01-04.

  87. "Intel Analysis of Speculative Execution Side Channels" (PDF) (White Paper). Revision 1.0 (336983-001). Intel. January 2018: 5. Archived (PDF) from the original on 2018-05-01. Retrieved 2018-01-11. Quote: "second technique introduces the concept of a "return trampoline", also known as "retpoline"".

  88. "More details about mitigations for the CPU Speculative Execution issue". Archived from the original on 2018-01-05.

  89. "Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique". tech.slashdot.org.

  90. Turner, Paul. "Retpoline: a software construct for preventing branch-target-injection – Google Help". support.google.com. Archived from the original on 2018-01-05.

  91. Hachman, Mark (2018-01-25). "Intel's plan to fix Meltdown in silicon raises more questions than answers – But what silicon?!! Be sure and read the questions Wall Street should have asked". PC World. Retrieved 2018-01-26.

  92. Torvalds, Linus (2018-01-21). "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation". linux-kernel (Mailing list). Retrieved 2018-05-22 – via marc.info.

  93. "'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature – Patches slammed as 'complete and utter garbage' as Chipzilla U-turns on microcode". The Register. 2018-01-22.

  94. Molnar, Ingo (2018-01-23). "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation" (Molnar suggesting to use function tracing).

  95. "IBRS patch series". Intel. 2018-01-04.

  96. Mcilroy, Ross; Sevcik, Jaroslav; Tebbi, Tobias; Titzer, Ben L.; Verwaest, Toon (2019-02-14). "Spectre is here to stay: An analysis of side-channels and speculative execution". arXiv:1902.05178.

  97. "Chips may be inherently vulnerable to Spectre and Meltdown attacks". MIT Technology Review. 2019-02-25. Retrieved 2019-02-25.

  98. https://www.zdnet.com/article/microsoft-blocks-windows-10-creators-update-on-some-pcs/

  99. "Arm-Trusted-Firmware-Security-Advisory-TFV-6".


Further reading

  • Kocher, Paul; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2018). "Spectre Attacks: Exploiting Speculative Execution" (PDF). Archived (PDF) from the original on 2018-01-03.

  • "WRITEUP (59.9 KB) – Project Zero – Monorail". bugs.chromium.org.

  • Wang, Guanhua; Chattopadhyay, Sudipta; Gotovchits, Ivan; Mitra, Tulika; Roychoudhury, Abhik (2018-07-19). "007: Low-overhead Defense against Spectre Attacks via Binary Analysis" (PDF). arXiv:1807.05843v3. Archived (PDF) from the original on 2018-07-23. Retrieved 2018-07-23.


External links

  • Website detailing the Meltdown and Spectre vulnerabilities, hosted by Graz University of Technology

  • Google Project Zero write-up

  • Meltdown/Spectre Checker, Gibson Research Corporation

  • Spectre & Meltdown vulnerability/mitigation checker for Linux