Transient execution CPU vulnerability
Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.
Overview
Modern computers are highly parallel devices, composed of components with very different performance characteristics. If an operation (such as a branch) cannot yet be performed because some earlier slow operation (such as a memory read) has not yet completed, a microprocessor may attempt to predict the result of the earlier operation and execute the later operation speculatively, acting as if the prediction was correct. The prediction may be based on recent behavior of the system. When the earlier, slower operation completes, the microprocessor determines whether prediction was correct or incorrect. If it was correct then execution proceeds uninterrupted; if it was incorrect then the microprocessor rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation. Specifically, a transient instruction[1] refers to an instruction processed by error by the processor (incriminating the branch predictor in the case of Spectre) which can affect the micro-architectural state of the processor, leaving the architectural state without any trace of its execution.
In terms of the directly visible behavior of the computer it is as if the speculatively executed code "never happened". However, this speculative execution may affect the state of certain components of the microprocessor, such as the cache, and this effect may be discovered by careful monitoring of the timing of subsequent operations.
If an attacker can arrange that the speculatively executed code (which may be directly written by the attacker, or may be a suitable gadget that they have found in the targeted system) operates on secret data that they are unauthorized to access, and has a different effect on the cache for different values of the secret data, they may be able to discover the value of the secret data.
Starting in 2017, multiple examples of such vulnerabilities were identified, with publication starting in early 2018.
In March 2021 AMD security researchers discovered that the Predictive Store Forwarding algorithm in Zen 3 CPUs could be used by malicious applications to access data it shouldn't be accessing.[2] According to Phoronix there's little performance impact in disabling the feature.[3]
In June 2021, two new vulnerabilities, Speculative Code Store Bypass (SCSB, CVE-2021-0086) and Floating Point Value Injection (FPVI, CVE-2021-0089), affecting all modern x86-64 CPUs both from Intel and AMD were discovered.[4] In order to mitigate them software has to be rewritten and recompiled. ARM CPUs are not affected by SCSB but some certain ARM architectures are affected by FPVI.[5]
In August 2021 a vulnerability called "Transient Execution of Non-canonical Accesses" affecting certain AMD CPUs was disclosed.[6][7][8] It requires the same mitigations as the MDS vulnerability affecting certain Intel CPUs.[9] It was assigned CVE-2020-12965. Since most x86 software is already patched against MDS and this vulnerability has the exact same mitigations, software vendors don't have to address this vulnerability.
In October 2021 for the first time ever a vulnerability similar to Meltdown was disclosed[10][11] to be affecting all AMD CPUs however the company doesn't think any new mitigations have to be applied and the existing ones are already sufficient.[12]
In March 2022, a new variant of the Spectre vulnerability called Branch History Injection was disclosed.[13][14] It affects certain ARM64 CPUs[15] and the following Intel CPU families: Cascade Lake, Ice Lake, Tiger Lake and Alder Lake. According to Linux kernel developers AMD CPUs are also affected.[16]
In March 2022, a vulnerability affecting a wide range of AMD CPUs was disclosed under CVE-2021-26341.[17][18]
In June 2022, multiple MMIO Intel CPUs vulnerabilities related to execution in virtual environments were announced.[19] The following CVEs were designated: CVE-2022-21123, CVE-2022-21125, CVE-2022-21166.
In July 2022, the Retbleed vulnerability was disclosed affecting Intel Core 6 to 8th generation CPUs and AMD Zen 1, 1+ and 2 generation CPUs. Newer Intel microarchitectures as well as AMD starting with Zen 3 are not affected. The mitigations for the vulnerability decrease the performance of the affected Intel CPUs by up to 39%, while AMD CPUs lose up to 14%.
In August 2022, the SQUIP vulnerability was disclosed affecting Ryzen 2000–5000 series CPUs.[20] According to AMD the existing mitigations are enough to protect from it.[21]
According to a Phoronix review released in October, 2022 Zen 4/Ryzen 7000 CPUs are not slowed down by mitigations, in fact disabling them leads to a performance loss.[22][23]
In February 2023 a vulnerability affecting a wide range of AMD CPU architectures called "Cross-Thread Return Address Predictions" was disclosed.[24][25][26]
In July 2023 a critical vulnerability in the Zen 2 AMD microarchitecture called Zenbleed was made public.[27] AMD released a microcode update to fix it.[28]
In August 2023 a vulnerability in AMD's Zen 1, Zen 2, Zen 3, and Zen 4 microarchitectures called INCEPTION[29][30] was revealed and assigned CVE-2023-20569. According to AMD it is not practical but the company will release a microcode update for the affected products.
Also in August 2023 a new vulnerability called Downfall or Gather Data Sampling was disclosed,[31][32][33] affecting Intel CPU Skylake, Cascade Lake, Cooper Lake, Ice Lake, Tiger Lake, Amber Lake, Kaby Lake, Coffee Lake, Whiskey Lake, Comet Lake & Rocket Lake CPU families. Intel will release a microcode update for affected products.
Future
Spectre class vulnerabilities will remain unfixed because otherwise CPU designers will have to disable speculative execution which will entail a massive performance loss. Despite this, AMD has managed to design Zen 4 such a way its performance is not affected by mitigations.[22][23]
Vulnerabilities and mitigations summary
Mitigation Type | Comprehensiveness | Effectiveness | Performance Impact |
---|---|---|---|
Hardware | Full | Full | None...Small |
Microcode | Partial | Partial...Full | None...Large |
OS/VMM | Partial | Partial...Full | Small...Large |
Software Recompilation | Poor | Partial...Full | Medium...Large |
Hardware mitigations require change to the CPU design and thus a new iteration of hardware, but impose close to zero performance loss. Microcode updates alter the software that the CPU runs on, requiring patches to be released and integrated into every operating system and for each CPU. OS/VMM mitigations are applied at the operating system or virtual machine level and (depending on workload) often incur quite a significant performance loss. Software recompilation requires recompiling every piece of software and usually incurs a severe performance hit.
Vulnerability Name
(aliases) |
CVE | Affected CPU architectures and mitigations | ||||||
---|---|---|---|---|---|---|---|---|
Intel[34] | AMD[35] | |||||||
Ice Lake[36] | Cascade Lake, Comet Lake |
Whiskey Lake, Amber Lake |
Coffee Lake (9th gen)[37] |
Coffee Lake (8th gen)* |
Zen 1 / Zen 1+ | Zen 2[38] | ||
Spectre v1 Bounds Check Bypass |
2017-5753 | Software Recompilation | Software Recompilation[39] | |||||
Spectre v2 Branch Target Injection |
2017-5715 | Hardware + OS | Microcode + OS | Microcode + OS | Microcode + OS/VMM | Hardware + OS/VMM | ||
SpectreRSB[40]/ret2spec[41] Return Mispredict |
2018-15572 | OS[42] | ||||||
Meltdown Rogue Data Cache Load |
2017-5754 | Not affected | Microcode | Not affected | ||||
Spectre-NG v3a | 2018-3640 | Not affected[43] | Microcode | |||||
Spectre-NG v4 Speculative Store Bypass |
2018-3639 | Hardware + OS/VMM[43] | Microcode + OS | OS/VMM | Hardware + OS/VMM | |||
Foreshadow L1 Terminal Fault (L1TF) |
2018-3615 | Not affected | Microcode | Not affected | ||||
Spectre-NG Lazy FP State Restore |
2018-3665 | OS/VMM[44] | ||||||
Spectre-NG v1.1 Bounds Check Bypass Store |
2018-3693 | OS/VMM[45] | ||||||
Foreshadow-OS L1 Terminal Fault (L1TF) |
2018-3620 | Not affected | Microcode + OS | Not affected | ||||
Foreshadow-VMM L1 Terminal Fault (L1TF) |
2018-3646 | |||||||
RIDL/ZombieLoad Microarchitectural Fill Buffer Data Sampling (MFBDS) |
2018-12130 | |||||||
RIDL Microarchitectural Load Port Data Sampling (MLPDS) |
2018-12127 | Not affected | Not affected | Not affected | Microcode + OS[46] | |||
RIDL Microarchitectural Data Sampling Uncacheable Memory (MDSUM) |
2019-11091 | Not affected | Microcode + OS | |||||
Fallout Microarchitectural Store Buffer Data Sampling (MSBDS) |
2018-12126 | Microcode[47][48] | Not affected | Not affected | Microcode + OS | |||
Spectre SWAPGS[49][50][51] | 2019-1125 | Same as Spectre 1 | ||||||
RIDL/ZombieLoad v2 Transactional Asynchronous Abort (TAA)[52][53][54] |
2019-11135 | Not Affected[55] | Microcode + OS | |||||
RIDL/CacheOut/ZombieLoad L1D Eviction Sampling (L1DES)[56][57][58] |
2020-0549 | Not Affected | ||||||
RIDL Vector Register Sampling (VRS)[56][57] |
2020-0548 | |||||||
Load Value Injection (LVI)[59][60][61][62] | 2020-0551 | Software recompilation | ||||||
CROSSTalk Special Register Buffer Data Sampling (SRBDS)[63][64][65] |
2020-0543 | Not affected | Microcode | Not affected | ||||
Branch History Injection (BHI) | 2022-0001 | Microcode + Software Recompilation | Not affected | |||||
Retbleed[66][67][68][69][70] | 2022-29900 | Not affected | Software recompilation | |||||
Cross-Thread Return Address Predictions[25][24] | 2022-27672 | Not affected | Software recompilation | |||||
Zenbleed[71][72][73] | 2023-20593 | Not affected | Microcode | |||||
INCEPTION[29][74][75] Speculative Return Stack Overflow (SRSO) |
2023-20569 | Not affected | Microcode + OS | |||||
Downfall[31][32][33] Gather Data Sampling (GDS) |
2022-40982 | Microcode + OS | Not affected |
The 8th generation Coffee Lake architecture in this table also applies to a wide range of previously released Intel CPUs, not limited to the architectures based on Intel Core, Pentium 4 and Intel Atom starting with Silvermont.[76][77] Various CPU microarchitectures not included above are also affected, among them are IBM Power, ARM, MIPS and others.[78][79][80][81]
Intel CPUs past Ice Lake, e.g. Rocket Lake and Tiger Lake are not affected by Fallout/MSBDS.
Notes
- 1.^ Stepping 5 of the 2nd Generation Intel® Xeon® Scalable Processors based on Cascade Lake microarchitecture is affected by both MSBDS and MLPDS.
References
- Kocher, Paul; Horn, Jann; Fogh, Anders; Genkin, Daniel; Gruss, Daniel. "Spectre Attacks: Exploiting Speculative Execution" (PDF). Retrieved 2020-04-16.
- Cutress, Ian. "AMD Issues Updated Speculative Spectre Security Status: Predictive Store Forwarding". www.anandtech.com. Retrieved 2021-04-08.
- "Benchmarking AMD Zen 3 With Predictive Store Forwarding Disabled - Phoronix". www.phoronix.com. Retrieved 2021-04-08.
- "Rage Against the Machine Clear". VUSec. Retrieved 2021-06-29.
- "Speculative Processor Vulnerability | Frequently asked questions". Arm Developer. Retrieved 2021-06-29.
- "Transient Execution of Non-canonical Accesses".
- Musaev, Saidgani; Fetzer, Christof (2021). "Transient Execution of Non-Canonical Accesses". arXiv:2108.10771 [cs.CR].
- Francisco, Thomas Claburn in San. "Boffins find if you torture AMD Zen+, Zen 2 CPUs enough, they are vulnerable to Meltdown-like attack". www.theregister.com. Retrieved 2021-09-05.
- https://developer.amd.com/wp-content/resources/90343-D_SoftwareTechniquesforManagingSpeculation_WP_9-20Update_R2.pdf
- Lipp, Moritz; Gruss, Daniel; Schwarz, Michael (2021-10-19). "AMD Prefetch Attacks through Power and Time". USENIX Security Symposium.
- "AMD Prefetch Attacks through Power and Time" (PDF).
- "Side-channels Related to the x86 PREFETCH Instruction".
- "Branch History Injection". VUSec. Retrieved 2022-03-08.
- "BHI: The Newest Spectre Vulnerability Affecting Intel & Arm CPUs". www.phoronix.com. Retrieved 2022-03-08.
- Ltd, Arm. "Speculative Processor Vulnerability | Spectre-BHB". Arm Developer. Retrieved 2022-03-11.
- "Linux Lands Mitigations For Spectre-BHB / BHI On Intel & Arm, Plus An AMD Change Too". www.phoronix.com. Retrieved 2022-03-08.
- "grsecurity - The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)". grsecurity.net. Retrieved 2022-03-11.
- "AMD CPUs May Transiently Execute Beyond Unconditional Direct Branch".
- "oss-security - Xen Security Advisory 404 v2 (CVE-2022-21123,CVE-2022-21125,CVE-2022-21166) - x86: MMIO Stale Data vulnerabilities". www.openwall.com. Retrieved 2022-06-19.
- "AMD Details "SQUIP" Side Channel Vulnerability For Zen's Execution Unit Scheduler". www.phoronix.com. Retrieved 2022-08-10.
- "Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors".
- "With AMD Zen 4, It's Surprisingly Not Worthwhile Disabling CPU Security Mitigations". www.phoronix.com. Retrieved 2022-10-07.
- "Disabling Spectre V2 Mitigations Is What Can Impair AMD Ryzen 7000 Series Performance". www.phoronix.com. Retrieved 2022-10-07.
- "[FYI PATCH 0/3] Cross-Thread Return Address Predictions vulnerability [LWN.net]". lwn.net. Retrieved 2023-02-14.
- "Cross-Thread Return Address Predictions | AMD". 2022-02-14. Retrieved 2023-08-11.
- "oss-sec: Xen Security Advisory 426 v1 (CVE-2022-27672) - x86: Cross-Thread Return Address Predictions". seclists.org. Retrieved 2023-02-15.
- Paul Alcorn (2023-07-24). "AMD 'Zenbleed' Bug Allows Data Theft From Zen 2 Processors, Patches Coming". Tom's Hardware. Retrieved 2023-07-24.
- "Cross-Process Information Leak". amd.com. 2023-07-24. Retrieved 2023-07-27.
- "Return Address Security Bulletin". amd.com. 2023-08-08. Retrieved 2023-08-08.
- "New Inception attack leaks sensitive data from all AMD Zen CPUs". BleepingComputer. Retrieved 2023-08-09.
- "Gather Data Sampling". Intel. Retrieved 2023-08-09.
- "Downfall". Downfall Attacks. Retrieved 2023-08-09.
- "Downfall and Zenbleed: Googlers helping secure the ecosystem". Google Online Security Blog. Retrieved 2023-08-09.
- "Affected Processors: Transient Execution Attacks & Related Security..." Intel. Retrieved 2021-06-29.
- "AMD Product Security | AMD". 2019-08-10. Retrieved 2019-08-10.
- Cutress, Dr Ian. "The Ice Lake Benchmark Preview: Inside Intel's 10nm". www.anandtech.com. Retrieved 2019-08-01.
- "Intel Core i9-9900K mit 8 Kernen und 5 GHz für Gamer". heise online (in German). 8 October 2018. Retrieved 2018-10-09.
- Cutress, Ian. "AMD Zen 2 Microarchitecture Analysis: Ryzen 3000 and EPYC Rome". www.anandtech.com. Retrieved 2019-06-11.
- https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf
- "Spectre Returns! Speculation Attacks using the Return Stack Buffer" (PDF). www.usenix.org. Retrieved 2019-08-17.
- Maisuradze, Giorgi; Rossow, Christian (2018). "ret2spec: Speculative Execution Using Return Stack Buffers". Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. pp. 2109–2122. arXiv:1807.10364. Bibcode:2018arXiv180710364M. doi:10.1145/3243734.3243761. ISBN 9781450356930. S2CID 51804116.
- "Kernel/Git/Torvalds/Linux.git - Linux kernel source tree".
- "Engineering New Protections Into Hardware". Intel. Retrieved 2019-04-28.
- "INTEL-SA-00145". Intel.
- "Bounds Check Bypass Store (BCBS) Vulnerability (INTEL-OSS-10002)". Intel.
- "Intel Deep Dive CPUID Enumeration and Architectural MSRs". Intel. Retrieved 2020-01-02.
- "INTEL-SA-00233". Intel. Retrieved 2020-07-15.
- danielmgmi (2020-07-15), danielmgmi/icebreak, retrieved 2020-07-15
- "Bitdefender SWAPGS Attack Mitigation Solutions". www.bitdefender.com. Retrieved 2019-08-07.
- "Documentation/admin-guide/hw-vuln/spectre.rst - chromiumos/third_party/kernel - Git at Google". chromium.googlesource.com. Archived from the original on 2019-08-07. Retrieved 2019-08-07.
- Winder, Davey (6 August 2019). "Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now". Forbes. Retrieved 7 August 2019.
- "Cyberus Technology: TSX Asynchronous Abort". www.cyberus-technology.de. Retrieved 2019-11-12.
- at 18:02, Shaun Nichols in San Francisco 12 Nov 2019. "True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant". www.theregister.co.uk. Retrieved 2019-11-12.
- Cimpanu, Catalin. "Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack". ZDNet. Retrieved 2019-11-12.
- "Intel Deep Dive TSX Asynchronous Abort". Intel. Retrieved 2020-01-02.
- "MDS Attacks: Microarchitectural Data Sampling". mdsattacks.com. Retrieved 2020-01-27.
- "IPAS: INTEL-SA-00329". Technology@Intel. 2020-01-27. Retrieved 2020-01-28.
- "CacheOut". cacheoutattack.com. Retrieved 2020-01-29.
- at 17:00, Thomas Claburn in San Francisco 10 Mar 2020. "You only LVI twice: Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling flaw will cost you 50%+ of performance". www.theregister.co.uk. Retrieved 2020-03-10.
- "LVI: Hijacking Transient Execution with Load Value Injection". lviattack.eu. Retrieved 2020-03-10.
- "INTEL-SA-00334". Intel. Retrieved 2020-03-10.
- "Deep Dive: Load Value Injection". software.intel.com. Retrieved 2020-03-10.
- "CROSSTalk". VUSec. Retrieved 2020-06-09.
- "Deep Dive: Special Register Buffer Data Sampling". software.intel.com. Retrieved 2020-06-09.
- "INTEL-SA-00320". Intel. Retrieved 2020-06-09.
- "Retbleed: Arbitrary Speculative Code Execution with Return Instructions – Computer Security Group". Retrieved 2022-07-12.
- "AMD, Intel chips vulnerable to 'Retbleed' Spectre variant". www.theregister.com. Retrieved 2022-07-12.
- Goodin, Dan (2022-07-12). "New working speculative execution attack sends Intel and AMD scrambling". Ars Technica. Retrieved 2022-07-12.
- "AMD CPU Branch Type Confusion".
- "INTEL-SA-00702". Intel. Retrieved 2022-07-13.
- "AMD: Information Leak in Zen 2". GitHub. Retrieved 2023-07-27.
- "Cross-Process Information Leak". AMD. Retrieved 2023-07-27.
- "security-research/pocs/cpus/zenbleed at master · google/security-research". GitHub. Retrieved 2023-07-27.
- "oss-security - Xen Security Advisory 434 v1 (CVE-2023-20569) - x86/AMD: Speculative Return Stack Overflow". www.openwall.com. Retrieved 2023-09-15.
- "Inception: how a simple XOR can cause a Microarchitectural Stack Overflow". Computer Security Group. Retrieved 2023-09-15.
- "INTEL-SA-00088". Intel. Retrieved 2018-09-01.
- "INTEL-SA-00115". Intel. Retrieved 2018-09-01.
- "Meltdown and Spectre Status Page". wiki.netbsd.org. Retrieved 2019-09-29.
- Ltd, Arm. "Speculative Processor Vulnerability | Cache Speculation Issues Update". ARM Developer. Retrieved 2019-09-29.
- "About speculative execution vulnerabilities in ARM-based and Intel CPUs". Apple Support. 31 May 2018. Retrieved 2019-09-29.
- "Potential Impact on Processors in the POWER Family". IBM PSIRT Blog. 2019-05-14. Retrieved 2019-09-29.
External links
- Linux kernel: Hardware vulnerabilities
- spectre-meltdown-checker on GitHub
- Vulnerabilities associated with CPU speculative execution
- A systematic evaluation of transient execution attacks and defenses
- A dynamic tree of transient execution vulnerabilities for Intel, AMD and ARM CPUs
- Transient Execution Attacks by Daniel Gruss, June 20, 2019
- CPU Bugs
- Intel: Refined Speculative Execution Terminology