QEMU-Vulneratilibites_and_Mitigations

Differences between revisions 2 and 3
Revision 2 as of 2019-11-10 17:33:43
Size: 18202
Comment:
Revision 3 as of 2019-11-10 18:05:16
Size: 10547
Comment:
Line 102: Line 113:
      _user pointer sanitization::
  :: To mitigate this exploit technique in the Linux kernel, we first identify instruction sequences that can be tricked into exploitable behavior. Since a sequence must fit a specific pattern and operate on untrusted data before any potential exploit, not all conditional branches are exploitable. Techniques such as static analysis or manual inspection can identify these sequences.
   
Line 103: Line 118:
     <<BR>>The branch target injection exploit targets a processor’s 'indirect branch predictor'. Indirect branches are used very differently than the conditional branches that the first exploit may target. In Linux, indirect branches are used relatively rarely compared to conditional branches, but they are used in critical locations. In addition, the compiler may insert indirect branches without the programmer ever being aware.<<BR>>
 <<BR>>Since the compiler generates these branches, mitigation against this exploit is the most straightforward when the compiler can simply avoid generating vulnerable branch sequences. A software construct called [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline | retpoline ]] can be deployed to help ensure that a given indirect branch is resistant to exploitation. The compiler, automatically, or the programmer, manually, can insert the retpoline logic in binary code. Retpoline deliberately steer the processor’s branch prediction logic to a trusted location, preventing a potential exploit from steering them elsewhere.
   
Line 105: Line 124:
''' Side Channel Attacks - Others '''
Line 107: Line 125:
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html | CVE-2018-3665 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LazyFP | Lazy FP Save/Restore (LazyFP) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3693.html | CVE-2018-3693 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BCBS | Bounds Check Bypass Store (Variant (or Spectre) 1.1 and 1.2 / BCBS) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3640.html | CVE-2018-3640 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/RSRE | Rogue System Register Read (RSRE / Variant 3a) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639.html | CVE-2018-3639 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 | Speculative Store Bypass (SSB / Variant 4 / Spectre-NG) ]]
Line 112: Line 126:
''' L1 Terminal Fault (L1TF) '''
Line 114: Line 127:
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3615.html | CVE-2018-3615 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Intel SGX (Software Guard Extensions) (Foreshadow / L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html | CVE-2018-3620 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Operating Systems and System Management Mode (Fault-OS / SMM) (L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646.html | CVE-2018-3646 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Virtualization Extensions (L1TF) ]]

''' Microarchitectural Data Sampling (MDS) '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html | CVE-2018-12126 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Store Buffer Data Sampling (MSBDS / Fallout) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html | CVE-2018-12127 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Load Port Data Sampling (MLPDS / RIDL) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html | CVE-2018-12130 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Fill Buffer Data Sampling (MFBDS / ZombieLoad) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11091.html | CVE-2019-11091 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Data Sampling Uncacheable Memory (MDSUM) ]]
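Review bot: the label and link target disagree on the last MDS entry: the text reads CVE-2019-11091 but the URL ends in /cve/2018/CVE-2018-11091.html. The three entries above it use the same CVE id in both the link and the label, so point this link at the tracker page for CVE-2019-11091. The same entry is repeated in the later hunks and needs the same change there.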
Line 131: Line 134:
''' Side Channel Attacks - Spectre and Meltdown '''
Line 133: Line 135:
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html | CVE-2017-5753 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Bounds Check Bypass (Variant 1 / Spectre) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html | CVE-2017-5715 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Branch Target Injection (Variant 2 / Spectre) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html | CVE-2017-5754 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Rogue Data Cache Load (Variant 3 / Meltdown) ]]

''' Side Channel Attacks - Others '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html | CVE-2018-3665 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LazyFP | Lazy FP Save/Restore (LazyFP) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3693.html | CVE-2018-3693 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BCBS | Bounds Check Bypass Store (Variant (or Spectre) 1.1 and 1.2 / BCBS) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3640.html | CVE-2018-3640 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/RSRE | Rogue System Register Read (RSRE / Variant 3a) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639.html | CVE-2018-3639 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 | Speculative Store Bypass (SSB / Variant 4 / Spectre-NG) ]]

''' L1 Terminal Fault (L1TF) '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3615.html | CVE-2018-3615 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Intel SGX (Software Guard Extensions) (Foreshadow / L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html | CVE-2018-3620 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Operating Systems and System Management Mode (Fault-OS / SMM) (L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646.html | CVE-2018-3646 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Virtualization Extensions (L1TF) ]]

''' Microarchitectural Data Sampling (MDS) '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html | CVE-2018-12126 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Store Buffer Data Sampling (MSBDS / Fallout) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html | CVE-2018-12127 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Load Port Data Sampling (MLPDS / RIDL) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html | CVE-2018-12130 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Fill Buffer Data Sampling (MFBDS / ZombieLoad) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11091.html | CVE-2019-11091 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Data Sampling Uncacheable Memory (MDSUM) ]]
Line 160: Line 139:



''' Side Channel Attacks - Spectre and Meltdown '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html | CVE-2017-5753 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Bounds Check Bypass (Variant 1 / Spectre) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html | CVE-2017-5715 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Branch Target Injection (Variant 2 / Spectre) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html | CVE-2017-5754 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Rogue Data Cache Load (Variant 3 / Meltdown) ]]

''' Side Channel Attacks - Others '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html | CVE-2018-3665 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LazyFP | Lazy FP Save/Restore (LazyFP) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3693.html | CVE-2018-3693 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BCBS | Bounds Check Bypass Store (Variant (or Spectre) 1.1 and 1.2 / BCBS) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3640.html | CVE-2018-3640 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/RSRE | Rogue System Register Read (RSRE / Variant 3a) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639.html | CVE-2018-3639 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 | Speculative Store Bypass (SSB / Variant 4 / Spectre-NG) ]]

''' L1 Terminal Fault (L1TF) '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3615.html | CVE-2018-3615 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Intel SGX (Software Guard Extensions) (Foreshadow / L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html | CVE-2018-3620 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Operating Systems and System Management Mode (Fault-OS / SMM) (L1TF) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646.html | CVE-2018-3646 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | Virtualization Extensions (L1TF) ]]

''' Microarchitectural Data Sampling (MDS) '''

 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html | CVE-2018-12126 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Store Buffer Data Sampling (MSBDS / Fallout) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html | CVE-2018-12127 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Load Port Data Sampling (MLPDS / RIDL) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html | CVE-2018-12130 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Fill Buffer Data Sampling (MFBDS / ZombieLoad) ]]
 a. [[ https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11091.html | CVE-2019-11091 ]] - [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Data Sampling Uncacheable Memory (MDSUM) ]]


Introduction

This document should be read together with the following articles:

And the references used here are, among the documents above, the following docs:


How to read this document?

(i) You should read this!
(o) This is deeper information, you may ignore.
(X) This is a CPU vulnerability!
Info <!> This is a mitigation technique.
(./) This is a CPU flag to advertise Kernel and/or Hypervisor.

Notes:

  1. Sometimes the mitigation name is the acronym for the CPU flag, for example: Info <!> Indirect Branch Prediction Barrier - (./) ibpb. And sometimes a CPU flag might mitigate more than one vulnerability.

  2. Downloading the HTML from the wiki (through the proper Download link at the top) and opening it locally will make it better for reading (no CSS themes). You can also print it to PDF if you'd like.


Also, check the dates of the articles and look for newer ones not yet reflected in this document. Newer side channel attack techniques might have been discovered since this page was created. If you feel this page should be updated, please send us an e-mail at ubuntu-server@lists.ubuntu.com mentioning what should be updated and why.

Related CPU Vulnerabilities (CVEs)

Side Channel Attacks - Spectre and Meltdown

  1. CVE-2017-5753 - Bounds Check Bypass (Variant 1 / Spectre)

  2. CVE-2017-5715 - Branch Target Injection (Variant 2 / Spectre)

  3. CVE-2017-5754 - Rogue Data Cache Load (Variant 3 / Meltdown)

Side Channel Attacks - Others

  1. CVE-2018-3665 - Lazy FP Save/Restore (LazyFP)

  2. CVE-2018-3693 - Bounds Check Bypass Store (Variant (or Spectre) 1.1 and 1.2 / BCBS)

  3. CVE-2018-3640 - Rogue System Register Read (RSRE / Variant 3a)

  4. CVE-2018-3639 - Speculative Store Bypass (SSB / Variant 4 / Spectre-NG)

L1 Terminal Fault (L1TF)

  1. CVE-2018-3615 - Intel SGX (Software Guard Extensions) (Foreshadow / L1TF)

  2. CVE-2018-3620 - Operating Systems and System Management Mode (Fault-OS / SMM) (L1TF)

  3. CVE-2018-3646 - Virtualization Extensions (L1TF)

Microarchitectural Data Sampling (MDS)

  1. CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS / Fallout)

  2. CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS / RIDL)

  3. CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS / ZombieLoad)

  4. CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This CVE topic structure is used in the same order in all subsequent sections of this document.
The idea is to allow the reader to map:

CPU Vulnerability <-> Firmware/Kernel/OS Mitigation <-> CPU Flags to Guest

CPU Vulnerabilities, HW / Firmware, Kernel and OS Mitigations

Side Channel Attacks - Spectre and Meltdown

  1. CVE-2017-5753 - Bounds Check Bypass (Variant 1 / Spectre)

    _user pointer sanitization
    To mitigate this exploit technique in the Linux kernel, we first identify instruction sequences that can be tricked into exploitable behavior. Since a sequence must fit a specific pattern and operate on untrusted data before any potential exploit, not all conditional branches are exploitable. Techniques such as static analysis or manual inspection can identify these sequences.
  2. CVE-2017-5715 - Branch Target Injection (Variant 2 / Spectre)


    The branch target injection exploit targets a processor’s 'indirect branch predictor'. Indirect branches are used very differently than the conditional branches that the first exploit may target. In Linux, indirect branches are used relatively rarely compared to conditional branches, but they are used in critical locations. In addition, the compiler may insert indirect branches without the programmer ever being aware.

    Since the compiler generates these branches, mitigating this exploit is most straightforward when the compiler can simply avoid generating vulnerable branch sequences. A software construct called retpoline can be deployed to help ensure that a given indirect branch is resistant to exploitation. The retpoline logic can be inserted into the binary code either automatically by the compiler or manually by the programmer. Retpolines deliberately steer the processor’s branch prediction logic to a trusted location, preventing a potential exploit from steering it elsewhere.

  3. CVE-2017-5754 - Rogue Data Cache Load (Variant 3 / Meltdown)
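
For item 1 above (bounds check bypass), the kind of instruction sequence that gets flagged and one way to sanitize the untrusted index, shown as an added example that is not code from this page or from the Linux kernel. The function names, the table and its contents are hypothetical; the branchless mask follows the same idea as the kernel's array_index_nospec() helper.

```c
#include <limits.h>
#include <stddef.h>

#define TABLE_SIZE 16UL

/* Constructed sample data standing in for a kernel-side table. */
static const unsigned char table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Before: the pattern static analysis looks for. An untrusted index is
 * bounds-checked and then used in a load. This is architecturally safe,
 * but the CPU may issue the load speculatively before the branch resolves. */
unsigned char read_unsanitized(unsigned long idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* All-ones when idx < size, zero otherwise, computed without a branch so
 * there is nothing to mispredict. Assumes size <= LONG_MAX and that the
 * compiler wraps unsigned-to-signed conversion and shifts negative values
 * arithmetically (true for GCC and Clang). */
unsigned long index_mask(unsigned long idx, unsigned long size)
{
    return (unsigned long)(~(long)(idx | (size - 1UL - idx))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Forces an out-of-range index to 0 through a data dependency. */
unsigned long sanitize_index(unsigned long idx, unsigned long size)
{
    return idx & index_mask(idx, size);
}

/* After: even if the branch is mispredicted, the load can only touch
 * table[0..TABLE_SIZE-1], because the index is masked before use. */
unsigned char read_sanitized(unsigned long idx)
{
    if (idx < TABLE_SIZE)
        return table[sanitize_index(idx, TABLE_SIZE)];
    return 0;
}

int main(void)
{
    /* In range: value preserved. Out of range: index forced to 0. */
    return (read_sanitized(3) == 13 &&
            sanitize_index(99, TABLE_SIZE) == 0) ? 0 : 1;
}
```

A production helper also has to stop the compiler from turning the mask back into a conditional branch, which plain C cannot guarantee.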

QEMU/KVM ONLY - Mitigations and CPU Flags

Spectre and Meltdown mitigation detection tool

rafaeldtinoco/QEMU-Vulneratilibites_and_Mitigations (last edited 2019-11-18 03:13:54 by rafaeldtinoco)