Meltdown And Spectre, One Year Later

About this time last year, reports surfaced about security attacks on today’s most popular microprocessors (μPs). Researchers called them Meltdown, Spectre gaining widespread attention. Today, however, the industry and especially μP vendors have made some progress toward stemming these vulnerabilities. Here is my analysis as we enter into 2019.[…]

https://semiengineering.com/meltdown-and-spectre-one-year-later/

Microarchitectural Attacks training at RuhrSec

 

Training by Ass.Prof. Dr. Daniel Gruss, Moritz Lipp, Michael Schwarz (TU Graz)

With the beginning of 2018, microarchitectural attacks received a lot of attention by the computer security community and other fields. Meltdown and Spectre break isolation between processes and security domains on a hardware level. In this training, we provide a hands-on experience on microarchitectural attacks. Starting with the basics, we first learn how caches work and then implement three very basic microarchitectural side-channel attacks. We start with Flush+Reload and use it to implement two different attacks; one on a cryptographic algorithm and one template attack. We also see how performance counters can reveal interesting information for microarchitectural attacks. After having learned how to mount Flush+Reload attacks on shared libraries, we go one step further and get rid of the requirement of shared memory step by step. For this purpose, we learn how to build eviction sets and implement an Evict+Reload attack. Continuing from there, we implement Prime+Probe, an attack which does not require any shared memory. Finally, we implement a Meltdown and a Spectre attack, based on the Flush+Reload implementation we already have implement in the first third of the course. This course teaches attendees where microarchitectural attack surface is created and how it can be exploited. This provides engineers with valuable knowledge for building more secure hardware and software resilient to these attacks.

https://www.ruhrsec.de/2019/index.html#talks

Keegan Ryan: Spectre on a Television

This past January, I ordered a new TV. […] The TV was manufactured by Sceptre Inc. (note the ‘C’ and ‘P’ switch) and was covered in SCEPTRE branding. My goal for this project was to perform a hardware-level attack against the TV and change the branding to SPECTRE as an homage to the microarchitectural attack. This project has nothing to do with exploiting speculative execution, but instead it demonstrates several common techniques NCC Group uses when analyzing embedded systems.[…]

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/december/spectre-on-a-television/

Hacking Your Way to a Custom TV Boot Screen

Spectre TV

GRSecurity releases Respectre (for Spectre)

[…]Respectre(TM) is a nod to the Spectre speculation attack and signifies that it (re)veals potential Spectre vulnerabilities, (re)spects the original intent of the code, and automatically (re)factors it via a compiler plugin to eliminate speculation-based side channels. All plugin-capable versions of the compiler commonly used to compile Linux are supported, and the plugin itself is architecture-independent. The initial release to grsecurity(R) customers focusing on Spectre v1 supports the ARMv7, AArch64, PPC64, x86, and x86_64 architectures. Special care was taken in designing the plugin to ensure both low impact to compilation time as well as negligible impact to runtime performance (measured as 0.3% in a kernel-focused stress test). The plugin incorporates advanced static analysis far beyond the level of any existing tools for any OS, and is the 4th largest plugin of the 14 available in the grsecurity(R) kernel patches. Work is already underway to enhance the static analysis of the plugin even further and add coverage for other similar Spectre types.[…]

https://www.grsecurity.net/respectre_announce.php

ACM SIG Arch: Reflections on trusting SGX

Reflections on trusting SGX
by Mark Silberstein
Sep 25, 2018

The security community will remember the year of 2018 as the year of speculative execution attacks. Meltdown and Spectre, the recent Foreshadow (L1TF in Intel’s terminology), and their variants demonstrate how the immense processor design complexity, perpetual drive for higher performance, and subtle hardware-software interactions — all collude to create a major system security earthquake that is shaking the whole industry. Foreshadow stands out in that it wreaks havoc on Intel SGX, Intel’s recent instruction set extension for building trusted execution environments, which has been envisioned as a stronghold of security in future computing systems. In this blog I highlight the important differences between Foreshadow and other speculative execution attacks, and raise a few questions that require much more than just a technical solution.[…]

https://www.sigarch.org/reflections-on-trusting-sgx/

 

BlueHat Israel video: Beyond Belief: The Case of Spectre and Meltdown

http://www.bluehatil.com/files/Beyond%20Belief%20-%20The%20Case%20of%20Spectre%20and%20Meltdown.pdf

https://gruss.cc/

https://meltdownattack.com/

Spectre & Meltdown vulnerability/mitigation checker for Linux

A shell script to tell if your system is vulnerable against the several “speculative execution” CVEs that were made public in 2018.

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
CVE-2018-3640 [rogue system register read] aka ‘Variant 3a’
CVE-2018-3639 [speculative store bypass] aka ‘Variant 4’
CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 [L1 terminal fault] aka ‘Foreshadow & Foreshadow-

https://www.cnx-software.com/2018/08/17/check-spectre-meltdown-l1-terminal-fault-linux/amp/

https://github.com/speed47/spectre-meltdown-checker/

Two Spectre, Meltodown, and Rowhammer talks from Blackhat

https://mlq.me/download/bhusa2018_meltdown_slides.pdf

https://gruss.cc/files/us-18-Gruss-Another-Flip-In-The-Row.pdf

Microsoft Blackhat speculative execution slides posted

https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2018_08_BlackHatUSA/us-18-Fogh-Ertl-Wrangling-with-the-Ghost-An-Inside-Story-of-Mitigating-Speculative-Execution-Side-Channel-Vulnerabilities.pdf

NetSpectre

https://misc0110.net/web/files/netspectre.pdf

Red Hat: SPECTRE Variant 1 scanning tool

As part of Red Hat’s commitment to product security we have developed a tool internally that can be used to scan for variant 1 SPECTRE vulnerabilities. As part of our commitment to the wider user community, we are introducing this tool via this article. […] The tool currently only supports the x86_64 and AArch64 architectures. We do hope to add additional architectures in the future.[…]

https://access.redhat.com/blogs/766093/posts/3510331

https://people.redhat.com/~nickc/Spectre_Scanner/scanner.tar.xz

LLVM: Introduce a new pass to do Speculative Load Hardening (SLH) to mitigate Spectre variant 1

A new speculative load hardening pass was added for X86, aiming to mitigate Spectre variant #1

http://llvmweekly.org/issue/237

https://reviews.llvm.org/rL336990

 

Huawei: Security Advisory – Side-Channel Vulnerability Variants 3a and 4

SA No:huawei-sa-20180615-01-cpu
Initial Release Date: Jun 15, 2018
Last Release Date: Jul 17, 2018

Intel publicly disclosed new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown. These variants known as 3A (CVE-2018-3640)and 4 (CVE-2018-3639), local attackers may exploit these vulnerabilities to cause information leak on the affected system. (Vulnerability ID: HWPSIRT-2018-05139 and HWPSIRT-2018-05140).[…]

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180615-01-cpu-en

IBM: UEFI fixes for Spectre variants 4 and 3a (CVE-2018-3639 CVE-2018-3640)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-released-unified-extensible-firmware-interface-uefi-fixes-in-response-to-spectre-variants-4-and-3a-cve-2018-3639-cve-2018-3640/

GCC: Mitigation against unsafe data speculation (CVE-2017-5753)

The patches I posted earlier this year for mitigating against
CVE-2017-5753 (Spectre variant 1) attracted some useful feedback, from
which it became obvious that a rethink was needed. This mail, and the
following patches attempt to address that feedback and present a new
approach to mitigating against this form of attack surface.[…]

https://gcc.gnu.org/ml/gcc-patches/2018-07/msg00423.html

 

ACM SIGArch: Speculating about speculation: on the (lack of) security guarantees of Spectre-V1 mitigations

Spectre and Meltdown opened the Pandora box of a new class of speculative execution attacks that defeat standard memory protection mechanisms. These attacks are not theoretical, they pose a real and immediate security threat, and have been reportedly exploited by cybercriminals.[…]

https://www.sigarch.org/speculating-about-speculation-on-the-lack-of-security-guarantees-of-spectre-v1-mitigations/