Uncategorized

IBM: UEFI fixes for Spectre variants 4 and 3a (CVE-2018-3639 CVE-2018-3640)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-released-unified-extensible-firmware-interface-uefi-fixes-in-response-to-spectre-variants-4-and-3a-cve-2018-3639-cve-2018-3640/

Standard
Uncategorized

GCC: Mitigation against unsafe data speculation (CVE-2017-5753)

The patches I posted earlier this year for mitigating against
CVE-2017-5753 (Spectre variant 1) attracted some useful feedback, from
which it became obvious that a rethink was needed. This mail, and the
following patches attempt to address that feedback and present a new
approach to mitigating against this form of attack surface.[…]

https://gcc.gnu.org/ml/gcc-patches/2018-07/msg00423.html

 

Standard
Uncategorized

ACM SIGArch: Speculating about speculation: on the (lack of) security guarantees of Spectre-V1 mitigations

Spectre and Meltdown opened the Pandora box of a new class of speculative execution attacks that defeat standard memory protection mechanisms. These attacks are not theoretical, they pose a real and immediate security threat, and have been reportedly exploited by cybercriminals.[…]

https://www.sigarch.org/speculating-about-speculation-on-the-lack-of-security-guarantees-of-spectre-v1-mitigations/

 

Standard
Uncategorized

SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation

Submitted on 13 Jun 2018

Speculative execution which is used pervasively in modern CPUs can leave side effects in the processor caches and other structures even when the speculated instructions do not commit and their direct effect is not visible. The recent Meltdown and Spectre attacks have shown that this behavior can be exploited to expose privileged information to an unprivileged attacker. In particular, the attack forces the speculative execution of a code gadget that will carry out the illegal read, which eventually gets squashed, but which leaves a side-channel trail that can be used by the attacker to infer the value. Several attack variations are possible, allowing arbitrary exposure of the full kernel memory to an unprivileged attacker. In this paper, we introduce a new model (SafeSpec) for supporting speculation in a way that is immune to side-channel leakage necessary for attacks such as Meltdown and Spectre. In particular, SafeSpec stores side effects of speculation in a way that is not visible to the attacker while the instructions are speculative. The speculative state is then either committed to the main CPU structures if the branch commits, or squashed if it does not, making all direct side effects of speculative code invisible. The solution must also address the possibility of a covert channel from speculative instructions to committed instructions before these instructions are committed. We show that SafeSpec prevents all three variants of Spectre and Meltdown, as well as new variants that we introduce. We also develop a cycle accurate model of modified design of an x86-64 processor and show that the performance impact is negligible. We build prototypes of the hardware support in a hardware description language to show that the additional overhead is small. We believe that SafeSpec completely closes this class of attacks, and that it is practical to implement.

https://arxiv.org/abs/1806.05179

Standard
Uncategorized

FreeBSD 11.2R released, with speculative execution and UEFI updates

The latest version of FreeBSD is out, and has a few speculative execution and UEFI changes, including:

https://www.freebsd.org/releases/11.2R/relnotes.html

[arm64] The bsdinstall(8) installer has been updated to default to UEFI-only boot. [r322254]
(Sponsored by The FreeBSD Foundation)

The efibootmgr(8) utility has been added, which is used to manipulate the EFI boot manager. [r332126]
(Sponsored by Netflix)

https://www.freebsd.org/cgi/man.cgi?query=efibootmgr&sektion=8&manpath=freebsd-release-ports

The cpucontrol(8) utility has been updated to include a new flag, -e, which is used to re-evaluate reported CPU features after applying firmware updates. [r327871]
Note: The cpucontrol(8) -e flag should only be used after microcode update have been applied to all CPUs in the system, otherwise system instability may be experienced if processor features are not identical across the system.

https://www.freebsd.org/cgi/man.cgi?query=cpucontrol&sektion=8&manpath=freebsd-release-ports

FreeBSD-SA-18:03.speculative_execution 14 March 2018.  Speculative Execution Vulnerabilities
Note: This advisory addresses the most significant issues for FreeBSD 11.x on amd64 CPUs. We expect to update this advisory to include i386 and other CPUs.

https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc

Standard