Last Update: September 10, 2018
In early January 2018, issues known as Meltdown and Spectre were reported as CPU vulnerabilities. Because these vulnerabilities affect many CPUs, such as those manufactured by Intel, AMD, and ARM, and therefore affect many information systems, related information was published from various security vendors, researchers and medias. HIRT-PUB18001 introduces the issues associated with Meltdown and Spectre.
[Update] At the end of May 2018, CPU Vulnerability Variant issues were reported.
[Update] At the middle of June 2018, CPU Vulnerability Variant issues were reported.
[Update] At the middle of July 2018, CPU Vulnerability Variant issues were reported.
[Update] At the middle of August 2018, CPU Vulnerability Variant issues were reported.
Many articles about Meltdown and Spectre use the words "speculative execution".
About Speculative Execution
In order to take maximum advantage of high-speed CPUs, PC are equipped with functionality such as out-of-order execution, which processes instructions as they are able to be processed rather than processing them in order, and branch prediction, which predicts the next choice to be made based on processing history, and performs the predicted processing in advance. This type of functionality is referred to by the general term "speculative execution". Because speculative execution involves performing work in advance, it is effective in increasing the efficiency of processing. However, irregular situations also occur in which the results are ineffective or in which instructions that do not need to be processed are executed, and the results of the processing performed in advance become unnecessary. Exploits such as Meltdown and Spectre can abuse vulnerabilities in this situation. The vulnerabilities came about because the security mechanisms that have existed up to this point did not take into account operations performed during these irregular situations.
Next, we will examine the issues associated with Meltdown and Spectre.
Meltdown utilizes the functionality that processes instructions as they are able to be processed rather than processing them in order (out-of-order execution) to process data that cannot be accessed without the appropriate permissions, and to execute processing that utilizes such data. By doing so, Meltdown enables information related to data that cannot be accessed without the appropriate permissions to be stored in cache memory, which can be accessed even without permission (Figure 1). Meltdown causes a problem because it allows the execution of processing of data that should not be processed.
![Figure 1: [Meltdown] CVE-2017-5754: Rogue Data Cache Load](images/18001-01.png)
Figure 1: [Meltdown] CVE-2017-5754: Rogue Data Cache Load
Spectre takes two approaches, both of which utilize the functionality that predicts the next choice to be made based on processing history, and performs the predicted processing in advance (branch prediction). The first approach accesses areas that cannot be accessed without the appropriate permissions while the CPU is checking whether access is being made to areas that should be inaccessible, thereby storing, in cache memory, information related to the data in the inaccessible areas (Figure 2). The other approach exploits the functionality that predicts the memory addresses of branches based on the processing history in order to induce the prediction of the memory addresses of incorrect branches, thereby reading data in areas that should be inaccessible (Figure 3).
![Figure 2: [Spectre] CVE-2017-5753: Bounds Check Bypass](images/18001-02.png)
Figure 2: [Spectre] CVE-2017-5753: Bounds Check Bypass
![Figure 3: [Spectre] CVE-2017-5715: Branch Target Injection](images/18001-03.png)
Figure 3: [Spectre] CVE-2017-5715: Branch Target Injection
RSRE (Variant 3a) is a similar issue of Meltdown. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.
SSB, SpectreNG (Variant 4) is issue that systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may read an earlier value of the data.
Table 1: Impact
| Date Public | January 30, 2018 | ||
| Name | Meltdown Variant 3 |
Spectre Variant 1 |
Spectre Variant 2 |
| Vulnerability | Rogue Data Cache Load (CVE-2017-5754) | Bounds Check Bypass (CVE-2017-5753) | Branch Target Injection (CVE-2017-5715) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
||
| Affected CPU | Intel, IBM POWER | Intel, AMD, ARM, IBM POWER | |
| Scenarios where attackers may attempt to leverage these vulnerabilities | Circumvents the address space layout randomization function of the kernel. | Attacks against virtualized hosting environments. For example, an attacker might gain access to a host OS from a guest OS. Attacks via a web browser. For example, sensitive information stored by a web browser could be leaked. |
|
| Date Public | May 21, 2018 | June 13, 2018 | |
| Name | RSRE Variant 3a |
SSB, SpectreNG Variant 4 |
|
| Vulnerability | Rogue System Register Read (CVE-2018-3640) | Speculative Store Bypass (CVE-2018-3639) | Lazy FP state restore (CVE-2018-3665) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
||
| Affected CPU | Intel, AMD, ARM | Intel, AMD, ARM, IBM POWER | |
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
| Date Public | July 10, 2018 | ||
| Name | BCBS Spectre 1.1 |
Spectre 1.2 | |
| Vulnerability | Bounds Check Bypass Store (CVE-2018-3693) | Read-only Protection Bypass | |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
||
| Affected CPU | Intel, AMD, ARM | ||
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
| Date Public | August 14, 2018 | ||
| Name | Foreshadow Foreshadow-SGX |
Foreshadow-OS | Foreshadow-VMM |
| Vulnerability | L1 Terminal Fault (L1TF) SGX (CVE-2018-3615) | L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620) | L1 Terminal Fault (L1TF) VMM (CVE-2018-3646) |
| Impact | Leakage of information stored in memory | ||
| Severity | CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:P/A:N CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
||
| Affected CPU | Intel | ||
| Scenarios where attackers may attempt to leverage these vulnerabilities | |||
Table 2: Countermeasure approaches
| Date Public | May 21, 2018 | June 13, 2018 | ||
| Name | RSRE Variant 3a |
SSB, SpectreNG Variant 4 |
||
| Vulnerability | Rogue System Register Read (CVE-2018-3640) | Speculative Store Bypass (CVE-2018-3639) | Lazy FP state restore (CVE-2018-3665) | |
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-SA-00115: Q2 2018 Speculative Execution Side Channel Update | INTEL-SA-00145: Lazy FP state restore | |
| AMD | AMD Processor Security Updates | |||
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism | |||
| IBM POWER | Potential Impact on Processors in the POWER Family | |||
| OS updates | Windows | ADV180013 | ADV180012 | ADV180016 |
| Mac | ||||
| Red Hat | What is CVE-2018-3640? | Speculative Store Bypass explained: what it is, how it works | ||
| Android | Android Security Bulletin - January 2018 | |||
| Chrome | ||||
| Virtual environment updates | VMware | VMSA-2018-0012 | ||
| Red Hat | ||||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
| Date Public | July 10, 2018 | |||
| Name | BCBS Spectre 1.1 |
Spectre 1.2 | ||
| Vulnerability | Bounds Check Bypass Store (CVE-2018-3693) | Read-only Protection Bypass | ||
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-OSS-10002 | ||
| AMD | ||||
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism | |||
| IBM POWER | ||||
| OS updates | Windows | ADV180002 | ||
| Mac | ||||
| Red Hat | CVE-2018-3693 | |||
| Android | ||||
| Chrome | ||||
| Virtual environment updates | VMware | |||
| Red Hat | ||||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
| Date Public | August 14, 2018 | |||
| Name | Foreshadow Foreshadow-SGX |
Foreshadow-OS | Foreshadow-VMM | |
| Vulnerability | L1 Terminal Fault (L1TF) SGX (CVE-2018-3615) | L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620) | L1 Terminal Fault (L1TF) VMM (CVE-2018-3646) | |
| Basic countermeasure approaches | ||||
| Firmware updates | Intel | INTEL-SA-00161: Q3 2018 Speculative Execution Side Channel Update | ||
| AMD | ||||
| ARM | ||||
| IBM POWER | ||||
| OS updates | Windows | ADV180018 | ||
| Mac | ||||
| Red Hat | L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 | |||
| Android | ||||
| Chrome | ||||
| Virtual environment updates | VMware | VMSA-2018-0021 | VMSA-2018-0020 | |
| Red Hat | L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 | |||
| Browser updates | Chrome | |||
| Firefox | ||||
| Safari | ||||
| IE/Edge | ||||
In order to resolve the Meltdown and Spectre issues, partial firmware updates are necessary. However, it is also possible to mitigate the threat by updating applications (such as browsers and virtual environments) and OSs, and it will be necessary to thus implement a defense-in-depth. In addition, however, we have received reports not only of the threat of cyberattacks, but also that the countermeasures result in degraded performance and issues with restarting devices. Therefore, operability must be sufficiently considered when implementing these particular vulnerability countermeasures. As a result, when considering the necessity and details of countermeasures (such as whether to update browsers, virtual environments, OSs, and firmware) and the implementation period, it is necessary to take the following into account: (1) the threat status of cyberattacks, (2) performance degradation as a result of countermeasures, and (3) system failures occurring as a result of countermeasures.
(1) The threat status of cyberattacks
The following types of cyberattacks are possible: Attacks against virtual hosting environments (such as access to a virtual hosting environment by accessing the host OS from a guest OS), and attacks via a web browser (such as leakage of sensitive information stored by a web browser. Countermeasures must be prioritized for environments in which one or both of these types of cyberattacks are possible. Although the AV-TEST Institute in Germany reports the discovery of 139 malware samples that exploit the issues dubbed Meltdown and Spectre.
(2) Performance degradation as a result of countermeasures
The actual impact of countermeasures on performance might vary greatly depending on workloads, hardware, devices, and system restrictions. It is important to achieve balance in the trade-off between security and performance, based on already-published materials about the effects of countermeasures on performance, and on the results of verification performed on the actual devices.
(3) System failures occurring as a result of countermeasures
The following failures, such as problems with restarting devices as the result of updates, have been reported. When responding to Meltdown and Spectre issues, it is also important from the perspective of ensuring operational continuity to consider system failures that occur as the result of countermeasures.
Followings are updates of Hitachi products and OEM products (indicated by an asterisk (*)).
hitachi-sec-2018-204: Speculative Execution CPU hardware vulnerable to side-channel attacks (Lazy FP state restore) [Japanese]
hitachi-sec-2018-203: Speculative Execution CPU hardware vulnerable to side-channel attacks (Bounds check bypass on stores) [Japanese]
Published Security Advisory HIRT-PUB18001.
Published Security Advisory HIRT-PUB18001 [Japanese].
hitachi-sec-2018-301: Speculative Execution CPU hardware vulnerable to side-channel attacks [Japanese]
Notice on "side channel attack to the CPUs with speculative execution function"
This vulnerability has been assigned the following enumeration.
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)
