Bug bounties pay off, uncovering two more side-channel flaws in the wake of Meltdown and Spectre — Rogue System Register Read and Speculative Store Buffer Bypass.

Timeline

As soon as Google Project Zero publicized Meltdown and Spectre, researchers started hunting down related flaws. For any hackers not motivated enough by the impact of identifying such a widespread issue, Intel and fellow tech giant Microsoft placed $250,000 bug bounties on the task.

By early May, the press was abuzz that in fact eight more side-channel flaws had been discovered and were on track toward public disclosure.

Rumors quickly followed on Reddit and elsewhere that Intel had intended to publicize these bugs earlier but was instead aiming for May 21 to go public.

Rogue System Register Read and Speculative Store Buffer Bypass

Right on time — but falling short of the rumored eight — two such flaws were revealed relating to the method that CPUs use to select memory locations, known as “Rogue System Register Read” (or “variant 3a”) and “Speculative Store Buffer Bypass” (or “variant 4”).

Credit for revealing the two new issues goes to Jann Horn at Google Project Zero and Ken Johnson at Microsoft, and all companies involved are praising the cooperation practiced across competitors in responding. A coordinated disclosure effort by many of the major software and hardware companies allowed them to set out how they intend to address the ill effects of these flaws. This effort showed how crucial coordination is to achieving satisfactory fixes for problems at such a deep level of computer architecture, since often both the processor and the software running on top of it must take action to mitigate them.

Vendors Take Action

Intel has shipped a beta microcode update to OEMs to address both issues, with the expectation that those manufacturers will distribute it in imminent BIOS patches. They have also pointed out that the fixes formerly issued to address January’s Spectre 1 vulnerability largely circumscribe the risk of Spectre 4.

AMD and Arm have stated that a subset of their products are susceptible to the SSB vulnerability only, and that they are providing updates containing a setting that can disable SSB functionality.

Red Hat has issued patches for many of their operating systems and other products, which will be fully effective once paired with processor updates.

Microsoft has issued advisories (for RSRD and SSBB), as well as a detailed end-user analysis of SSB, with recommendations to hang on until chipmakers patch their respective firmware/microcode.

Mechanisms and Mitigations

Under certain circumstances, when a process checks whether a given location in memory is available, it is allowed to see what, if anything, already occupies that location. By deliberately and repeatedly forcing such checks, then piecing together the fragments of information gathered, a program can reconstruct substantial data about a neighboring program from which it would otherwise be isolated. These checks can be avoided by making certain operations execute strictly in sequence rather than letting the processor fill idle slots in its schedule, which causes the governing program to run more slowly. The low-level toggle that forces this trade of speed for security is called the Speculative Store Bypass Disable bit (SSBD), and whether to use it, where it is available, will come down to situation-specific constraints.
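As an added example (not from the article or any vendor), this is how the SSBD toggle described above is exposed to software on Linux: a process can query its own Speculative Store Bypass state and opt into SSBD through prctl(2), while the kernel reports the system-wide state in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. The constants mirror linux/prctl.h; the helper names, the numeric verdicts and the sample sysfs lines are my own assumptions.

```c
/* Added example: query and enable Speculative Store Bypass Disable (SSBD)
 * for the calling process via prctl(2), and decode the kernel's sysfs line.
 * Constants mirror <linux/prctl.h>; guarded in case the headers are old. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/prctl.h>

#ifndef PR_SET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Classify the one-line status from
 * /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
 * 0 = not affected, 1 = mitigated, 2 = vulnerable, -1 = unrecognised. */
int classify_ssb_sysfs(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return 0;
    if (strncmp(line, "Mitigation:", 11) == 0)  return 1;
    if (strncmp(line, "Vulnerable", 10) == 0)   return 2;
    return -1;
}

/* Verdict from a PR_GET_SPECULATION_CTRL result: 1 = store bypass is disabled
 * for this task, 0 = still enabled although the toggle exists, -1 = no per-task
 * control (prctl failed or kernel/CPU lacks it; consult sysfs instead). */
int ssbd_active(long ctrl)
{
    if (ctrl < 0) return -1;                        /* prctl(2) error */
    if (ctrl == PR_SPEC_NOT_AFFECTED) return 1;
    if (!(ctrl & PR_SPEC_PRCTL)) return -1;         /* no opt-in available */
    return (ctrl & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) ? 1 : 0;
}

/* Opt this process (inherited by children, cannot be re-enabled) into SSBD.
 * Returns 0 on success, -errno otherwise (e.g. -EINVAL/-ENODEV when absent). */
int enable_ssbd_for_self(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_FORCE_DISABLE, 0, 0) == -1)
        return -errno;
    return 0;
}
```

A caller would typically read the current state with `prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)`, pass it to `ssbd_active`, and call `enable_ssbd_for_self` only for the sandboxed or untrusted-input components where the slowdown is acceptable.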

The Rogue System Register Read threat, universally regarded as the lesser evil and affecting only a subset of the systems affected by Speculative Store Buffer Bypass, exposes the contents of system registers that should be confined to high-privileged system components.

Many in the industry are quick to temper the potential panic over side-channel attacks like these by noting that they are only exploitable by a user with local access to a system. Additionally, applications like web browsers, whose security relies in part on their own runtime code, can enforce memory isolation within that runtime to make exploitation more difficult.
