Latest revision |
Your text |
Line 1: |
| {{cve title|CVE-2017-5715 (Spectre, Variant 2)}} | | {{cve title|CVE-2017-5715 (Spectre, Variant 2)}} |
− | [[File:spectre-text.svg|200px|right]]
| + | '''CVE-2017-5715''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. |
− | '''[[cve id::CVE-2017-5715]]''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, resulting in {{cve|cve-2017-5753|Spectre Variant 1}} being executed, thus changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. For this attack to work, only [[speculatively execution]] is needed; the processor can still be [[in-order]]. | |
| | | |
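Review bot: The replacement intro on the + line drops the `[[cve id::CVE-2017-5715]]` semantic annotation that the − line carried, so the page would no longer register its CVE id as a property; keep `'''[[cve id::CVE-2017-5715]]'''` in place of the plain `'''CVE-2017-5715'''`. The same edit removes the closing sentence that the attack needs only speculative execution and that the processor can still be in-order; that is a useful scoping statement and should be restored, with the − line's `[[speculatively execution]]` corrected to `[[speculative execution]]`. Minor wording on the + line: "an otherwise correctly executing code" should read "otherwise correctly executing code" (the − line already had it that way). Dropping the Variant 1 clause ("resulting in Spectre Variant 1 being executed") is defensible, since Branch Target Injection redirects speculation to whatever gadget the attacker chooses, but it should be a deliberate choice rather than a side effect of the rewrite; the `[[File:spectre-text.svg|200px|right]]` thumbnail also goes away with no replacement.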
| == Overview == | | == Overview == |
− | {{see also|cve/cve-2017-5753#Overview|l1=Spectre, Variant 1 § Overview}} | + | {{see also|cve/cve-2017-5753#Overview|l1=Spectre, Variant 2 § Overview}} |
| ''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values. | | ''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values. |
| | | |
− | A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively, the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing a direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively results in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims' memory space. | + | A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code that leaves behind a change in the microarchitecture, even after the state of the machine is restored to the state it has before the mis-prediction took. |
− | | |
− | == Example ==
| |
− | Consider simple [[C++]] {{c++|inheritance}} such as the example below:
| |
− | | |
− | <source lang=C++>
| |
− | class Shape {
| |
− | public:
| |
− | virtual void Draw() = 0;
| |
− | };
| |
− | | |
− | class Circle : public Shape {
| |
− | public:
| |
− | void Draw() override { … }
| |
− | };
| |
− | </source>
| |
− | | |
− | Where <code>Shape</code> is the {{c++|base class}} and <code>Circle</code> is a {{c++|derived class}}. Now consider the following code segment.
| |
− | | |
− | <source lang=C++>
| |
− | Shape* obj = new Circle;
| |
− | obj->Draw();
| |
− | </source>
| |
− | | |
− | In typical polymorphic code such as the example above, the target address of {{c++|virtual function}} <code>Draw()</code> cannot be determined at compile time, thus resulting in an indirect branch that must be resolved at run-time. During run-time, a dynamic lookup is performed to find the matching function. While this happening, the microprocessor guess the target address and right away starts to [[speculative execution|speculative execute]] that code.
| |
− | | |
− | The attacker needs to find code similar to the example above that when manipulated through the [[indirect branch|indirect]] [[branch predictor]], can lead the microprocessor to [[speculative execution|speculative execute]] code that results in in {{cve|cve-2017-5753|Spectre Variant 1}}. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space.
| |
− | | |
− | == Affected Processors ==
| |
− | Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the ones we were able to verify.
| |
− | | |
− | {| class="wikitable"
| |
− | |-
| |
− | ! colspan="3" | List of Processors affected by Spectre, Variant 2
| |
− | |-
| |
− | ! Designer !! Processor/Architecture !! Related Notes
| |
− | |-
| |
− | | rowspan="6" | [[Apple]] || {{apple|Swift|l=arch}} ({{apple|A6}}/{{apple|A6X}}) || rowspan="6" | [https://support.apple.com/en-us/HT201222 Post]<br>[https://support.apple.com/en-us/HT208331 Post]
| |
− | |-
| |
− | | {{apple|Cyclone|l=arch}} ({{apple|A7}})
| |
− | |-
| |
− | | {{apple|Typhoon|l=arch}} ({{apple|A8}}/{{apple|A8X}})
| |
− | |-
| |
− | | {{apple|Twister|l=arch}} ({{apple|A9}}/{{apple|A9X}})
| |
− | |-
| |
− | | {{apple|Hurricane|l=arch}} ({{apple|A10}}/{{apple|A10X}})
| |
− | |-
| |
− | | {{apple|Monsoon|l=arch}} ({{apple|A11}}/{{apple|A11X}})
| |
− | |-
| |
− | | rowspan="5"| [[AMD]] || {{amd|Bulldozer|l=arch}} || rowspan="5" | [https://www.amd.com/en/corporate/speculative-execution Post]
| |
− | |-
| |
− | | {{amd|Piledriver|l=arch}}
| |
− | |-
| |
− | | {{amd|Steamroller|l=arch}}
| |
− | |-
| |
− | | {{amd|Excavator|l=arch}}
| |
− | |-
| |
− | | {{amd|Zen|l=arch}}
| |
− | |-
| |
− | | rowspan="10" | [[ARM Holdings|ARM]] || {{armh|Cortex-R7|l=arch}} || rowspan="10" | [https://developer.arm.com/support/security-update Post]
| |
− | |-
| |
− | | {{armh|Cortex-R8|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A8|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A9|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A15|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A17|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A57|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A72|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A73|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A75|l=arch}}
| |
− | |-
| |
− | | rowspan="3" | [[Fujitsu]] || [[SPARC64 X+]] || rowspan="3" | [http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp Post]
| |
− | |-
| |
− | | [[SPARC64 XIfx]]
| |
− | |-
| |
− | | [[SPARC64 XII]]
| |
− | |-
| |
− | | rowspan="10" | [[IBM]] || {{ibm|PowerPC 970}}
| |
− | |-
| |
− | | {{ibm|POWER6|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER7|l=arch}} || rowspan="5" | [https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ Post]<br>[http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811 Security Bulletin]
| |
− | |-
| |
− | | {{ibm|POWER7+|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER8|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER8+|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER9|l=arch}}
| |
− | |-
| |
− | | {{ibm|z12|l=arch}} || rowspan="3" |
| |
− | |-
| |
− | | {{ibm|z13|l=arch}}
| |
− | |-
| |
− | | {{ibm|z14|l=arch}}
| |
− | |-
| |
− | | rowspan="13" | [[Intel]] || {{intel|Nehalem|l=arch}} || rowspan="2" |
| |
− | |-
| |
− | | {{intel|Westmere|l=arch}}
| |
− | |-
| |
− | |{{intel|Sandy Bridge|l=arch}} || rowspan="11" | [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr Post]
| |
− | |-
| |
− | | {{intel|Ivy Bridge|l=arch}}
| |
− | |-
| |
− | | {{intel|Haswell|l=arch}}
| |
− | |-
| |
− | | {{intel|Broadwell|l=arch}}
| |
− | |-
| |
− | | {{intel|Skylake|l=arch}}
| |
− | |-
| |
− | | {{intel|Kaby Lake|l=arch}}
| |
− | |-
| |
− | | {{intel|Coffee Lake|l=arch}}
| |
− | |-
| |
− | | {{intel|Silvermont|l=arch}}
| |
− | |-
| |
− | | {{intel|Airmont|l=arch}}
| |
− | |-
| |
− | | {{intel|Goldmont|l=arch}}
| |
− | |-
| |
− | | {{intel|Goldmont Plus|l=arch}}
| |
− | |-
| |
− | | rowspan="2" | {{mipstech|-|MIPS}} || {{mipstech|P5600}} || rowspan="2" | [https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/ Post]
| |
− | |-
| |
− | | {{mipstech|P6600}}
| |
− | |-
| |
− | | [[Motorola]] || {{motorola|PowerPC 74xx}} || rowspan="3" | [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Post]
| |
− | |}
| |
− | {{expand list}}
| |
− | | |
− | == See also ==
| |
− | * {{cve|CVE-2017-5753}}, Spectre, Variant 1
| |
− | * {{cve|CVE-2017-5754}}, Meltdown, Variant 3
| |
− | | |
− | == References ==
| |
− | * Kocher, Paul, et al. "[https://arxiv.org/abs/1801.01203 Spectre Attacks: Exploiting Speculative Execution]." arXiv preprint arXiv:1801.01203 (2018).
| |
− | * "CVE-2017-5715", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
| |
− | | |
− | == Documents ==
| |
− | * [[:File:intel-ref-336983-001.pdf|White Paper: Intel Analysis of Speculative Execution Side Channels]]
| |
− | | |
| | | |
| [[category:cve]] | | [[category:cve]] |
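Review bot: The `{{see also}}` template at the top of Overview now labels its link "Spectre, Variant 2 § Overview" while the target is still `cve/cve-2017-5753`, which the page's own See also list identifies as Spectre, Variant 1; this page is Variant 2, so the label should stay "Spectre, Variant 1 § Overview". In the reworded Overview paragraph, "causing an direct branch to speculatively execute" should be "an indirect branch": the paragraph's own contrast is between direct branches with two possible paths and indirect branches with a wide range of targets, and the preceding paragraph says the attack influences the indirect branch predictor (the − line had the same "direct branch" slip, so this is a pre-existing error the edit carries forward). The new final clause also trails off: "before the mis-prediction took" needs "took place" or "took effect". In the unchanged context line, "speculative execute execute malicious code" has a duplicated word and should read "speculatively execute malicious code". Separately, this revision deletes the entire Example, Affected Processors, See also, References and Documents sections; if that is intended, the Kocher et al. reference and the MITRE link are lost along with the only cross-links to CVE-2017-5753 and CVE-2017-5754, so please confirm the removal is deliberate rather than a truncated paste, and otherwise restore those sections.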