Difference between revisions of "cve/cve-2017-5715"

Latest revision as of 08:59, 27 February 2019

CVE-2017-5715 (Spectre, Variant 2, Branch Target Injection) is a microprocessor vulnerability that allows an attacker to cause otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong branch target being temporarily chosen, resulting in Spectre Variant 1 being executed, thus changing the cache states of the microarchitecture, thereby leaking information through side-channel timing analysis. For this attack to work, only speculatively execution is needed; the processor can still be in-order.

Overview[edit]

See also: Spectre, Variant 1 § Overview

Branch Target Injection leverages the speculative execution behavior of the microprocessor in order to cause some code to expose more information than intended. This method influences the indirect branch predictor in the microprocessor to speculative execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.

A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively, the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing a direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively results in Spectre Variant 1, then the attacker can infer sensitive data from the victims' memory space.

Example[edit]

Consider simple C++ inheritance such as the example below:

class Shape {
 public:
  virtual void Draw() = 0;
};

class Circle : public Shape {
 public:
  void Draw() override { … }
};

Where Shape is the base class and Circle is a derived class. Now consider the following code segment.

Shape* obj = new Circle;
obj->Draw();

In typical polymorphic code such as the example above, the target address of virtual function Draw() cannot be determined at compile time, thus resulting in an indirect branch that must be resolved at run-time. During run-time, a dynamic lookup is performed to find the matching function. While this happening, the microprocessor guess the target address and right away starts to speculative execute that code.

The attacker needs to find code similar to the example above that when manipulated through the indirect branch predictor, can lead the microprocessor to speculative execute code that results in in Spectre Variant 1. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space.

Affected Processors[edit]

Below is a list of known affected processors, alphabetized. This is NOT en exhaustive list but rather the ones we were able to verify.

List of Processors affected by Spectre, Variant 2
Designer	Processor/Architecture	Related Notes
Apple	Swift (A6/A6X)	Post Post
	Cyclone (A7)
	Typhoon (A8/A8X)
	Twister (A9/A9X)
	Hurricane (A10/A10X)
	Monsoon (A11/A11X)
AMD	Bulldozer	Post
	Piledriver
	Steamroller
	Excavator
	Zen
ARM	Cortex-R7	Post
	Cortex-R8
	Cortex-A8
	Cortex-A9
	Cortex-A15
	Cortex-A17
	Cortex-A57
	Cortex-A72
	Cortex-A73
	Cortex-A75
Fujitsu	SPARC64 X+	Post
	SPARC64 XIfx
	SPARC64 XII
IBM	PowerPC 970
	POWER6
	POWER7	Post Security Bulletin
	POWER7+
	POWER8
	POWER8+
	POWER9
	z12
	z13
	z14
Intel	Nehalem
	Westmere
	Sandy Bridge	Post
	Ivy Bridge
	Haswell
	Broadwell
	Skylake
	Kaby Lake
	Coffee Lake
	Silvermont
	Airmont
	Goldmont
	Goldmont Plus
MIPS	P5600	Post
MIPS	P6600	Post
Motorola	PowerPC 74xx	Post

This list is incomplete; you can help by expanding it.

References[edit]

Kocher, Paul, et al. "Spectre Attacks: Exploiting Speculative Execution." arXiv preprint arXiv:1801.01203 (2018).
"CVE-2017-5715", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715

Documents[edit]

White Paper: Intel Analysis of Speculative Execution Side Channels

@@ Line 1: / Line 1: @@
 {{cve title|CVE-2017-5715 (Spectre, Variant 2)}}
 [[File:spectre-text.svg|200px|right]]
-'''[[cve id::CVE-2017-5715]]''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, resulting in {{cve|cve-2017-5753|Spectre Variant 1}} being executed, thus changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. For this attack to work, only [[speculatively execution]] is needed; the processor can still be [[in-order]].
+'''[[cve id::CVE-2017-5715]]''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, resulting in {{cve|cve-2017-5753|Spectre Variant 1}} being executed, thus changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. For this attack to work, only [[speculatively execution]] is needed; the processor can still be [[in-order]].
 == Overview ==
@@ Line 7: / Line 7: @@
 ''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.
-A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively result in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims memory space.
+A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively, the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing a direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively results in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims' memory space.
 == Example ==
@@ Line 36: / Line 36: @@
 == Affected Processors ==
-Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the ones we were able to verify!
+Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the ones we were able to verify.
 {| class="wikitable"

WikiChip

The Fuse Coverage

Social Media

Companies

Microarchitectures

Technology Nodes

Intel

AMD

ARM

Cavium

Samsung

Intel

AMD

Ampere

Apple

Cavium

HiSilicon

MediaTek

NXP

Qualcomm

Renesas