From WikiChip
Difference between revisions of "cve/cve-2017-5753"
< cve

Line 1: Line 1:
 
{{cve title|CVE-2017-5753 (Spectre, Variant 1)}}
 
{{cve title|CVE-2017-5753 (Spectre, Variant 1)}}
'''CVE-2017-5753''' ('''Spectre''', '''Variant 1''', '''Bounds Check Bypass''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to [[bounds checks]] being temporarily bypassed, changing the cache states of the [[microarchitecture]], thereby leaking information.  
+
'''CVE-2017-5753''' ('''Spectre''', '''Variant 1''', '''Bounds Check Bypass''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to [[bounds checks]] being temporarily bypassed, changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]].  
  
 
== Overview ==
 
== Overview ==

Revision as of 11:59, 25 January 2018

CVE-2017-5753 (Spectre, Variant 1, Bounds Check Bypass) is a microprocessor vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to bounds checks being temporarily bypassed, changing the cache states of the microarchitecture, thereby leaking information through side-channel timing analysis.

Overview

Bounds Check Bypass leverages the speculative execution behavior of the microprocessor in order to cause some code to expose more information than intended. This methods requires an attacker to identify a possible confused deputy segment of code that's used to check whether an input is in bounds. For example:

if (input < array_size) {      // make sure the input (unsigned int) is not out of boundsd
    val = data[array[input]];  // read data
}

In the code above there is an input validation check that ensures that input doesn't go out of bounds. Once such code segment is identified, the attacker can then train the processor's branch predictor that the bounds check will likely be true. This is done by repeatedly invoking the code with valid input values.

Once set, the attacker can then invoke the same code with a value for input that is outside of bounds and with the value of array_size uncached. When this happens, the processor is going to guess that (just like before) the if statement will be true, speculatively executing val = data[array[input]]; using the malicious input value. In other words, the processor is being tricked into executing the wrong code path using an invalid input. The processor will then load the value from data into the cache at the address given by array[input] which is controlled the attacker.

Since the value of array_size was not cached, there is a delay from the time the processor starts executing val = data[array[input]]; until the value of array_size comes back to indicate that the processor speculated incorrectly. When this happens, the processor throws away the wrongly speculated instructions (the vulnerability calls transient instructions), but the change in cache state is not not reverted which can be detected and used to find a byte of the victim's memory.

This method can then be used repeatedly to read a larger part of memory.

Mounting an attack

New text document.svg This section is empty; you can help add the missing info by editing this page.