CVE-2017-5753 (Spectre, Variant 1, Bounds Check Bypass) is a microprocessor vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to bounds checks being temporarily bypassed, changing the cache states of the microarchitecture, thereby leaking information.
Overview
Bounds Check Bypass leverages the speculative execution behavior of the microprocessor in order to cause some code to expose more information than intended. This methods requires an attacker to identify a possible confused deputy segment of code that's used to check whether an input is in bounds. For example:
if (input < array_size) { // make sure the input (unsigned int) is not out of boundsd
val = data[array[input]]; // read data
}
In the code above there is an input validation check that ensures that input
doesn't go out of bounds. Once such code segment is identified, the attacker can then train the processor's branch predictor that the bounds check will likely be true. This is done by repeatedly invoking the code with valid input
values.
Once set, the attacker can then invoke the same code with a value for input
that is outside of bounds and with the value of array_size
uncached. When this happens, the processor is going to guess that (just like before) the if statement will be true, speculatively executing val = data[array[input]];
using the malicious input
value. In other words, the processor is being tricked into executing the wrong code path using an invalid input. The processor will then load the value from data
into the cache at the address given by array[input]
which is controlled the attacker.
Since the value of array_size
was not cached, there is a delay from the time the processor starts executing val = data[array[input]];
until the value of array_size
comes back to indicate that the processor speculated incorrectly. When this happens, the processor throws away the wrongly speculated instructions (the vulnerability calls transient instructions), but the change in cache state is not not reverted which can be detected and used to find a byte of the victim's memory.
This method can then be used repeatedly to read a larger part of memory.
Mounting an attack
This section is empty; you can help add the missing info by editing this page. |