Latest revision |
Your text |
Line 1: |
Line 1: |
| {{cve title|CVE-2017-5753 (Spectre, Variant 1)}} | | {{cve title|CVE-2017-5753 (Spectre, Variant 1)}} |
− | [[File:spectre-text.svg|200px|right]]
| + | '''CVE-2017-5753''' ('''Spectre''', '''Variant 1''', '''Bounds Check Bypass''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to [[bounds checks]] being temporarily bypassed, changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. |
− | '''[[cve id::CVE-2017-5753]]''' ('''Spectre''', '''Variant 1''', '''Bounds Check Bypass''') is a [[microprocessor]] vulnerability that allows an attacker to cause otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to [[bounds checks]] being temporarily bypassed, changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. For this attack to work, only [[speculatively execution]] is needed; the processor can still be [[in-order]]. | |
− | | |
− | This attack can be use on top of {{cve|CVE-2017-5715}} (Spectre, Variant 2) in order to cause a correct program to lead to this (Variant 1) vulnerability by making the microprocessor take the wrong [[branch target]].
| |
| | | |
| == Overview == | | == Overview == |
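Review bot: the replacement intro loses two substantive statements from the current revision, the note that only speculative execution is required (so an in-order core is still affected) and the paragraph on combining this variant with {{cve|CVE-2017-5715}} (Variant 2) to steer a correct program into the vulnerable branch; if the edit is meant to be a rewording, keep both, since the in-order remark is the one sentence that says which processors are in scope. The same hunk swaps '''[[cve id::CVE-2017-5753]]''' for plain '''CVE-2017-5753''', dropping the semantic property that the {{cve|...}} template links elsewhere in this diff appear to key off (an assumption from the template names visible here), and removes [[File:spectre-text.svg|200px|right]] without a stated reason. Minor wording: "an otherwise correctly executing code" should read "otherwise correctly executing code", as in the current revision.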
Line 71: |
Line 68: |
| The attacker can then continue to do this whole procedure repeatedly to get the value of <code>secrete_data[1]</code>, then <code>secrete_data[2]</code>, etc until the entire content of the secrete data is indirectly leaked to the attacker. | | The attacker can then continue to do this whole procedure repeatedly to get the value of <code>secrete_data[1]</code>, then <code>secrete_data[2]</code>, etc until the entire content of the secrete data is indirectly leaked to the attacker. |
| | | |
− | === Breaking sandbox isolation === | + | === Leaking data from outside of a sandbox === |
− | Since the attack makes use of the very fundamental behavior of a modern microprocessor, it can be taken advantage in a more restrictive environment such as a [[sandbox]] (e.g., a [[browser]]). A specially constructed piece of [[JavaScript]] can running on a browser that has a [[JIT]] compiler can be used to leak the entire memory of its parent process (i.e. the browser, other tabs, and any other stored shared memory) using this method. This aspect of the vulnerability is particularly dangerous since [[JavaScript]] can be sent to an innocent web client via something as simple as an ad. | + | Since the attack makes use of the very fundamental behavior of a modern microprocessor, it can be taken advantage in a more restrictive environment such as a [[sandbox]] (e.g., a [[browser]]). A specially constructed piece of [[javascript]] can running on a browser that has a [[JIT]] compiler can be used to leak the entire memory of its parent process (i.e. the browser, other tabs, and any other stored shared memory) using this method. |
− | | |
− | ==== JavaScript ====
| |
− | The paper describing the attack (see [[#References]]) listed the following JavaScript snippet.
| |
− | | |
− | <source lang=JavaScript>
| |
− | if (index < simpleByteArray.length) {
| |
− | index = simpleByteArray[index | 0];
| |
− | index = (((index * TABLE1_STRIDE)|0) & (TABLE1_BYTES-1))|0;
| |
− | localJunk ^= probeTable[index|0]|0;
| |
− | }
| |
− | </source>
| |
− | | |
− | The cache status of <code>probeTable[byte * TABLE1_STRIDE]</code> can then be used by an attacker to [[side-channel analysis|infer the value]] of a given memory location.
| |
− | | |
− | == Affected Processors ==
| |
− | Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the once we were able to verify!
| |
− | | |
− | {| class="wikitable"
| |
− | |-
| |
− | ! colspan="3" | List of Processors affected by Spectre, Variant 1
| |
− | |-
| |
− | ! Designer !! Processor/Architecture !! Related Notes
| |
− | |-
| |
− | | rowspan="6" | [[Apple]] || {{apple|Swift|l=arch}} ({{apple|A6}}/{{apple|A6X}}) || rowspan="6" | [https://support.apple.com/en-us/HT201222 Post]<br>[https://support.apple.com/en-us/HT208331 Post]
| |
− | |-
| |
− | | {{apple|Cyclone|l=arch}} ({{apple|A7}})
| |
− | |-
| |
− | | {{apple|Typhoon|l=arch}} ({{apple|A8}}/{{apple|A8X}})
| |
− | |-
| |
− | | {{apple|Twister|l=arch}} ({{apple|A9}}/{{apple|A9X}})
| |
− | |-
| |
− | | {{apple|Hurricane|l=arch}} ({{apple|A10}}/{{apple|A10X}})
| |
− | |-
| |
− | | {{apple|Monsoon|l=arch}} ({{apple|A11}}/{{apple|A11X}})
| |
− | |-
| |
− | | rowspan="5"| [[AMD]] || {{amd|Bulldozer|l=arch}} || rowspan="5" | [https://www.amd.com/en/corporate/speculative-execution Post]
| |
− | |-
| |
− | | {{amd|Piledriver|l=arch}}
| |
− | |-
| |
− | | {{amd|Steamroller|l=arch}}
| |
− | |-
| |
− | | {{amd|Excavator|l=arch}}
| |
− | |-
| |
− | | {{amd|Zen|l=arch}}
| |
− | |-
| |
− | | rowspan="10" | [[ARM Holdings|ARM]] || {{armh|Cortex-R7|l=arch}} || rowspan="10" | [https://developer.arm.com/support/security-update Post]
| |
− | |-
| |
− | | {{armh|Cortex-R8|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A8|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A9|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A15|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A17|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A57|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A72|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A73|l=arch}}
| |
− | |-
| |
− | | {{armh|Cortex-A75|l=arch}}
| |
− | |-
| |
− | | rowspan="3" | [[Fujitsu]] || [[SPARC64 X+]] || rowspan="3" | [http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp Post]
| |
− | |-
| |
− | | [[SPARC64 XIfx]]
| |
− | |-
| |
− | | [[SPARC64 XII]]
| |
− | |-
| |
− | | rowspan="10" | [[IBM]] || {{ibm|PowerPC 970}}
| |
− | |-
| |
− | | {{ibm|POWER6|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER7|l=arch}} || rowspan="5" | [https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ Post]<br>[http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811 Security Bulletin]
| |
− | |-
| |
− | | {{ibm|POWER7+|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER8|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER8+|l=arch}}
| |
− | |-
| |
− | | {{ibm|POWER9|l=arch}}
| |
− | |-
| |
− | | {{ibm|z12|l=arch}} || rowspan="3" |
| |
− | |-
| |
− | | {{ibm|z13|l=arch}}
| |
− | |-
| |
− | | {{ibm|z14|l=arch}}
| |
− | |-
| |
− | | rowspan="13" | [[Intel]] || {{intel|Nehalem|l=arch}} || rowspan="2" |
| |
− | |-
| |
− | | {{intel|Westmere|l=arch}}
| |
− | |-
| |
− | |{{intel|Sandy Bridge|l=arch}} || rowspan="11" | [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr Post]
| |
− | |-
| |
− | | {{intel|Ivy Bridge|l=arch}}
| |
− | |-
| |
− | | {{intel|Haswell|l=arch}}
| |
− | |-
| |
− | | {{intel|Broadwell|l=arch}}
| |
− | |-
| |
− | | {{intel|Skylake|l=arch}}
| |
− | |-
| |
− | | {{intel|Kaby Lake|l=arch}}
| |
− | |-
| |
− | | {{intel|Coffee Lake|l=arch}}
| |
− | |-
| |
− | | {{intel|Silvermont|l=arch}}
| |
− | |-
| |
− | | {{intel|Airmont|l=arch}}
| |
− | |-
| |
− | | {{intel|Goldmont|l=arch}}
| |
− | |-
| |
− | | {{intel|Goldmont Plus|l=arch}}
| |
− | |-
| |
− | | rowspan="2" | {{mipstech|-|MIPS}} || {{mipstech|P5600}} || rowspan="2" | [https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/ Post]
| |
− | |-
| |
− | | {{mipstech|P6600}}
| |
− | |-
| |
− | | [[Motorola]] || {{motorola|PowerPC 74xx}} || rowspan="3" | [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Post]
| |
− | |}
| |
− | {{expand list}}
| |
− | | |
− | == See also ==
| |
− | * {{cve|CVE-2017-5715}}, Spectre, Variant 2
| |
− | * {{cve|CVE-2017-5754}}, Meltdown, Variant 3
| |
− | | |
− | == References ==
| |
− | * Kocher, Paul, et al. "[https://arxiv.org/abs/1801.01203 Spectre Attacks: Exploiting Speculative Execution]." arXiv preprint arXiv:1801.01203 (2018).
| |
− | * "CVE-2017-5753", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
| |
| | | |
− | == Documents ==
| |
− | * [[:File:intel-ref-336983-001.pdf|White Paper: Intel Analysis of Speculative Execution Side Channels]]
| |
| | | |
| [[category:cve]] | | [[category:cve]] |
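Review bot: the deletion of the JavaScript snippet, the Affected Processors table and the See also, References and Documents sections leaves the page with no citation at all (the only reference, Kocher et al., arXiv:1801.01203, goes with them) and no vendor advisory links for any affected processor; if the intended change is the section retitle from "Breaking sandbox isolation" to "Leaking data from outside of a sandbox", restore those sections, and also restore the dropped sentence noting that the JavaScript can reach a client via something as simple as an ad, which is the part of the paragraph that explains why the sandbox case matters. Wording in the retained paragraph: "can be taken advantage in" should read "can be taken advantage of in", "can running on" should read "running on", and [[JavaScript]] becoming [[javascript]] is harmless to MediaWiki's first-letter case folding but inconsistent with the rest of the page. The unchanged context line above it still reads "secrete_data" and "etc until"; "etc. until" is a straightforward fix, and "secrete_data" is worth renaming to "secret_data" only if the same identifier is changed consistently throughout the Overview.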