Professional Documents
Culture Documents
Volume 8.
Wong Jin Kee et al., International Journal of Emerging No. 3,
Trends in March 2020Research, 8(3), March 2020, 741- 746
Engineering
International Journal of Emerging Trends in Engineering Research
Available Online at http://www.warse.org/IJETER/static/pdf/file/ijeter21832020.pdf
https://doi.org/10.30534/ijeter/2020/21832020
Wong Jin Kee1, Mohd Fadzil Abdul Kadir1*, Fauziah Ab Wahab1, Aznida Hayati Zakaria@Mohamad1,
Mohamad Afendee Mohamed1, Ahmad Faisal Amri Abidin@Bharun1
1
Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Besut Campus, Malaysia
Speculative Execution [1, 2, 3] is a technique used by a As shown in Figure 2, caching is also a technique used to
processor to increase the performance by predicting the likely speed up the process from aspect of how the memory is
outcome and execute the predicted outcome instruction accessed. For a process from the processor to access the
prematurely as shown in Figure 1. The processor will start to memory in RAM to fetch data it might take a relatively long
calculate the math for all the branches while the program is time compared to access the cache memory.
still deciding between them. It is also an optimization
technique where the processor performs tasks that may not be The RAM located on a separate chips but the cache memory is
required. In the simple term, the work is done before the a small amount of memory located in the processor or also
process determine whether it is actually needed as this is to known as CPU memory which it can be accessed quicker. The
prevent the delay of the system performance if the work is cache memory is stored with all the data and information that
carried out after known that it might be needed. For example, needed by the processor that will be needed soon or often.
if the program decide that the process A is true then compute Besides, the results of the speculative execution are always
function X; if A is false then compute function Y, therefore, stored in this memory and this is a reason that speculative
execution will be performing faster [1, 2].
741
Wong Jin Kee et al., International Journal of Emerging Trends in Engineering Research, 8(3), March 2020, 741- 746
variants but each of the attack requires its own mitigation, possibilities for a separated security contexts code to influence
patches or protection against this attack. each other via branch prediction. In simple term, this variant
allows the interference from victim to attacker and vice versa
2.1 Variant 1: Bound Check Bypass (CVE-2017-5733) as shown in Figure 4 [15].
running the Intel Haswell Xeon CPU in the normal user mode the effective techniques and patches to mitigate the attacks.
but they can successfully read kernel memory from the Microsoft, Apple, Google, Firefox and Samsung has released
processor under some predefined condition. Google believed operating system patches for most version of their machine to
that this precondition is the targeted kernel memory must be prevent this attack from attacking their users, their patches
in the L1D cache [15]. However, this variant of attack is only was announced publicly at the starting of January 2018 [21].
works with the specific types of Intel processors [15]. Table 1 is the summary of the mitigation techniques to
mitigate the various variants of the vulnerabilities.
2.4 Variant 3a: Rogue System Register Cache
(CVE-2018-3640) Table 1: Mitigation Techniques for Meltdown and Spectre
Attacks [10]
Variants 1 and 2, known as Spectre and Variant 3, known as
Meltdown which is the processor vulnerabilities proposed by Type of Mitigation Technique
the Google Project Zero researched early of January 2018 [18]. Branch avoidance in Conditional move instruction
Recently, Microsoft and Google researchers have discovered favour of conditional permits conditional
Variant 3a and Variant 4 which is similar to Spectre variant moves. behaviour.
that takes advantages of speculative execution to retrieve No involve branches.
unauthorized data via side-channel attack. Variant 3a also Mitigate: Variant 1 Reasonable form of
known as Rogue System Register Read is a variation of mitigating.
Meltdown that allows the attacker to access to the system by Not use of data-value
local access to read sensitive data and system parameters by speculation.
using the side-channel analysis. Kernel Address Space Speculation barriers and Speculation barrier
Layout Randomization (KASLR) could be bypass once the code behaviours to limit instruction is used to prevent
attacker successfully exploited this vulnerability. This variant speculation. further speculative loads.
may affect AMD, ARM and Intel CPUs [19]. Load Fence (LFENCE) used
Mitigate: Variant 1, as a barrier to eliminate all
2.5 Variant 4: Speculative Store Bypass (CVE-2018-3639) Variant 2 outstanding speculation,
barrier can be placed follow by
Storing data and loading data from memory addresses is part software bounds check but be-
of the processes in the processor. There are buffering requests fore memory access. On AMD
to store and load the data from the memory addresses which processors, LFENCE is placed
uses the speculative execution to make sure the storing and before an indirect jump.
loading of data execute as quickly as possible to increase the Indirect Branch Prediction
system performance. Before the memory writes, the processor Barrier (IBPB) to limit
will check if any addresses used in the load was part of the indirect branch prediction
recent store to the same addresses to avoid error, if so, the after an explicit barrier.
speculative data will gets thrown out [20]. The problem is, Indirect Branch Restriction
this speculative occurs in a shared unsecured area so it is Set (IBRS) to restrict branch
possible for unauthorized users to see it. This allows speculation.
unauthorized disclosure of information to an attacker by local STOBP to protect
user access via a side-channel analysis also known as hyperthreads from
Speculative Store Bypass or SpectreNG. By tricking the branch-predictor
processor, attackers can steal data like passwords, and credit manipulation.
card numbers undetected [18]. Conditional Speculation
Dependency Barrier.
3. MITIGATION TECHNIQUES (CSBD) to prevent speculative
loads, stores, instructions
The vulnerabilities attack at the hardware level and it cannot prefetches and indirect
be patched or there is no specific fix for each of the branches.
vulnerabilities but there are techniques introduced by the Return Trampoline
vendors to mitigate the vulnerabilities. By mitigating means (Retpoline) techniques is in
the vulnerabilities will be minimized or to prevent it from introduced by Google to cause
being severe but not vulnerabilities will not be removed indirect jump to prevent
completely. Many major processors vendor such as Intel, branch prediction on Intel and
AMD and ARM have re- ported that the processors have AMD processors [22].
being affected more than one variant of vulnerabilities. The Explicit flushes of Architecture does not include
expert around world and the processor vendors has being architec tural and portable interfaces to flush the
working around the vulnerabilities to research and product microarchitectural state. branch-predictor state.
744
Wong Jin Kee et al., International Journal of Emerging Trends in Engineering Research, 8(3), March 2020, 741- 746
Recommend to clear untrusted vulnerabilities arises from the speculative execution can be
Mitigate: Variant 3 values from registers hen divided into three variant which is Spectre (Variant 1 and 2)
entering privileged mode or and Meltdown (Variant 3). Later, Variant 3a and 4 has been
sensitive code. discovered on 21 May 2018 by Microsoft and Google. Each of
Implicit flushes of AMD suggested flushing the the variant uses the advantage of the speculative execution to
microar chitectural branch-predictor table using a access to the protected memory by they access via a different
state. well-defined series of function ways where Variant 1 is accessed via bounds checking
calls. features, Variant 2 is accessed via branch target inject and
Mitigate: Variant 3 Used during entering to Variant 3 is accessed to kernel mode via the virtual memory
privileged modes to prevent from the user mode. Variant 3a allows the attackers to read
the behaviour of user space to the system parameters via local access using side-channel
influence kernel branch analysis. Variant 4 which is Speculative Store Bypass allows
prediction the attacker to read older memory values in the processor’s
Un-sharing user and Kernel Page Table Isolation stack or memory location using side-channel attack. Each of
kernel address spaces (KPTI) consists of the variant opens up the possibilities for dangerous attacks.
Side-channels Efficiently There are various patches and techniques have been
Mitigate: Variant 3 Removed (KAISER) that introduced by the vendor and computer expert to mitigate this
prevents the mapping to vulnerability. Each of the variant does not have a specific fix
kernel address space when to remove the vulnerability but it can only be managed by the
operating in user space [23]. patches to minimize the attack.
Supervisor Mode Execution
Protection (SMEP) in Intel ACKNOWLEDGEMENT
and AMD processor to prevent
the influence of speculation of Special thanks to the Centre for Research Excellence and
user instruction towards the Incubation Management (CREIM), Universiti Sultan Zainal
kernel mode. Abidin for providing research fund for this research project.
Supervisor Mode Access
Protection (SMAP) used to REFERENCES
prevent the speculated kernel 1. J. Fruhlinger. CSO: Spectre and Meltdown explained:
to access to the user data. What they are, how they work, what’s at risk,
Mitigate Rogue System This vulnerability is only via a https://www.csoonline.com/article/3247868/vulnerabilit
Register Read microcode or firmware update ies/spectre-and-
[24]. meltdown-explained-what-they-are-how-they-work-wha
Mitigate: Variant 3a ts-at-risk.html, last updated on 2018/01/15.
Mitigate Speculative Patches using Speculative 2. The ITS Crew. Spectre & Meltdown: Newly discovered
Store By pass Store Bypass Disable (SSBD) Vulnerabilities that affect almost all computing devices,
will be introduced by Intel and https://www.itstactical.com/digicom/security/spectre-me
Mitigate: Variant 4 AMD which this inhibit the ltdown-
Speculative Store Bypass thus newly-discovered-vulnerabilities-affect-almost-computi
elimination the risk of ng-devices/, last updated on 2018/02/14.
security. 3. J. Hruska. ExtremeTech: What is Speculative Execution,
Microsoft to develop, release https://www.extreme-
and deploy defence-in-depth tech.com/computing/261792-what-is-speculative-execut
mitigations [25]. ion, latest update on 2018/01/10.
4. P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg,
4. CONCLUSION M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y.
Yarom. Spectre Attacks: Ex- ploiting speculative
In this paper, we presented the review of the current security execution, Cornell University Library (Jan 2018).
vulnerabilities which is Meltdown and Spectre attacks. Both https://doi.org/10.1109/SP.2019.00002
the Meltdown and Spectre attack take the benefit of 5. Giorgi Maisuradze, Christian Rossow, Speculose:
speculative execution features in most of the modern CPU or Analyzing the Security Implications of Speculative
high-performance computers. The speculative execution will Execution in CPUs, Cornell University Library (January
supposed to be a feature to increase the performance of the 2018).
processors and provide parallel computing to shorten the 6. P. Bright. As predicted, more branch prediction
process pro- cessing time but the Meltdown and Spectre processor attacks are discovered,
exploitation is abusing it to access to the protected memory or https://arstechnica.com/gadgets/2018/03/its-not-just-spe
privileged memory to retrieve the protected data. The
745
Wong Jin Kee et al., International Journal of Emerging Trends in Engineering Research, 8(3), March 2020, 741- 746
746