Re: [Xen-devel] Xen Security Advisory 254 - Information leak via side effects of speculative execution

[Doug Goldstein]

I'm just adding some comments below on some updates that might be
helpful to add to help clarify things for interested parties. These
comments are driven purely based on the questions that I've had to field
from others.

- Since this advisory talks about 3 CVEs and then breaks the issue into
3 items SP1, SP2 and SP3 it would be helpful to directly map them to
their CVEs.
- There has been some confusion around mitigation and resolution where
people misunderstand the terms and therefore there might be some value
in providing some updates to provide some more clarity.

> 
> SP1, "Bounds-check bypass": Poison the branch predictor, such that
> operating system or hypervisor code is speculatively executed past
> boundary and security checks.  This would allow an attacker to, for
> instance, cause speculative code in the normal hypercall / emulation
> path to execute with wild array indexes.

please add CVE-2017-5753

> 
> SP2, "Branch Target Injection": Poison the branch predictor.
> Well-abstracted code often involves calling function pointers via
> indirect branches; reading these function pointers may involve a
> (slow) memory access, so the CPU attempts to guess where indirect
> branches will lead.  Poisoning this enables an attacker to
> speculatively branch to any code that exists in the hypervisor.

please add CVE-2017-5715


> 
> SP3, "Rogue Data Load": On some processors, certain pagetable
> permission checks only happen when the instruction is retired;
> effectively meaning that speculative execution is not subject to
> pagetable permission checks.  On such processors, an attacker can
> speculatively execute arbitrary code in userspace with, effectively,
> the highest privilege level.

please add CVE-2017-5754 and/or reference this is meltdown.

> 
> MITIGATION
> ==
> 
> There is no mitigation for SP1 and SP2.
> 
> SP3 can be mitigated by running guests in HVM or PVH mode.
> 
> For guests with legacy PV kernels which cannot be run in HVM mode, we
> have developed a "shim" hypervisor that allows PV guests to run in PVH
> mode.  Unfortunately, due to the accelerated schedule, this is not yet
> ready to release.  We expect to have it ready for 4.10, as well as PVH
> backports to 4.9 and 4.8, available over the next few days.
> 
> RESOLUTION
> ==
> 
> There is no available resolution for SP1 or SP3.

I believe there has been some confusion among some people about the
terms here. There are some people that understand "mitigation" as "what
can I do now to avoid this" and "resolution" as "what updates can I
apply". As a result they are misunderstanding here what the net result
is. Some clarifications could be that the PVH shim is the resolution for
the SP3 issue. However its not a fix for PV itself but instead changes
the very nature of how PV guests are started up.


-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] Xen Security Advisory 254 - Information leak via side effects of speculative execution

[George Dunlap]

On 01/03/2018 10:30 PM, Xen.org security team wrote:
> VULNERABLE SYSTEMS
> ==
> 
> Systems running all versions of Xen are affected.
> 
> For SP1 and SP2, both Intel and AMD are vulnerable.
> 
> For SP3, only Intel processors are vulnerable. Furthermore, only
> 64-bit PV guests can exploit SP3 against Xen.  PVH and 32-bit PV
> guests cannot exploit SP3.
> 
> We believe that ARM is affected, but unfortunately due to the
> accelerated schedule, we haven't been able to get concrete input from
> ARM.  We are asking ARM and will publish more information when it is
> available.

There was a question about devicemodel stub domains.  Devicemodel stub
domains run in PV mode, so is it still safer to run device models in a
stub domain than in domain 0?

The short answer is, yes, it is still safer to run stub domains than
otherwise.

If an attacker can gain control of the device model running in a stub
domain, it can indeed attempt to use these processor vulnerabilities to
read information from Xen.

However, if an attacker can gain control of a device model running in
domain 0 without deprivileging, the attacker can gain control of the
entire system.  Even with qemu deprivileging, the qemu process may be
able to execute speculative execution attacks against the hypervisor.

So although XSA-254 does affect device model stub domains, they are
still safer than not running with a stub domain.

 -George

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] Xen Security Advisory 254 - Information leak via side effects of speculative execution

[Xen . org security team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Xen Security Advisory XSA-254

Information leak via side effects of speculative execution

ISSUE DESCRIPTION
=

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

SP1, "Bounds-check bypass": Poison the branch predictor, such that
operating system or hypervisor code is speculatively executed past
boundary and security checks.  This would allow an attacker to, for
instance, cause speculative code in the normal hypercall / emulation
path to execute with wild array indexes.

SP2, "Branch Target Injection": Poison the branch predictor.
Well-abstracted code often involves calling function pointers via
indirect branches; reading these function pointers may involve a
(slow) memory access, so the CPU attempts to guess where indirect
branches will lead.  Poisoning this enables an attacker to
speculatively branch to any code that exists in the hypervisor.

SP3, "Rogue Data Load": On some processors, certain pagetable
permission checks only happen when the instruction is retired;
effectively meaning that speculative execution is not subject to
pagetable permission checks.  On such processors, an attacker can
speculatively execute arbitrary code in userspace with, effectively,
the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/

Additional Xen-specific background:

64-bit Xen hypervisors on systems with less than 5TiB of RAM map all
of physical RAM, so code speculatively executed in a hypervisor
context can read all of system RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (HVM and PVH guests run in a separate
address space to the hypervisor.)  However, only 64-bit PV guests can
generate addresses large enough to point to hypervisor memory.

IMPACT
==

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, or SP2 on systems where SMEP (supervisor mode execute protection)
is enabled: an attacker is limited to windows of code after bound
checks of user-supplied indexes.  For SP2 without SMEP, or SP3, an
attacker can write arbitrary code to speculatively execute.

NOTE ON TIMING
==

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.

For SP3, only Intel processors are vulnerable. Furthermore, only
64-bit PV guests can exploit SP3 against Xen.  PVH and 32-bit PV
guests cannot exploit SP3.

We believe that ARM is affected, but unfortunately due to the
accelerated schedule, we haven't been able to get concrete input from
ARM.  We are asking ARM and will publish more information when it is
available.

MITIGATION
==

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.

For guests with legacy PV kernels which cannot be run in HVM mode, we
have developed a "shim" hypervisor that allows PV guests to run in PVH
mode.  Unfortunately, due to the accelerated schedule, this is not yet
ready to release.  We expect