Shulou(Shulou.com)06/01 Report--

This article is about how to analyze CPU SSB/RSRE vulnerability warning. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

Overview of 0x00 vulnerabilities

On May 21, 2018, Microsoft officially announced the details of the new CPU vulnerability, Speculative Store Bypass (SSB), which belongs to one of the early warning Spectre-NG (Variant 4), which was jointly discovered by Ken Johnson of the MSRC team and Jann Horn of the Google Project Zero team. The vulnerability number is CVE-2018-3639. Currently, the Google Project Zero team has released the relevant poc code, and attackers can get old content in cpu or memory through v4.

At the same time, another CPU vulnerability, Rogue System Register Read (RSRE), is also disclosed, which belongs to Variant 3a in Spectre-NG, and the vulnerability number is CVE-2018-3640.

After evaluation, the 360-CERT team believes that the vulnerability risk level is important and recommends that it be updated after careful assessment.

0x01 vulnerability impact surface

The CPU of AMD,ARM,Intel manufacturers is affected to varying degrees.

At present,

Microsoft released a security update for the Spectre and Meltdown vulnerability at the beginning of the year to alleviate this vulnerability.

Mainstream browser manufacturers, Intel, RedHat, Xen and other basic service providers have also provided corresponding mitigation measures.

List of affected processors provided by Intel:

Intel ®Core ™i3 processor (45nm and 32nm)

Intel ®Core ™i5 processor (45nm and 32nm)

Intel ®Core ™i7 processor (45nm and 32nm)

Intel ®Core ™M processor family (45nm and 32nm)

2nd generation Intel ®Core ™processors

3rd generation Intel ®Core ™processors

4th generation Intel ®Core ™processors

5th generation Intel ®Core ™processors

6th generation Intel ®Core ™processors

7th generation Intel ®Core ™processors

8th generation Intel ®Core ™processors

Intel ®Core ™X-series Processor Family for Intel ®X99 platforms

Intel ®Core ™X-series Processor Family for Intel ®X299 platforms

Intel ®Xeon ®processor 3400 series

Intel ®Xeon ®processor 3600 series

Intel ®Xeon ®processor 5500 series

Intel ®Xeon ®processor 5600 series

Intel ®Xeon ®processor 6500 series

Intel ®Xeon ®processor 7500 series

Intel ®Xeon ®Processor E3 Family

Intel ®Xeon ®Processor E3 v2 Family

Intel ®Xeon ®Processor E3 v3 Family

Intel ®Xeon ®Processor E3 v4 Family

Intel ®Xeon ®Processor E3 v5 Family

Intel ®Xeon ®Processor E3 v6 Family

Intel ®Xeon ®Processor E5 Family

Intel ®Xeon ®Processor E5 v2 Family

Intel ®Xeon ®Processor E5 v3 Family

Intel ®Xeon ®Processor E5 v4 Family

Intel ®Xeon ®Processor E7 Family

Intel ®Xeon ®Processor E7 v2 Family

Intel ®Xeon ®Processor E7 v3 Family

Intel ®Xeon ®Processor E7 v4 Family

Intel ®Xeon ®Processor Scalable Family

Intel ®Atom ™Processor C Series (C3308, C3338, C3508, C3538, C3558, C3708, C3750, C3758, C3808, C3830, C3850, C3858, C3950, C3955, C3958)

Intel ®Atom ™Processor E Series

Intel ®Atom ™Processor A Series

Intel ®Atom ™Processor X Series (x5-E3930, x5-E3940, x7-E3950)

Intel ®Atom ™Processor T Series (T5500, T5700)

Intel ®Atom ™Processor Z Series

Intel ®Celeron ®Processor J Series (J3355, J3455, J4005, J4105)

Intel ®Celeron ®Processor N Series (N3450)

Intel ®Pentium ®Processor J Series (J4205)

Intel ®Pentium ®Processor N Series (N4000, N4100, N4200)

Intel ®Pentium ®Processor Silver Series (J5005, N5000)

Details of 0x02 vulnerability

Speculative Store Bypass (SSB)-details of CVE-2018-3639 vulnerability. An attacker can get old content in cpu or memory through v4. The vulnerability may occur in the following scenarios:

01: 88040F mov [rdi+rcx], al

02: 4C0FB6040E movzx r8,byte [rsi+rcx]

03: 49C1E00C shl r8,byte 0xc

04: 428B0402 mov eax, [rdx+r8]

If RDI and RSI point to the same address, it is assumed that the MOV instruction in line 1 may require extra time to execute under special circumstances (if the address expression that evaluates RDI+RCX is waiting for the previous instruction to execute). In this case, CPU may predict that MOVZX is independent of MOV and can be predicted before the execution of the MOV that holds the AL data. This may cause old data in RSI+RCX 's memory to be loaded into R8, causing the fourth line of code to use the wrong data.

The attack scenarios applicable to this vulnerability are as follows:

The effect of Poc is as follows:

Rogue System Register Read (RSRE)-CVE-2018-3640 vulnerability:

The vulnerability allows attackers with local user access to read the value of system registers through side channel attacks on microprocessors with predictive execution capabilities.

0x03 mitigation measures

Mitigation measures for Speculative Store Bypass (SSB)-CVE-2018-3639:

Use serialization instructions (such as LFENCE on x86/x64 and SSBB instruction on ARM) to mask prediction execution and mitigate SSB vulnerabilities

Upgrade microcode or firmware to fix this vulnerability in hardware

Mitigation measures for the CVE-2017-5753 (Spectre variant 1) vulnerability also apply to this vulnerability.

Impact of other mitigation measures on this vulnerability:

The above is how to analyze the early warning of CPU SSB/RSRE vulnerabilities. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.