Speculative Store Bypass

Processor security vulnerability

Speculative Store Bypass (SSB) (CVE-2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities.^[1] It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ).^[2] After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG,^[3]^[4]^[5]^[6] it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".^[7]^[1]

Details

Speculative execution exploit Variant 4,^[8] is referred to as Speculative Store Bypass (SSB),^[1]^[9] and has been assigned CVE-2018-3639.^[7] SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities.^[7]

Steps involved in exploit:^[1]

"Slowly" store a value at a memory location
"Quickly" load that value from that memory location
Utilize the value that was just read to disrupt the cache in a detectable way

Impact and mitigation

Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.^[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.^[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.^[11]

Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD).^[7]^[2]^[12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks"^{[needs update]}.^[7] Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;^[13]^[2]^[14] however, microcode/firmware updates are required for the software updates to have an effect.^[13]

Speculative execution exploit variants

Summary of speculative execution variants^[15]^[7]^[16]^[17]
Vulnerability	CVE	Exploit name	Public vulnerability name	CVSS v2.0	CVSS v3.0
Spectre	2017-5753	Variant 1	Bounds Check Bypass (BCB)	4.7	5.6
Spectre	2017-5715	Variant 2	Branch Target Injection (BTI)	4.7	5.6
Meltdown	2017-5754	Variant 3	Rogue Data Cache Load (RDCL)	4.7	5.6
Spectre-NG	2018-3640	Variant 3a	Rogue System Register Read (RSRR^[18])	4.7	5.6
Spectre-NG	2018-3639	Variant 4	Speculative Store Bypass (SSB)	4.9	5.5
Spectre-NG	2018-3665		Lazy FP State Restore	4.7	5.6
Spectre-NG	2018-3693		Bounds Check Bypass Store (BCBS)	4.7	5.6
Foreshadow	2018-3615	Variant 5	L1 Terminal Fault (L1TF)	5.4	6.4
Foreshadow-NG	2018-3620			4.7	5.6
Foreshadow-NG	2018-3646			4.7	5.6

References

^ ^a ^b ^c ^d Bright, Peter (2018-05-22). "Predictable problems - New speculative-execution vulnerability strikes AMD, ARM, and Intel". Ars Technica. Archived from the original on 2018-05-26. Retrieved 2018-05-25.
^ ^a ^b ^c Ubuntu Community (2018-05-21). "Variant4". Archived from the original on 2018-05-22. Retrieved 2018-05-21.
^ Schmidt, Jürgen (2018-05-03). "Super-GAU für Intel: Weitere Spectre-Lücken im Anflug". c't - magazin für computertechnik (in German). Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-03. Schmidt, Jürgen (2018-05-03). "Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious". c't - magazin für computertechnik. Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
^ Fischer, Martin (2018-05-03). "Spectre-NG: Intel-Prozessoren von neuen hochriskanten Sicherheitslücken betroffen, erste Reaktionen von AMD und Intel". c't - magazin für computertechnik (in German). Heise Online. Archived from the original on 2018-05-05. Retrieved 2018-05-04.
^ Tung, Liam (2018-05-04). "Are 8 new 'Spectre-class' flaws about to be exposed? Intel confirms it's readying fixes". ZDNet. Archived from the original on 2018-05-22. Retrieved 2018-03-04.
^ Kumar, Mohit (2018-05-04). "8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs". The Hacker News. Archived from the original on 2018-05-05. Retrieved 2018-05-05.
^ ^a ^b ^c ^d ^e ^f ^g "Q2 2018 Speculative Execution Side Channel Update". Intel. 2018-05-21. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
^ Warren, Tom (2018-05-21). "Google and Microsoft disclose new CPU flaw, and the fix can slow machines down - New firmware updates are on the way". The Verge. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
^ Martindale, Jon (2018-05-22). "New Spectre-like bug could mean more performance-degrading patches". Digital Trends. Archived from the original on 2018-05-26. Retrieved 2018-05-22.
^ Newman, Lily Hay (2018-05-21). "After Meltdown and Spectre, Another Scary Chip Flaw Emerges". Wired. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
^ "A year with Spectre: a V8 perspective". 2019-04-23. Retrieved 2019-04-23.
^ "Speculative Execution Side Channel Mitigations" (PDF). Revision 2.0. Intel. May 2018 [January 2018]. Document Number: 336996-002. Retrieved 2018-05-26.
^ ^a ^b "Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639". RedHat. 2018-05-21. Resolve tab. Archived from the original on 2018-05-22. Retrieved 2018-05-22.
^ Miller, Matt. "Analysis and mitigation of speculative store bypass (CVE-2018-3639)". Microsoft Security Response Center. Speculative store bypass disable (SSBD) section. Archived from the original on 2018-05-22. Retrieved 2018-05-21.
^ "Vulnerability Note VU#180049 - CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks". CERT. 2018-05-24 [2018-05-21]. Archived from the original on 2018-05-26. Retrieved 2018-05-26.
^ Windeck, Christof (2018-05-21). "CPU-Sicherheitslücken Spectre-NG: Updates rollen an Update". Heise Security (in German). Archived from the original on 2018-05-21. Retrieved 2018-05-21.
^ "NVD - Cve-2017-5753".
^ Sometimes misspelled "RSRE"

External links

Website detailing the Meltdown and Spectre vulnerabilities, hosted by Graz University of Technology
Google Project Zero write-up
Meltdown/Spectre Checker Gibson Research Corporation

Speculative execution security vulnerabilities

Variants

Bounds Check Bypass (Spectre, Variant 1)
Bounds Check Bypass Store (Spectre-NG)
Branch Target Injection (Spectre, Variant 2)
Downfall
Foreshadow
Lazy FP state restore (Spectre-NG)
Load value injection
Microarchitectural Data Sampling
Pacman
Retbleed
Rogue Data Cache Load (Meltdown, Variant 3)
Rogue System Register Read (Spectre-NG, Variant 3a)
Speculative Store Bypass (Spectre-NG, Variant 4)
Spoiler

Topics

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Vault7 data breach Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Advanced
persistent threats

Individuals

Major vulnerabilities
publicly disclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet