Micro-operations (μop/uop) cache attacks

Updated -

Overview

Red Hat is aware of certain microarchitectural (hardware) implementation issues involving micro-operations (μop/uop) cache affecting many modern microprocessors. An unprivileged attacker could potentially use these issues to bypass conventional system security restrictions to gain read access to a privileged system state that would otherwise be inaccessible. This issue is not shown to be a practical concern at this time as existing mitigations (noted below) provide some protection.

There are no known CVEs assigned to this issue. At this time, the research is shown to only affect the x86-64 family CPUs.

Background

Microarchitectural attacks continue to be an area of interest for security researchers, with additional side-channel attacks abused in novel ways. This side-channel attack discussed in this document works by abusing a low-level cache known as the micro-operations (μop/uop) cache.

Modern CPUs have an accepted ‘instruction set’ known as the CPU native instruction set. These native instructions are an abstraction from how the CPU works. When executing the native code, a stream of instructions can be re-organized or decoded into a simpler set of microinstructions optimized for the CPU’s specific internal topology. This attack is against the ‘cache’ of decoded microinstructions.

An attacker can execute a similar instruction set to determine if the decoded microinstructions were cached and then use this timing to infer the current state of another process's previous execution. This process is useful when inferring the execution path of a cryptographic algorithm as a timing attack. Attacks such as these are mitigated by industry best practice techniques for secure coding, including LFENCE instructions and constant-time code.

Resolution

Based on Intel's guidance, the existing best practices to mitigate side-channel and timing attacks protect against this issue. Such practices are already widely deployed in critical software such as the Linux kernel and cryptographic libraries, and this effort continues as new research is shared.

Part of Red Hat's commitment to open source is contributing code to upstream projects. This issue is currently being discussed by the upstream community, and Red Hat will take an approach that best serves the needs of both the upstream community and Red Hat customers.

Additional References