L1D cache eviction and vector register sampling

Solution In Progress - Updated -

Issue

Executive Summary

Red Hat is aware of a microarchitectural (hardware) implementation issue that could allow an unprivileged, local attacker to bypass conventional system security controls to allow read-only access to hardware registers similar to previous speculative execution attacks released earlier for microprocessors.

At this time, this specific flaw is only known to affect Intel-based processors. This flaw is hardware-based and requires firmware updates to remediate. At this time there are no firmware updates available; Intel is working to make firmware updates available. Red Hat will ship an updated microcode package when an update solving the issue becomes available for distribution.

Resolution

At this time there is no known mitigation available. Intel is planning to release a firmware update which will mitigate this flaw. Red Hat will include these firmware updates as part of the microcode_ctl package to be released after it has passed quality assurance requirements.

Root Cause

Background

Modern microprocessors translate machine instructions into micro-operations. Each micro-operation is handled by hardware sub components and uses numerous internal buffers and other data structures designed to hold interim copies of data during micro-operation processing as it is being copied to and from memory. Previous MDS vulnerabilities exploited three types of these buffers:

  • Store buffers
  • Fill buffers
  • Load ports

These internal structures were used as part of the CPU’s speculative execution approach to improve performance. New attack vectors were discovered that exploit micro-architectural timing flaws that can leak register or cache data through MDS/TAA style timing observation of these buffer contents.

Vector Register Data Sampling (CVE-2020-0548):

MDS mitigations clear the store buffer upon execution of the clear buffer instruction (VERW). Program instructions often delegate work to hardware subcomponents to complete. Such delegated work, which began before clear buffer instruction, subcomponents could complete after the clear buffer instruction and place the results in the store buffer after it was cleared. This makes the results of these instructions able to be inferred by using MDS/TAA exploit methods.

The specific delegated operations that were outstanding were SSE/AVX/AVX-512 register reads from another process or a CPU sibling.

Level 1 Cache Eviction sampling (CVE-2020-0549):

Modern CPUs use fast-access hardware cache to reduce the time required to access data from system memory. Most CPU architectures have caches for both instructions and data. The data caches frequently use a layered approach to organize cache hierarchically into levels. The higher level (more access time) cache is less frequently consulted as the system attempts to cache the results of memory requests in lower level (lesser access time) caches.

This particular flaw exploits a micro-architectural timing flaw corner case where data in-flight during the eviction process can end up in the fill buffers.

The fill buffer contents (which were expected to be blank) can be inferred using MDS or TAA attack methods by a local attacker.

See:

  • https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/
  • https://en.wikipedia.org/wiki/Vector_processor
  • https://software.intel.com/en-us/articles/introduction-to-intel-advanced-vector-extensions

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.