{"id":112,"date":"2018-01-13T23:19:58","date_gmt":"2018-01-13T23:19:58","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=112"},"modified":"2018-01-14T04:40:08","modified_gmt":"2018-01-14T04:40:08","slug":"spectre-cve-2017-5753-kernel-updates","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/13\/spectre-cve-2017-5753-kernel-updates\/","title":{"rendered":"Spectre (CVE-2017-5753) kernel updates"},"content":{"rendered":"<p>As suggested by Intel in their <a href=\"http:\/\/newsroom.intel.com\/wp-content\/uploads\/sites\/11\/2018\/01\/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf\">Intel Analysis of Speculative Execution Side Channels<\/a> whitepaper, the recommended mitigation for <a href=\"https:\/\/googleprojectzero.blogspot.com\/2018\/01\/reading-privileged-memory-with-side.html\">Spectre<\/a> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5753\">CVE-2017-5753<\/a>) is to use the <a href=\"http:\/\/www.felixcloutier.com\/x86\/LFENCE.html\">LFENCE<\/a> instruction (&#8220;LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes&#8221;). This stops the bounds check bypass variant, which relies on instructions being executed speculatively after a conditional branch instruction. Because the CPU sometimes executes instructions ahead of time (speculatively, to save time), the attack takes advantage of this feature to get instructions executed while the CPU is still determining whether an input is in bounds.<\/p>\n<p>Intel states that &#8220;[&#8230;]the use of an LFENCE instruction is recommended for this purpose. Serializing instructions, as well as the LFENCE instruction, will stop younger instructions from executing, even speculatively, before older instructions have retired but LFENCE is a better performance solution than other serializing instructions. 
An LFENCE instruction inserted after a bounds check will prevent younger operations from executing before the bound check retires.[&#8230;]&#8221;.<\/p>\n<p>Let&#8217;s look at an example from the Linux kernel patches:<\/p>\n<figure id=\"attachment_117\" aria-describedby=\"caption-attachment-117\" style=\"width: 602px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-117\" src=\"http:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/linux_kernel_patch_spectre-300x138.png\" alt=\"\" width=\"602\" height=\"277\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/linux_kernel_patch_spectre-300x138.png 300w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/linux_kernel_patch_spectre.png 679w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption id=\"caption-attachment-117\" class=\"wp-caption-text\">Linux kernel diff<\/figcaption><\/figure>\n<p>Similarly, on the Windows kernel side:<\/p>\n<figure id=\"attachment_118\" aria-describedby=\"caption-attachment-118\" style=\"width: 611px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-118\" src=\"http:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/windows_kernel_patch_spectre-300x27.png\" alt=\"\" width=\"611\" height=\"55\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/windows_kernel_patch_spectre-300x27.png 300w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/windows_kernel_patch_spectre-768x70.png 768w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/windows_kernel_patch_spectre-1024x93.png 1024w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2018\/01\/windows_kernel_patch_spectre.png 1037w\" sizes=\"auto, (max-width: 611px) 100vw, 611px\" \/><figcaption id=\"caption-attachment-118\" class=\"wp-caption-text\">Windows kernel 
diff<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As suggested by Intel in their\u00a0Intel Analysis of Speculative Execution Side Channels\u00a0 whitepaper, the recommended mitigation for Spectre (CVE-2017-5753) is to use the LFENCE instruction (&#8220;LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes&#8221;). This will stop the bounds check bypass method that relies [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[29,5,11,28,4],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-security","tag-cve-2017-5753","tag-exploit","tag-linux","tag-spectre","tag-windows"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"<p>As suggested by Intel in their\u00a0Intel Analysis of Speculative Execution Side Channels\u00a0 whitepaper, the recommended mitigation for Spectre (CVE-2017-5753) is to use the LFENCE instruction (&#8220;LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes&#8221;). This will stop the bounds check bypass method that relies on instructions being executed after a conditional branch instruction. As sometimes the CPU is executing instructions in advance (to save time), this method takes advantage of this feature to execute instructions while the CPU is trying to determine if an input is in bounds. 
Intel&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=112"}],"version-history":[{"count":1,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/112\/revisions"}],"predecessor-version":[{"id":119,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/112\/revisions\/119"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}