Our team is working on the best approach to secure our customers' systems against the recently reported Spectre and Meltdown vulnerabilities. Our first step is to understand the problem and its mitigations. This post provides a roundup of discussions and work on the topic with a focus on mitigation for the Xen hypervisor.
Spectre (aka “Branch target injection”) includes:
SP1) speculative execution to perform bounds-check bypass (CVE-2017-5753)
SP2) utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively
SP3) a third variant (CVE-2017-5754), rogue data cache load. It relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. Subsequent memory accesses may cause an allocation into the L1 data cache even when they reference otherwise inaccessible memory locations. As a result, an unprivileged local attacker could read privileged (kernel space) memory (including arbitrary physical memory locations on a host) by conducting targeted cache side-channel attacks.
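To make the SP1 mitigation concrete, the following added example (not from the original post or from the Xen project) shows a bounds-checked table lookup next to a hardened form that clamps the index with a branchless mask, modelled on the index-masking approach of the Linux kernel's `array_index_nospec()`. The names `table`, `lookup_checked`, `lookup_hardened` and `index_mask_nospec` are hypothetical, the table contents are constructed, and the code assumes GCC or Clang (inline asm barrier, arithmetic right shift of signed values).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16UL
/* Constructed sample data for the example. */
static const uint8_t table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* Returns all-ones when idx < size and zero otherwise, without a branch,
 * so the result is a data dependency the CPU cannot mispredict.
 * Assumes size <= LONG_MAX. */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* Hide idx from the optimizer so the mask is not folded away using
     * the range the preceding bounds check established. */
    __asm__ volatile("" : "+r"(idx));
    return (unsigned long)(~(long)(idx | (size - 1UL - idx))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Before: architecturally correct, but on a mispredicted branch the load
 * can still execute speculatively with an out-of-range idx (SP1). */
int lookup_checked(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

/* After: same check, then the index is ANDed with the mask, so even a
 * speculative load is confined to table[0..TABLE_LEN-1]. */
int lookup_hardened(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx &= index_mask_nospec(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    printf("in range: rc=%d v=0x%02x\n", lookup_hardened(3, &v), v);
    printf("out of range: rc=%d\n", lookup_hardened(TABLE_LEN, &v));
    return 0;
}
```

In kernel or hypervisor code, use the project's own helper rather than a local copy, since it carries the architecture-specific barriers.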