Wednesday, August 7th 2019
SWAPGS: Another Speculative Side Channel Vulnerability
Yet another CPU vulnerability was disclosed today. It is called SWAPGS and is tracked in the industry as CVE-2019-1125. The vulnerability was discovered twelve months ago and privately reported to Intel by a security researcher. It is supposedly present on both AMD and Intel CPUs, but Bitdefender security researchers only demonstrated it on Intel platforms. Red Hat issued a statement saying that both platforms are affected and that users should upgrade their systems as soon as possible. Microsoft already shipped a fix with last month's "Patch Tuesday" update, so if you updated your OS recently, you are already protected against SWAPGS.
AMD issued a statement as well, in which it says: "AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."
How SWAPGS works
SWAPGS is a Spectre-type exploit that takes advantage of the processor's branch prediction (guessing which instruction sequence will run next in order to improve performance). The processor speculates which instruction sequence is most likely to run next and prepares its internal state for it. Sensitive data can be leaked by observing the timing effects of these speculatively executed instructions.
SWAPGS comes into play because the exploit is similar to Spectre. It is named after the x86-64 instruction SWAPGS, which swaps the GS register (one of the segment registers that together form a complete memory address) with a value intended to be used during kernel operations. By its nature, SWAPGS does not perform any kind of validation on the data it uses, so an attack can be carried out. During the swap, an attacker can insert any value without the processor raising an error or warning.
Mitigations
As you know, for Spectre and Meltdown there aren't many mitigations built into hardware, and the industry still largely depends on software/firmware-level mitigations that negatively affect performance. Only the most recent processor models from AMD and Intel have hardware mitigations. For now, Microsoft has already pushed the update to its Windows OSes, and kernel patches for *nix-based OSes should have been implemented as well. The performance impact of these patches is still unknown.
Update: The performance impact of the SWAPGS mitigation has been tested with the latest Linux kernel. Phoronix benchmarked Intel's Core i9 9900K and found a 1-5% performance reduction in synthetic benchmarks, with a 1% reduction on average across all benchmarks. You can check out their performance results here.
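On Linux, the practical question after reading the above is whether the running kernel actually carries the SWAPGS barrier. The sysfs file `/sys/devices/system/cpu/vulnerabilities/spectre_v1` reports it, and patched kernels mention "swapgs barriers" in that status line. The script below is an added example, not code from the article or from any vendor; the sample status lines are constructed and modelled on what the kernel reports, and the classification labels are my own.

```shell
#!/bin/sh
# Added example: classify the kernel's spectre_v1 status line with respect
# to the SWAPGS mitigation. Works on constructed sample lines as well as on
# the live sysfs file, so it can be run anywhere and then on the host.

SPECTRE_V1_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS_LINE
# Prints one of: not-affected, swapgs-mitigated, partial, vulnerable, unknown
# (label names are assumptions of this example, not kernel terminology).
classify_spectre_v1() {
    case "$1" in
        "Not affected"*)      echo not-affected ;;
        *"swapgs barriers"*)  echo swapgs-mitigated ;;   # SWAPGS fix present
        Mitigation:*)         echo partial ;;            # Spectre v1 only, no SWAPGS barrier
        Vulnerable*)          echo vulnerable ;;
        *)                    echo unknown ;;
    esac
}

# check_host: read the live sysfs file (Linux only) and classify it.
check_host() {
    if [ -r "$SPECTRE_V1_SYSFS" ]; then
        classify_spectre_v1 "$(cat "$SPECTRE_V1_SYSFS")"
    else
        echo unknown
    fi
}

# Constructed sample status lines, modelled on kernel reporting.
SAMPLE_PATCHED="Mitigation: usercopy/swapgs barriers and __user pointer sanitization"
SAMPLE_OLD="Mitigation: __user pointer sanitization"

printf 'sample patched kernel: %s\n' "$(classify_spectre_v1 "$SAMPLE_PATCHED")"
printf 'sample older kernel:   %s\n' "$(classify_spectre_v1 "$SAMPLE_OLD")"
printf 'this host:             %s\n' "$(check_host)"
```

A `partial` result on a host means the older Spectre v1 mitigation is present but the kernel predates the SWAPGS fix and should be updated.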
Sources:
Red Hat, Phoronix
37 Comments on SWAPGS: Another Speculative Side Channel Vulnerability
www.amd.com/en/corporate/product-security
Both do indeed affect performance in mitigation. Unsure what you are taking issue with.
The post clearly implies Meltdown affects AMD.
Spectre is to Meltdown, what scratching a car is to exploding a car.
Can a third party weigh in?
The page you linked is a list of AMD's known and possible security issues. If you read it, the most recent entry states they do not believe the newest issue affects AMD processors in any way differently than Spectre did. The AMD 3000 series has hardware Spectre mitigation built in; TPU states that here. We do know it affects all but the latest generations of Intel processors. Perhaps, if you think this is a black eye for AMD, you should look at Intel's list of known security issues. Oh wait, they don't make it as easy to find a listing. That might be because it would be the size of the Library of Congress for just the past few years! If this is a black eye for AMD, it's a broken jaw for Intel. Then again, since the security issues have piled up constantly for Intel since Spectre and Meltdown, at this point Intel wouldn't have a head left to hurt.
You might be just a bit confused about who is having security issues!
Imagine buying a sports car that calls the police if you operate it in the manner sold, except instead of police it unlocks its doors and starts for anyone, with your bank and other private data.
That said it does not mean they have less issues. They do not, frankly. They have a lot on their security plate right now. I wish people would stop parroting that myth... The attacks are timing based, incredibly clever, and certainly not something Intel needed to "enhance performance." Oh my god, that analogy is so... incorrect.
If you want a rough similar page to what AMD provides, just google "intel processor security issues intel.com" and profit on the link straight from intel. I see no reason to hold hands.
Still, I will:
newsroom.intel.com/press-kits/security-exploits-intel-products/#gs.ull9cr
newsroom.intel.com/microcode
Speculative execution is how all IPC increases are done today... so yeah. But there is no choice there. Literally the only chips that don't execute speculatively are ARM/MIPS or Atom-class CPUs.
As for losing performance, that's what patching an on-silicon vulnerability does.
Let us all read it backwards, shall we? The worst of them (Meltdown, among other things) only affects Intel.
And "fixing" that (not making assumptions about what will be where and when, because, wait for it, this increases IPC) also happens to hamper Intel's performance quite a bit.
What a coincidence. This is like talking about someone arrested for murder and saying that "it doesn't mean ze has less issues" than someone arrested for a drunk brawl.