Security Software

More Information on Transient Execution Findings

On November 13, 2018 researchers from Graz University of Technology, imec-DistriNet, KU Leuven, and College of William and Mary released a paper entitled A Systematic Evaluation of Transient Execution Attacks and Defenses. In this paper they document the following seven exploits related to Spectre and Meltdown:

Meltdown-PK – exploitation of Memory Protection Keys

Meltdown-BR (MPX/BND) – exploitation of Memory Protection Extensions

Spectre-PHT-CA-OP—exploitation of the pattern history table across address spaces

Spectre-PHT-SA-IP—exploitation of the pattern history table in the same address space

Spectre-PHT-SA-OP—exploitation of the pattern history table in a different branch address as the branch target

Spectre-BTB-SA-IP—exploitation of the branch target buffer in the same branch address as the branch target

Spectre-BTP-SA-OP—exploitation of the branch target buffer in a different branch address as the branch target

After careful assessment, Intel determined that existing software guidance for mitigating previously disclosed Spectre and Meltdown vulnerabilities provides protection against the exploits documented in this paper.

Meltdown-PK and Meltdown-BR Mitigations

Meltdown-PK is mitigated using address space isolation, as with speculative store bypass.

Future Intel processors will be able to mitigate Meltdown-PK using a combination of hardware support that also covers rogue data cache load (IA32_ARCH_CAPABILITIES[RDCL_NO]) and protection keys support (CPUID.7.0.ECX[3]), which can limit the memory addresses that could be revealed by these vulnerabilities.

Meltdown-BR is addressed by mitigations for bounds check bypass and bounds check bypass store, which is accomplished by modifying software to insert LFENCE or other serializing instructions to constrain speculation in confused deputy code. These instructions suffice regardless of whether the bounds checking is implemented using conditional branches or through the use of bound-checking instructions (BNDCL and BNDCU) that are part of the Intel® Memory Protection Extensions (Intel® MPX).

Spectre-related Mitigations

Previous disclosures of Spectre vulnerabilities name the exploits by the mechanism by which data can be accessed by a malicious actor. In the A Systematic Evaluation of Transient Execution Attacks and Defenses paper, the researchers instead have created an alternative classification system to identify the theoretically possible Spectre variants.

These variants do not identify any new microarchitectural structures that can be exploited, just new ways to train the microarchitectural structures. Existing mitigation strategies will continue to protect code as follows:

Spectre-PHT and Spectre-BTB can be mitigated through software-based approaches, including LFENCE, Indirect Branch Restricted Speculation (IBRS) and retpoline. Developers should review their code, identify secrets, and insert LFENCE appropriately, as advised for Bounds Check Bypass. Details on implementing IBRS and retpoline can be found under Branch Target Injection.

Stay Updated and Informed

Intel and the ecosystem have released microcode updates and software mitigations for Spectre and Meltdown, and these mitigations are effective for the exploits described in A Systematic Evaluation of Transient Execution Attacks and Defenses.

We will continue to provide software developer guidance when appropriate. Please check back for the latest information.


Was this article helpful?YesNo
0% of users found this helpful

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.

Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.

Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available​ updates.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product or component can be absolutely secure.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright Intel Corporation 2020.