Wednesday, August 7th 2019

SWAPGS: Another Speculative Side Channel Vulnerability

Yet another CPU vulnerability was disclosed today. Called SWAPGS and tracked in the industry as CVE-2019-1125, it was discovered twelve months ago and privately reported to Intel by a security researcher. It is supposedly present on both AMD and Intel CPUs, but has only been proven to work on Intel platforms, by Bitdefender security researchers. Red Hat issued a statement saying that both platforms are affected and that users should upgrade their systems as soon as possible. Microsoft already shipped a fix in last month's "Patch Tuesday" update, so if you have updated your OS recently, you are already protected against SWAPGS.

AMD issued a statement as well, in which it says: "AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."
How SWAPGS works
SWAPGS is a Spectre-type exploit that takes advantage of the processor's branch prediction (guessing which instruction sequence will run next in order to improve performance). The processor speculates which instruction sequence is most likely to execute next and prepares its internal state for it. By observing the timing of these speculatively executed instructions, possibly sensitive data can be revealed.

SWAPGS comes into play because the exploit is similar to Spectre. It is named after the x86-64 instruction SWAPGS, which swaps the GS register (one of the segment registers that together build a complete memory address) with a value intended for use during kernel operations. By its nature, SWAPGS performs no correction on the data it uses, so an attack can be performed: during the swap, an attacker can insert any value without the processor raising an error or warning.

Mitigations
As you know, for Spectre and Meltdown there are few mitigations built into hardware, and the industry still largely depends on software/firmware-level mitigations that negatively affect performance. Only the most recent processor models from AMD and Intel have hardware mitigations. Microsoft has already pushed the update to its Windows OSes, and kernel patches for the *nix-based OSes should have been implemented as well. The performance impact of these patches is still unknown.

Update: The performance impact of the SWAPGS mitigation has been tested with the latest Linux kernel. Phoronix benchmarked Intel's Core i9 9900K and found a 1-5% reduction in performance in synthetic benchmarks, with a general reduction of 1% on average across all benchmarks. You can check out their performance results here.

Sources: Red Hat, Phoronix
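One way for an administrator to confirm that the Linux kernel patch mentioned above is actually active on a host: the kernel reports its Spectre v1 status in /sys/devices/system/cpu/vulnerabilities/spectre_v1, and the patched kernels name the new barriers in that line. This is an added example, not code from the article or from Red Hat or Phoronix; the status-line wording is taken from the upstream kernel, and the sample lines in the block are constructed.

```sh
#!/bin/sh
# Classify the kernel's spectre_v1 status line. After the SWAPGS fix the
# line reads "Mitigation: usercopy/swapgs barriers and __user pointer
# sanitization"; older mitigated kernels lack the "swapgs" word.
classify_spectre_v1() {
    case "$1" in
        "Not affected")        echo "not-affected" ;;
        Vulnerable*)           echo "vulnerable" ;;
        Mitigation:*swapgs*)   echo "mitigated-with-swapgs-barriers" ;;
        Mitigation:*)          echo "mitigated-without-swapgs-barriers" ;;
        *)                     echo "unknown" ;;
    esac
}

# Read the live sysfs entry when it exists (Linux only); otherwise report unknown.
check_host_spectre_v1() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v1
    if [ -r "$f" ]; then
        classify_spectre_v1 "$(cat "$f")"
    else
        echo "unknown"
    fi
}

# Constructed sample lines showing each classification.
for sample in \
    "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" \
    "Mitigation: __user pointer sanitization" \
    "Vulnerable" \
    "Not affected"
do
    printf '%-70s -> %s\n' "$sample" "$(classify_spectre_v1 "$sample")"
done

printf 'this host -> %s\n' "$(check_host_spectre_v1)"
```

A result of mitigated-without-swapgs-barriers on a Linux host means the kernel predates the SWAPGS patch and should be updated.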

37 Comments on SWAPGS: Another Speculative Side Channel Vulnerability

#26
jaggerwild
Zareek
Are you being facetious?
Did you not see the link? It goes to all AMD issues........I'll post it again. AMD advertised their CPU overclocking, but with the RGB cooler there is no headroom; unless you have subzero cooling you got took! None of that is a lie, post up your awesome overclocking?
https://www.amd.com/en/corporate/product-security
Posted on Reply
#27
R-T-B
medi01
Indeed:
Did you miss Spectre too in that statement?

Both do indeed affect performance in mitigation. Unsure what you are taking issue with.
Posted on Reply
#28
medi01
R-T-B
Did you miss Spectre too in that statement?
Are you pretending to be obtuse or is this for real?
The post clearly implies Meltdown affects AMD.

Spectre is to Meltdown, what scratching a car is to exploding a car.
Posted on Reply
#29
R-T-B
medi01
Are you pretending to be obtuse or is this for real?
The post clearly implies Meltdown affects AMD.
It doesn't? I only read it as mentioning them due to being discovered in the same whitepaper.

Can a third party weigh in?
Posted on Reply
#30
Zareek
jaggerwild
Did you not see the link? It goes to all AMD issues........I'll post it again. AMD advertised their CPU overclocking, but with the RGB cooler there is no headroom; unless you have subzero cooling you got took! None of that is a lie, post up your awesome overclocking?
https://www.amd.com/en/corporate/product-security
I'm going to be nice because maybe you have been fed some very convincing false data by someone or someplace you really trust. The page you are linking says nothing about processors not hitting 4.6Mhz. I'm pretty sure AMD didn't release an x86 chip that ran at 4.6Mhz. AMD is, however, selling the 3900X, and it does boost to 4.6Ghz on a single core. As with all processors, adequate cooling is required. Please link something legitimate if you've read otherwise.

The page you linked is a list of AMD's known and possible security issues. If you read it, the most recent entry states they do not believe the newest issue affects AMD processors in any way differently than Spectre did. AMD 3000 series has hardware Spectre mitigation built in, TPU states that here. We do know it affects all but the latest generations of Intel processors. Perhaps, if you think this is a black eye for AMD you should look at Intel's list of known security issues. Oh wait, they don't make it as easy to find a listing. That might be because it would be the size of the Library of Congress for just the past few years! If this is a black eye for AMD, it's a broken jaw for Intel. Then again since the security issues have piled up constantly for Intel since Spectre and Meltdown, at this point Intel wouldn't have a head left to hurt.

You might be just a bit confused about who is having security issues!
Posted on Reply
#31
Steevo
Ferrum Master
It almost seems like some force is driving it.

After a year my CPU will need an upgrade just because it is patched like a stiff mummy and won't perform just because of these issues. Kinda win situation for manufacturers.
That force is greed. Intel designed chips with huge security holes to improve performance so that their competition would be disadvantaged, while failing to disclose the security issues built into their logic hardware.


Imagine buying a sports car that calls the police if you operate it in the manner sold, except instead of police it unlocks its doors and starts for anyone, with your bank and other private data.
Posted on Reply
#32
R-T-B
Zareek
Oh wait, they don't make it as easy to find a listing.
They actually document their issues and fixes quite a bit better than AMD, in my experience.

That said it does not mean they have less issues. They do not, frankly. They have a lot on their security plate right now.

Steevo
Intel designed chips with huge security holes to improve performance in order that their competition would be disadvantaged, while failing to disclose the security issues built into their logic hardware
I wish people would stop parroting that myth... The attacks are timing based, incredibly clever, and certainly not something Intel needed to "enhance performance."

Steevo
Imagine buying a sports car that calls the police if you operate it in the manner sold, except instead of police it unlocks its doors and starts for anyone, with your bank and other private data.
Oh my god, that analogy is so... incorrect.
Posted on Reply
#33
Tomorrow
R-T-B
They actually document their issues and fixes quite a bit better than AMD, in my experience.
Where? AMD link was posted earlier. Please post Intel's link if you say they document their issues better than AMD.
R-T-B
I wish people would stop parroting that myth... The attacks are timing based, incredibly clever, and certainly not something Intel needed to "enhance performance."
Yet they do lose performance every time one of these holes is patched. They may have not intentionally set out to disregard security to gain performance but they were negligent when designing their architectures and relying too heavily on speculative execution as a magic way to speed up operations.
Posted on Reply
#34
R-T-B
Tomorrow
Please post Intel's link if you say they document their issues better than AMD.
It's pretty well known in BIOS modding communities that they map their microcode to fixes. Good luck finding that with AMD.

If you want a rough similar page to what AMD provides, just google "intel processor security issues intel.com" and profit on the link straight from intel. I see no reason to hold hands.

Still, I will:

https://newsroom.intel.com/press-kits/security-exploits-intel-products/#gs.ull9cr

https://newsroom.intel.com/microcode

Tomorrow
they were negligent when designing their architectures and relying too heavily on speculative execution as a magic way to speed up operations.
Speculative execution is how all IPC increases are done today... so yeah. But there is no choice there. Literally the only chips that don't execute speculatively are ARM/MIPS or Atom-class CPUs.

As for losing performance, that's what patching an on-silicon vulnerability does.
Posted on Reply
#35
Tomorrow
Half a year out of date. Microcode PDF is more than a year old.
Posted on Reply
#36
medi01
R-T-B
It doesn't? I only read it...
Yeah, if you "only read it" backwards, it doesn't.
Let us all read it backwards, shall we?

R-T-B
I wish people would stop parroting that myth... The attacks are timing based, incredibly clever, and...
The worst of them (Meltdown, among other things) only affects Intel.
And "fixing" that (not making assumptions about what will be where and when, because, wait for it, this increases IPC) also happens to hamper Intel's performance quite a bit.

What a coincidence.

R-T-B
That said it does not mean they have less issues.
This is like talking about someone arrested for murder and saying that "it doesn't mean ze has less issues" than someone arrested for a drunk brawl.
Posted on Reply
#37
R-T-B
medi01
This is like talking about someone arrested for murder and saying...
Not really, no. That's insane hyperbole.
medi01
What a coincidence.
How any on-silicon software fix works, not a coincidence.

medi01
The worst of them (Meltdown, among other things) only affects Intel.
Intel is also by far the most researched, so yeah.

medi01
Yeah, if you "only read it" backwards, it doesn't.
I don't read backwards.
Posted on Reply