- Joined
- Aug 19, 2017
- Messages
- 3,233 (1.12/day)
Yet another CPU vulnerability was discovered today, called SWAPGS, revealed under the code CVE-2019-1125, as it is referred to in the industry. The vulnerability was discovered twelve months ago and got privately reported to Intel by a security researcher. It's supposedly present on both AMD and Intel CPUs, but was only proven to work on Intel platforms by Bitdefender security researchers. Red Hat issued a statement which states that both platforms are affected and that users should upgrade their systems as soon as possible. Microsoft already implemented a fix with its "Patch Tuesday" update for last month, so if you updated your OS recently, you are already protected against SWAPGS.
AMD issued as statement as well, in which it says: "AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."
How SWAPGS works
SWAPGS is a Spectre-type exploit, which takes advantage of the processor's branch prediction (predicting when to switch instruction sequence to improve performance). The processor speculates which instruction sequence is most likely to run next and prepares its internal states for that. When observing these instructions, possibly sensitive data could be revealed by observing timing results.
SWAPGS comes into play because it is an exploit similar to Spectre. It is named after x86-64 instruction called SWAPGS which swaps the GS register (only one of the segment registers which build a complete memory address), with a value intended to be used during kernel operations. Because of its nature, SWAPGS does not perform any kind correction on data it uses, thus an attack can be performed. During the swapping period, attacker can insert any value without getting errors or warning by the processor.
Mitigations
As you know, for Spectre and Meltdown, there aren't too many mitigations that are built into hardware, and the industry still largely depends on software/firmware-level mitigations that negatively affect performance. Only the most recent processor models from AMD and Intel have hardware mitigations. For now Microsoft already pushed the update to its Windows OSes and kernel patches for any *nix based OS should have been implemented as well.Performance impact of these patches is still unknown.
Update: Performance impact of the SWAPGS mitigation has been tested with the latest Linux kernel. Phoronix benchmarked Intel's Core i9 9900K and they found a 1-5% reduction in performance for synthetic benchmarks with a general reduction of 1% on average when accounting for all benchmarks. You can check out their performance results here.
View at TechPowerUp Main Site
AMD issued as statement as well, in which it says: "AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."
How SWAPGS works
SWAPGS is a Spectre-type exploit, which takes advantage of the processor's branch prediction (predicting when to switch instruction sequence to improve performance). The processor speculates which instruction sequence is most likely to run next and prepares its internal states for that. When observing these instructions, possibly sensitive data could be revealed by observing timing results.
SWAPGS comes into play because it is an exploit similar to Spectre. It is named after x86-64 instruction called SWAPGS which swaps the GS register (only one of the segment registers which build a complete memory address), with a value intended to be used during kernel operations. Because of its nature, SWAPGS does not perform any kind correction on data it uses, thus an attack can be performed. During the swapping period, attacker can insert any value without getting errors or warning by the processor.
Mitigations
As you know, for Spectre and Meltdown, there aren't too many mitigations that are built into hardware, and the industry still largely depends on software/firmware-level mitigations that negatively affect performance. Only the most recent processor models from AMD and Intel have hardware mitigations. For now Microsoft already pushed the update to its Windows OSes and kernel patches for any *nix based OS should have been implemented as well.
Update: Performance impact of the SWAPGS mitigation has been tested with the latest Linux kernel. Phoronix benchmarked Intel's Core i9 9900K and they found a 1-5% reduction in performance for synthetic benchmarks with a general reduction of 1% on average when accounting for all benchmarks. You can check out their performance results here.
View at TechPowerUp Main Site
