Intel and Partners Discuss GPZ Variant 4 Speculative Store Bypass

Today Intel and industry partners disclosed a new vulnerability CVE-2018-3639, which is another side channel attack variant. This new CVE is being called “Variant 4” or Speculative Store Buffer Bypass or Speculative Store Bypass depending on who is discussing the vulnerability. We have a few resources to keep you up to date but Intel says it has released microcode mitigations to OEMs already and so we should see another round of BIOS updates in the near future. This entire line of issues, starting with Spectre and Meltdown is essentially due to the design of speculative execution outlined in a paper decades ago that the industry has followed since. That means that we are likely to see more variants of this in the future.

Resources to learn more about Variant 4 / Speculative Store Bypass

RedHat has a fairly awesome video about the speculative store buffer bypass which is worth watching on YouTube if you have a few minutes.

Also from Intel this impacts desktop CPUs as well as just about every recent Xeon, including the latest Intel Xeon Scalable CPUs. Here is the information from Intel and a quick blurb from the company:

About Variant 4

Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment.  While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.

Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.

We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option.  In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client¹ and server² test systems.

This same update also includes microcode that addresses Variant 3a (Rogue System Register Read), which was previously documented publicly by Arm (ARMH)* in January. We have not observed any meaningful performance impact on client or server benchmarks with the Variant 3a mitigation.³ We’ve bundled these two microcode updates together to streamline the process for our industry partners and customers. This is something you will see us continue, as we recognize that a more predictable and consolidated update process will be helpful to the entire ecosystem.

(Source: Intel)