ASA-2019-00278 – Xen: Microarchitectural Data Sampling speculative side channel

Microarchitectural Data Sampling refers to a group of speculative side-channel vulnerabilities. They consist of:

* CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling
* CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling
* CVE-2018-12130 - MFBDS - Microarchitectural Fill Buffer Data Sampling
* CVE-2019-11091 - MDSUM - Microarchitectural Data Sampling Uncacheable Memory

These issues pertain to the Load Ports, Store Buffers and Fill Buffers in the pipeline. The Load Ports are used to service all memory reads. The Store Buffers service all in-flight speculative writes (including IO Port writes), while the Fill Buffers service all memory writes which are post-retirement and no longer speculative. Under certain circumstances, a later load which takes a fault or assist (an internal condition in the processor, e.g. setting a pagetable Access or Dirty bit) may be forwarded stale data from these buffers during speculative execution, which may then be leaked via a side channel. MDSUM (Uncacheable Memory) is a special case of the other three. Previously, the use of uncacheable memory was believed to be safe against speculative side channels.

An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can sample the content of recently-used memory operands and IO Port writes. This can include data from:

* A previously executing context (process, guest, or hypervisor/toolstack) at the same privilege level.
* A higher privilege context (kernel, hypervisor, SMM) which interrupted the attacker's execution.

Vulnerable data is that on the same physical core as the attacker. This includes, when hyper-threading is enabled, adjacent threads. An attacker cannot use this vulnerability to target specific data. An attack would likely require sampling over a period of time and the application of statistical methods to reconstruct interesting data.

ASA-2019-00277 – VMware: Operating System-Specific Mitigations for MDS vulnerabilities

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities. There are two known attack vector categories for MDS at the Virtual Machine level:

* Sequential-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a previous context otherwise protected by architectural mechanisms in the context of the same Virtual Machine.
* Concurrent-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a concurrently executing context on the other logical processor of the Hyper-Threading-enabled processor core in the context of the same Virtual Machine.

ASA-2019-00276 – VMware: Hypervisor-Assisted Guest Mitigations for MDS vulnerabilities

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities. Virtual Machines hosted by VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities. There are two known attack vector categories for MDS at the Virtual Machine level:

* Sequential-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a previous context otherwise protected by architectural mechanisms in the context of the same Virtual Machine.
* Concurrent-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a concurrently executing context on the other logical processor of the Hyper-Threading-enabled processor core in the context of the same Virtual Machine.

ASA-2019-00275 – VMware: Hypervisor-Specific Mitigations for MDS vulnerabilities

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for MDS speculative execution vulnerabilities. A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself via MDS vulnerabilities. There are two known attack vector variants for MDS at the Hypervisor level:

* Sequential-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
* Concurrent-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core.

ASA-2019-00272 – FreeBSD: Microarchitectural Data Sampling (MDS)

Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. On some Intel processors utilizing speculative execution, a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).