In the long line of Meltdown and Spectre vulnerabilities, Bitdefender responsibly disclosed a new variant named “SWAPGS” at the BlackHat security conference. Bitdefender researchers had been working with Intel for more than a year prior to public disclosure. Microsoft and other operating system vendors have also been involved, and recently issued patches. The vulnerability has been designated CVE-2019-1125 and rated as “moderate” severity.
What Is SWAPGS?
SWAPGS is a vulnerability in the Spectre Variant 1 family: it uses side-channel analysis of timing results to determine the contents of protected memory addresses, in this case kernel memory. The CPU register GS is used to store the “Thread Local Storage” memory address pointers in userspace, but serves as a memory offset value (in 64-bit mode) for “PER_CPU” data when in kernel mode. This means that a userspace program can set a register value that is used when the CPU flips into kernel mode. SWAPGS is a primitive instruction that helps transition from userspace to kernel mode, but it does not validate the values it uses. There are circumstances under which a GS register swap may not be needed. When testing for these conditions, there are branches that may speculatively execute code using the (maliciously set) GS memory offset, giving an opportunity to use timing results to determine the targeted memory location’s contents.
Since this deals with userspace and kernel space and the usage of registers by the OS and userspace applications, it is more appropriately resolved at the operating system level, rather than by designing hardware mitigations to resolve the issue.
What CPUs Are Affected?
All x86_64 Intel CPUs since 2012, which starts with Ivy Bridge, are affected, even if you have all previous Meltdown and Spectre mitigations.
AMD stated that “because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS,” they are not impacted by this vulnerability. However, there is one scenario to which they are potentially vulnerable, but existing mitigations for Spectre Variant 1 have already addressed it.
Operating System Patches
Microsoft Windows silently issued a security update on July 9th to address the vulnerability.
The Linux kernel patch was committed to the mainline code in git on August 6th.
Apple MacOS is not thought to be vulnerable at this time, presumably due to not utilizing the SWAPGS instruction.
Michael Larabel over at Phoronix has conducted some Linux-based performance impact testing and concluded that the impact is minor: around 1% or less performance loss in most cases, with edge cases around 5%. The exact impact under Windows is untested.
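To verify that the Linux kernel patch mentioned above is actually active on a given host, the kernel's own report in /sys/devices/system/cpu/vulnerabilities/spectre_v1 can be classified. The script below is an added example, not code from the original post or from Bitdefender; it assumes the status strings introduced by the mainline fix (“Mitigation: usercopy/swapgs barriers and __user pointer sanitization” when the barriers are on, and a “Vulnerable: ... no swapgs barriers” variant when they have been disabled at boot).

```shell
#!/bin/sh
# Added example: classify the kernel's Spectre V1 / SWAPGS mitigation report.
# Since the August 2019 patch the spectre_v1 sysfs entry states whether the
# "swapgs barriers" (fences on the kernel entry paths) are in effect.
SYSFS_SPECTRE_V1=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS_STRING
# Prints a one-word verdict; returns 0 only when SWAPGS is mitigated.
classify_spectre_v1() {
    case "$1" in
        "Mitigation: "*"swapgs barriers"*)
            echo "mitigated"; return 0 ;;
        *"no swapgs barriers"*)
            # Kernel carries the fix but the barriers were switched off
            # (typically mitigations=off or nospectre_v1 on the command line).
            echo "barriers-disabled"; return 1 ;;
        "Mitigation: "*)
            # Older Spectre V1 text without any mention of swapgs: the
            # running kernel predates the SWAPGS patch.
            echo "pre-swapgs-kernel"; return 1 ;;
        "Not affected")
            echo "not-affected"; return 0 ;;
        "Vulnerable"*)
            echo "vulnerable"; return 1 ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# check_system: read the live sysfs entry and classify it.
check_system() {
    if [ ! -r "$SYSFS_SPECTRE_V1" ]; then
        echo "unknown: $SYSFS_SPECTRE_V1 missing (kernel too old to report vulnerabilities)"
        return 1
    fi
    classify_spectre_v1 "$(cat "$SYSFS_SPECTRE_V1")"
}
```

Running `check_system` on a patched kernel prints `mitigated` and exits 0, which makes it easy to wire into a fleet compliance check.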