Speculative Store Bypass

See also: Speculative execution CPU vulnerabilities

Speculative Store Bypass (SSB) (CVE-2018-3639) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities.^[1] It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ).^[2] After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG,^[3][4][5][6] it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".^[7][1]

Details

Speculative execution exploit Variant 4,^[8] is referred to as Speculative Store Bypass (SSB),^[1][9] and has been assigned CVE-2018-3639.^[7] SSB is named Variant 4, but it is the fifth variant in the Spectre-Meltdown class of vulnerabilities.^[7]

Steps involved in exploit:^[1]

1. "Slowly" store a value at a memory location
2. "Quickly" load that value from that memory location
3. Utilize the value that was just read to disrupt the cache in a detectable way

Impact and mitigation

Intel claims that web browsers that are already patched to mitigate Spectre Variants 1 and 2 are partially protected against Variant 4.^[7] Intel said in a statement that the likelihood of end users being affected was "low" and that not all protections would be on by default due to some impact on performance.^[10] The Chrome JavaScript team confirmed that effective mitigation of Variant 4 in software is infeasible, in part due to performance impact.^[11]

Intel is planning to address Variant 4 by releasing a microcode patch that creates a new hardware flag named Speculative Store Bypass Disable (SSBD).^[7][2][12] A stable microcode patch is yet to be delivered, with Intel suggesting that the patch will be ready "in the coming weeks".^{[needs update][7]} Many operating system vendors will be releasing software updates to assist with mitigating Variant 4;^[13][2][14] however, microcode/firmware updates are required for the software updates to have an effect.^[13]

Speculative execution exploit variants

Summary of speculative execution variants^{[15][7][16][17]}

Vulnerability	CVE	Exploit name	Public vulnerability name	CVSS v2.0	CVSS v3.0
Spectre	2017-5753	Variant 1	Bounds Check Bypass (BCB)	4.7	5.6
Spectre	2017-5715	Variant 2	Branch Target Injection (BTI)	4.7	5.6
Meltdown	2017-5754	Variant 3	Rogue Data Cache Load (RDCL)	4.7	5.6
Spectre-NG	2018-3640	Variant 3a	Rogue System Register Read (RSRR[18])	4.7	5.6
Spectre-NG	2018-3639	Variant 4	Speculative Store Bypass (SSB)	4.9	5.5
Spectre-NG	2018-3665		Lazy FP State Restore	4.7	5.6
Spectre-NG	2018-3693		Bounds Check Bypass Store (BCBS)	4.7	5.6
Foreshadow	2018-3615	Variant 5	L1 Terminal Fault (L1TF)	5.4	6.4
Foreshadow-NG	2018-3620			4.7	5.6
Foreshadow-NG	2018-3646			4.7	5.6