On 9 June, Anthony Steinhauser, an engineer at Google, made some urgent posts to the Linux kernel mailing list. In them, he pointed out that hardware bugs in Intel and AMD chips are leaving servers vulnerable to Spectre exploits, even after the kernel is patched. Fortunately, a fix for this problem is being developed by the KernelCare team. First patches will be available by the end of the week of 22 June.
Chip Flaws Leave Servers Exposed
Spectre vulnerabilities leave servers exposed to speculative-execution attacks. That is, attacks that make servers perform unnecessary operations that expose confidential data, then leak it through an unprotected side channel. Steinhauser noted that logic flaws in Intel and AMD x86 processors render current Spectre patches ineffective against these sorts of attacks.
To protect against these attacks, he wrote, the manufacturers optimized their Speculative Store Bypass Disable (SSBD) defence. They opted for this defence because it was less expensive than the alternative, a model-specific register (MSR) write operation. Their decision has become problematic because their chips’ logic flaw enables the SSBD optimization to be used to disable SSBD itself.
A related problem pointed out by Steinhauser is that another Spectre defence, Indirect Branch Prediction Barrier (IBPB), can be force-disabled by Linux in certain situations. Also, he wrote that the settings used to avoid these situations don’t work:
"Currently, it is possible to enable indirect branch speculation even after it was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the PR_GET_SPECULATION_CTRL command gives afterwards an incorrect result (force-disabled when it is in fact enabled)."
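The quote above refers to the kernel's per-task speculation control interface, prctl(PR_SET_SPECULATION_CTRL / PR_GET_SPECULATION_CTRL). The following is an added self-check, not code from KernelCare or from Steinhauser's posts: it decodes what PR_GET_SPECULATION_CTRL reports and verifies that, once indirect-branch speculation has been force-disabled for the calling task, the kernel refuses to re-enable it (the documented behaviour is a failure with EPERM). The constant values are those from the kernel's uapi linux/prctl.h, supplied as fallbacks only for older headers.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
/* Fallbacks copied from the kernel's uapi linux/prctl.h for older headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

/* Translate a PR_GET_SPECULATION_CTRL result into the state it reports. */
const char *decode_spec_ctrl(long r)
{
    int per_task = (r & PR_SPEC_PRCTL) != 0;   /* PR_SET_* is allowed for this task */
    if (r < 0)                     return "error";
    if (r == 0)                    return "not-affected";
    if (r & PR_SPEC_FORCE_DISABLE) return "force-disabled";
    if (r & PR_SPEC_DISABLE)       return per_task ? "disabled" : "disabled-system-wide";
    if (r & PR_SPEC_ENABLE)        return per_task ? "enabled" : "enabled-system-wide";
    return "unknown";
}

/* Force-disable indirect-branch speculation for this task, then check that the
 * kernel enforces it: PR_SPEC_ENABLE must now fail with EPERM and the GET query
 * must still report force-disabled. Returns 1 if enforced, 0 if the force-disable
 * can be undone (the behaviour quoted above), -1 if per-task control is not
 * available (ENODEV/EINVAL). Note: force-disable is sticky for this process. */
int check_force_disable_enforced(void)
{
#ifdef __linux__
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return -1;
    int rc = prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
    int err = errno;
    long after = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return (rc == -1 && err == EPERM && (after & PR_SPEC_FORCE_DISABLE)) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    int ok = check_force_disable_enforced();
    printf("force-disable enforced: %s\n", ok == 1 ? "yes" : ok == 0 ? "NO" : "n/a");
    return 0;
}
```

Run it as a standalone binary rather than inside a long-lived process, since the force-disable applies to the calling task and is inherited by its children.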
Fixes Are On The Way
The KernelCare operations team is currently working on a new patch that will address these hardware bugs. They’re familiar with Spectre vulnerabilities and are writing their own patch code in accordance with their research on what Steinhauser discovered.
Once the team has written patch code that it considers effective, it will reproduce the SSBD and IBPB exploits, then test the code to make sure it protects against them. Once it’s confident that the code resolves these security issues while causing no problems of its own, the team will upload it to KernelCare patch servers and distribute it to clients.
The new patch is expected to be ready by the end of the week of 22 June.
If you have additional questions about how KernelCare protects servers against these hardware-based vulnerabilities, feel free to contact the KernelCare team.