Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

Updated on 18/Jan/2018

Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on the Arm processors that may be impacted and their potential mitigations. We will post any new research findings here as needed.

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.

It is important to note that this method is dependent on malware running locally, which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoiding suspicious links or downloads.

The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below.

What are the attack mechanisms?

Google's blog post explains the mechanisms in detail and describes three main variants of the exploits:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

In addition, Arm has included information on a variant related to Variant 3, noted as 3a, in the table below.

Follow the steps below to determine whether your devices are vulnerable and, if they are, which mitigation mechanisms apply.

Step 1

Check the table below to determine if you have an affected processor.

  • Only affected cores are listed; all other Arm cores are NOT affected.
  • No indicates not affected by the particular variant.
  • Yes indicates affected by the particular variant but has a mitigation (unless otherwise stated).

Processor     Variant 1            Variant 2   Variant 3   Variant 3a
----------    ------------------   ---------   ---------   ----------
Cortex-R7     Yes*                 Yes*        No          No
Cortex-R8     Yes*                 Yes*        No          No
Cortex-A8     Yes (under review)   Yes         No          No
Cortex-A9     Yes                  Yes         No          No
Cortex-A15    Yes (under review)   Yes         No          Yes
Cortex-A17    Yes                  Yes         No          No
Cortex-A57    Yes                  Yes         No          Yes
Cortex-A72    Yes                  Yes         No          Yes
Cortex-A73    Yes                  Yes         No          No
Cortex-A75    Yes                  Yes         Yes         No

* Note for Cortex-R cores: The common usage model for Cortex-R is in non-open environments where applications or processes are strictly controlled and hence not exploitable.
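
One way to automate the Step 1 lookup on a Linux device, as an added example that is not Arm's own tooling: it parses /proc/cpuinfo text, identifies each distinct core by its MIDR implementer and part number, and reports the table row for any listed core. The part numbers come from Arm's public core documentation rather than from this page, and the function names and sample input are constructed for illustration.

```python
import re

ARM_IMPLEMENTER = 0x41  # MIDR implementer code for Arm-designed cores

# MIDR part number -> (core, Variant 1, Variant 2, Variant 3, Variant 3a).
# Status strings are copied from the table above; part numbers are not from this page.
AFFECTED = {
    0xC17: ("Cortex-R7", "Yes*", "Yes*", "No", "No"),
    0xC18: ("Cortex-R8", "Yes*", "Yes*", "No", "No"),
    0xC08: ("Cortex-A8", "Yes (under review)", "Yes", "No", "No"),
    0xC09: ("Cortex-A9", "Yes", "Yes", "No", "No"),
    0xC0F: ("Cortex-A15", "Yes (under review)", "Yes", "No", "Yes"),
    0xC0E: ("Cortex-A17", "Yes", "Yes", "No", "No"),
    0xD07: ("Cortex-A57", "Yes", "Yes", "No", "Yes"),
    0xD08: ("Cortex-A72", "Yes", "Yes", "No", "Yes"),
    0xD09: ("Cortex-A73", "Yes", "Yes", "No", "No"),
    0xD0A: ("Cortex-A75", "Yes", "Yes", "Yes", "No"),
}
VARIANTS = ("Variant 1", "Variant 2", "Variant 3", "Variant 3a")

def cores_in_cpuinfo(text):
    """Return the set of (implementer, part) pairs found in /proc/cpuinfo text."""
    found, implementer = set(), None
    for line in text.splitlines():
        m = re.match(r"CPU (implementer|part)\s*:\s*(0x[0-9a-fA-F]+)", line)
        if not m:
            continue
        if m.group(1) == "implementer":
            implementer = int(m.group(2), 16)
        elif implementer is not None:
            found.add((implementer, int(m.group(2), 16)))
    return found

def check(text):
    """Map each listed Arm-designed core present to its per-variant status."""
    report = {}
    for implementer, part in cores_in_cpuinfo(text):
        # Cores from other implementers are outside the scope of this table.
        if implementer == ARM_IMPLEMENTER and part in AFFECTED:
            name, *status = AFFECTED[part]
            report[name] = dict(zip(VARIANTS, status))
    return report

# Constructed sample: a big.LITTLE system with Cortex-A53 (0xd03) and Cortex-A72 cores.
SAMPLE = """processor\t: 0
CPU implementer\t: 0x41
CPU part\t: 0xd03
processor\t: 4
CPU implementer\t: 0x41
CPU part\t: 0xd08
"""
```

On a device, pass the contents of /proc/cpuinfo to check(); an empty result means none of the listed cores were found.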

Step 2

What about future Arm Cortex processors?

All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches.

Arm recommends that the software mitigations described in the Cache Speculation Side-channels whitepaper be deployed where protection against malicious applications is required. Arm's expert Security Response Team will continue to research any potential mitigations, working closely with our customers and partners. Please refer to the FAQ for additional information.