Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

Updated on 02/Feb/2018

Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.

It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.

The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below.


Cache Speculation Side-channels whitepaper

Download

What are the attack mechanisms?

There are three main variants of the exploits, as detailed by Google in their blogpost, that explain in detail the mechanisms:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

In addition, Arm has included information on a related variant to 3, noted as 3a, in the table below.

Follow the steps below to determine if there is any vulnerability for your devices and, if vulnerable, then the mitigation mechanisms.

Step 1

Check the table below to determine if you have an affected processor.

  • Only affected cores are listed, all other Arm cores are NOT affected.
  • No indicates not affected by the particular variant.
  • Yes indicates affected by the particular variant but has a mitigation (unless otherwise stated).

Processor

Variant 1

Variant 2

Variant 3

Variant 3a

Cortex-R7

Yes*

Yes*

No

No

Cortex-R8

Yes*

Yes*

No

No

Cortex-A8

Yes (under review)

Yes

No

No

Cortex-A9

Yes

Yes

No

No

Cortex-A15

Yes (under review)

Yes

No

Yes

Cortex-A17

Yes

Yes

No

No

Cortex-A57

Yes

Yes

No

Yes

Cortex-A72

Yes

Yes

No

Yes

Cortex-A73

Yes

Yes

No

No

Cortex-A75

Yes

Yes

Yes

No

* Note for Cortex-R cores: The common usage model for Cortex-R is in non-open environments where applications or processes are strictly controlled and hence not exploitable.

Step 2

  • If you are running Linux, please follow the directions below according to the variant identified in the table.

  • If you are running Android, please check with Google for the detail of supported kernel versions.

  • If you are running another OS, please contact the OS vendor for details and refer to For non-Linux operating system below.

  • For JIT development, check the generated code and replace with new instruction sequences as detailed in the Cache Speculation Side-channels whitepaper.


For Linux

Variant 1

Action required:

Variant 2

The mitigation will vary by processor micro-architecture:

For Cortex-A57 and Cortex-A72:

For Cortex-A73:

For Cortex-A75:

For Cortex-A8, Cortex-A9, and Cortex-A15, please apply the patches available at https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti

Variant 3

For Cortex-A75:

Variant 3a

For Cortex-A15, Cortex-A57, and Cortex-A72:

For non-Linux operating systems

Variant 2

The mitigation will vary by processor micro-architecture:

For Cortex-R8, Cortex-A9, and Cortex-A17, invalidate the branch predictor using a BPIALL instruction.

For Cortex-A8:

  • Invalidate the branch predictor using a BPIALL instruction.
  • Set ACTRL[6] to 1 during early processor initialization.

For Cortex-A15:

  • Set ACTLR[0]==1 from early initialization of the processor.
  • Invalidate the branch predictor by performing an ICIALLU instruction.

For Cortex-A57 and Cortex-A72:

  • Do one of the following:
    • Disable the current stage 1 MMU, execute an ISB, re-enable the MMU and execute an ISB. This must be done in an area of memory where the VA and the IPA (or PA if there is only one stage of translation) are the same.
    • Do an ERET from EL3 where SCTLR_EL3.M==1 to S-EL1 where SCTLR_EL1.M=0 followed by an SMC back to EL3.

For Cortex-A73:

  • In AArch32: Invalidate the branch predictor using a BPIALL instruction.
  • In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

For Cortex-A75:

  • In AArch32: Invalidate the branch predictor using a BPIALL instruction.
  • In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

What about future Arm Cortex processors?

All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches.

Arm recommends that the software mitigations described in the Cache Speculation Side-channels whitepaper be deployed where protection against malicious applications is required.  Arm's expert Security Response Team will continue to research any potential mitigations working closely with our customers and partners.  Please refer to the FAQ for additional information.


Arm security update change history

Date Page Section Change notes
2 February 2018 https://developer.arm.com/support/security-update/frequently-asked-questions Is Google's Retpoline considered effective for mitigating Variant 2 vulnerability on Arm based systems?
Will compilers provide mitigations for Variant 2?
Added new FAQs.
31 January 2018 https://developer.arm.com/support/security-update/frequently-asked-questions Are software mitigations available, and will I get them? Added new Firmware interfaces for mitigating CVE-2017-5715 System Software on Arm Systems specification file.