QEMU / HW - Vulnerabilities & Mitigations Explained

Read the full document HERE as discourse does not support all HTML features the document has.

NOTE: It is very likely that this document is NOT fully updated with latest HW mitigations and techniques found. With that in mind, use this as an initial source of information and increase your knowledge with more recent security vulnerabilities as they are discovered and advertised in other security information sources.

This document should be read together with the following articles:

• Security Team Spectre (Variant 1 and 2) and Meltdown (Variant 3) Knowledge Base Article

• Security Team Lazy Floating Point Knowledge Base Article (LazyFP)

• Security Team Bounds Check Bypass Store Article (Spectre 1.1 / BCBS)

• Security Team Variant 4 Knowledge Base Article (Variant 4)

• Security Team L1TF Knowledge Base Article (L1TF)

• Security Team MDS Knowledge Base Article (MDS)

• Security Team Mitigation Controls Knowledge Base Article

And the references used here are, among the documents above, the following docs:

• Intel Speculative Execution Side Channel Mitigations (Rev 3.0)

• Intel Analysis of Speculative Execution Side Channels (Rev 4.0)

• Intel Deep Dive Mitigation Overview Side Channel Exploits Linux

• Intel Deep Dive Analysis for L1 Terminal Fault

• Intel Software Guidance for L1 Terminal Fault

• Intel Deep Dive Analysis Microarchitectural Data Sampling

• Using Intel Compilers to Mitigate Speculative Execution Side Channel Issues

• Wikipedia: Kernel Page-Table Isolation

• Wikipedia: Lazy FP state restore

• QEMU Spectre and Meltdown Update

• QEMU Spectre and Meltdown New Update

• Berrange CPU Model Configuration for QEMU/KVM on X86 hosts

• Kernel Admin Guide on HW vulnerabilities - MDS

• Kernel Admin Guide on HW vulnerabilities - MDS

Related CPU Vulnerabilities (CVEs)

1. Side Channel Attacks - Spectre and Meltdown

• CVE-2017-5753 - Bounds Check Bypass (Variant 1 / Spectre)

• CVE-2017-5715 - Branch Target Injection (Variant 2 / Spectre)

• CVE-2017-5754 - Rogue Data Cache Load (Variant 3 / Meltdown)

2. Side Channel Attacks - Others

• CVE-2018-3665 - Lazy FP Save/Restore (LazyFP)

• CVE-2018-3693 - Bounds Check Bypass Store (Variant (or Spectre) 1.1 and 1.2 / BCBS)

• CVE-2018-3640 - Rogue System Register Read (RSRE / Variant 3a)

• CVE-2018-3639 - Speculative Store Bypass (SSB / Variant 4 / Spectre-NG)

3. L1 Terminal Fault (L1TF)

• CVE-2018-3615 - Intel SGX (Software Guard Extensions) (Foreshadow / L1TF)

• CVE-2018-3620 - Operating Systems and System Management Mode (Fault-OS / SMM) (L1TF)

• CVE-2018-3646 - Virtualization Extensions (L1TF)

4. Microarchitectural Data Sampling (MDS)

• CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS / Fallout)

• CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS / RIDL)

• CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS / ZombieLoad)

• CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)