Windows 10: New Speculative Execution Side-Channel Vulnerability (Variant 4)

Page 1 of 3 123 LastLast
  1.    21 May 2018 #1

    New Speculative Execution Side-Channel Vulnerability (Variant 4)

    Addressing New Research for Side-Channel Analysis

    Details and Mitigation Information for Variant 4

    By Leslie Culbertson

    Following Google Project Zero’s (GPZ)* disclosure of speculative execution-based side-channel analysis methods in January, Intel has continued working with researchers across the industry to understand whether similar methods could be used in other areas. We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit.

    Expecting that this category of side-channel exploits would be no different, one of the steps we took earlier this year was expanding our bug bounty program to support and accelerate the identification of new methods. The response to that program has been encouraging, and we are thankful for the continued partnership we have with the research community.

    More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (

    As part of this ongoing work, today Intel and other industry partners are providing details and mitigation information for a new derivative of the original vulnerabilities impacting us and other chipmakers. This new derivative is called Variant 4, and it’s being disclosed jointly by GPZ and Microsoft’s Security Response Center (MSRC).*

    In the spirit of Intel’s security first pledge, I want to explain what this new variant is and how customers can protect themselves. As I do this, let me start by saying that we have not seen any reports of this method being used in real-world exploits. Moreover, there are multiple ways for consumers and IT professionals to safeguard their systems against potential exploits, including browser-based mitigations that have already been deployed and are available for use today.

    About Variant 4

    Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.

    Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.

    We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client [1] and server [2] test systems.

    This same update also includes microcode that addresses Variant 3a (Rogue System Register Read), which was previously documented publicly by Arm* in January. We have not observed any meaningful performance impact on client or server benchmarks with the Variant 3a mitigation. [3] We’ve bundled these two microcode updates together to streamline the process for our industry partners and customers. This is something you will see us continue, as we recognize that a more predictable and consolidated update process will be helpful to the entire ecosystem.


    Last edited by Brink; 28 May 2018 at 18:03.

  2.    22 May 2018 #1

    Current protection against Spectre Variant 1 (found in Windows and in web browsers) only partially protects against Variant 4 (Speculative Store Bypass). It sounds like the reason mitigation will be disabled by default in the new microcode update is because the performance hit will be high for most processors.
    Last edited by Ground Sloth; 22 May 2018 at 08:43.

  3. Posts : 51
    Windows 10 Pro 64-bit OEM
       22 May 2018 #2

    This is starting to get a little out of hand. How much is enough? Time they are done with this patching. My i5 6600K will lose 20% performance. It's starting to peeve me off.

  4.    22 May 2018 #3

    Yep, bored of it. I think it gets blown slightly out of hand anyway.

    I'm not updating my BIOS or doing this and that anymore. It's bad enough dealing with all the Windows updates (or in fact updates across all our home devices, whether it be Apple, Microsoft, PlayStation, Xbox, Android etc. etc.) getting pushed every time the wind changes. Now we've got this microcode nonsense to deal with. Changing the BIOS (which my Apple ID account hates, as it thinks I'm logging into a new machine and adding slots when I use iTunes or iCloud for Windows after a BIOS change). More time faffing about with stuff most evenings than actually using the things. And our ultra expensive processors potentially reduced to early Pentium performance with all this. Kudos to this forum and the members for keeping everything informed, but I'm going to stop trying to keep on top of this now, I think.


  6.    22 May 2018 #5

    According to the Ubuntu Wiki, the performance impact that results from enabling SSBD (Speculative Store Bypass Disable) is "notable." But it will only be enabled for certain types of programs that need the extra protection. It won't be enabled system-wide. I imagine Microsoft will do the same thing.

    SecurityTeam/KnowledgeBase/Variant4 - Ubuntu Wiki
    Last edited by Ground Sloth; 22 May 2018 at 10:08.
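The post above describes the per-program model: on Linux, SSBD is applied only to processes that opt in (via prctl or seccomp) rather than system-wide. As an added example, not code from this thread, from Intel or from the Ubuntu wiki, the Python script below shows how an administrator can check both levels of that status on a Linux host. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and the Speculation_Store_Bypass line in /proc/<pid>/status (Linux 4.17 and later); the sample lines embedded in it are constructed so that it runs offline.

```python
"""Classify Speculative Store Bypass (Variant 4) mitigation status on Linux.

Added example for this thread; not code from Intel, Microsoft or the Ubuntu wiki.
Two kernel interfaces are read (assumption: Linux 4.17+):
  * /sys/devices/system/cpu/vulnerabilities/spec_store_bypass  (system-wide summary)
  * the "Speculation_Store_Bypass:" line in /proc/<pid>/status  (per-thread state)
The sample strings at the bottom are constructed for offline use.
"""
from pathlib import Path

SYSFS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")

# Per-thread values the kernel documents for Speculation_Store_Bypass.
PROTECTED_THREAD_STATES = {
    "not vulnerable",
    "thread force mitigated",
    "thread mitigated",
    "globally mitigated",
}


def classify_system(line: str) -> str:
    """Map the sysfs summary line to a coarse verdict.

    Returns one of: not_affected, vulnerable, mitigated_opt_in, mitigated_global, unknown.
    """
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    if text.startswith("Mitigation:"):
        # "disabled via prctl [and seccomp]" means SSBD is applied only to
        # processes that opt in; without that suffix the kernel applies it to all.
        if "prctl" in text or "seccomp" in text:
            return "mitigated_opt_in"
        return "mitigated_global"
    return "unknown"


def classify_process(status_text: str) -> str:
    """Extract the Speculation_Store_Bypass value from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Speculation_Store_Bypass":
            return value.strip()
    return "unknown"


def process_protected(status_text: str) -> bool:
    """True when the kernel reports the thread as covered by SSBD (opt-in or global)."""
    return classify_process(status_text) in PROTECTED_THREAD_STATES


def report(sysfs_line: str, status_text: str) -> dict:
    """Combine both views into one record suitable for logging or an inventory tool."""
    system = classify_system(sysfs_line)
    return {
        "system": system,
        "thread_state": classify_process(status_text),
        "thread_protected": process_protected(status_text),
        # Opt-in mode is only useful if this particular process actually opted in.
        "gap": system == "mitigated_opt_in" and not process_protected(status_text),
    }


def read_live() -> dict:
    """Read the real interfaces; only meaningful on a Linux host with these files."""
    sysfs_line = SYSFS_PATH.read_text() if SYSFS_PATH.exists() else ""
    status_path = Path("/proc/self/status")
    status_text = status_path.read_text() if status_path.exists() else ""
    return report(sysfs_line, status_text)


# Constructed samples: an opt-in system where this process did not opt in.
SAMPLE_SYSFS = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"
SAMPLE_STATUS = "Name:\tbash\nPid:\t4242\nSpeculation_Store_Bypass:\tthread vulnerable\nCpus_allowed:\tf\n"

if __name__ == "__main__":
    print("sample:", report(SAMPLE_SYSFS, SAMPLE_STATUS))
    print("live:  ", read_live())
```

The "gap" flag is the point of the per-process check: a host can report a mitigation in sysfs while a given sandbox or browser process is still running unprotected, because nothing called prctl or applied a seccomp filter for it.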

  7.    23 May 2018 #6

    I guess we will have all these security updates forced on us anyway...
    (At least at software level).


  10. storageman's Avatar
    Posts : 430
    Windows 10 Pro 1803 17134.137
       23 May 2018 #9

    After reading those links (and the previous ones from the first of the year), it is apparent that the hardware engineers have lost focus. It looks like they want to make logic decisions that should be left to the software programmer, e.g.:

    Quote from :

    To illustrate how this might occur, it may help to consider the following simple example. In this example, RDI and RSI are assumed to be equal to the same address on the architectural path.

    01: 88040F mov [rdi+rcx],al
    02: 4C0FB6040E movzx r8,byte [rsi+rcx]
    03: 49C1E00C shl r8,byte 0xc
    04: 428B0402 mov eax,[rdx+r8]
    In this example, the MOV instruction on line 1 may take additional time to execute (e.g. if the computation of the address expression for RDI+RCX is waiting on prior instructions to execute). If this occurs, the CPU may predict that the MOVZX is not dependent on the MOV and may speculatively execute it ahead of the MOV that performs the store. This can result in stale data from the memory located at RSI+RCX being loaded into R8 and fed to a dependent load on line 4. If the byte value in R8 is sensitive, then it may be observed through a side channel by leveraging a cache-based disclosure primitive such as FLUSH+RELOAD (if RDX refers to shared memory) or PRIME+PROBE. The CPU will eventually detect the misprediction and discard that state that was computed, but the data that was accessed during speculation may have created residual side effects in the cache by this point that can then be measured to infer the value that was loaded into R8.

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.