Last active
April 29, 2024 05:31
Revisions
tenpoku1000 revised this gist
Apr 29, 2024 . 1 changed file with 68 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -213,7 +213,7 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Processors Affected: Special Register Buffer Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-srbds.html ## (16) CVE-2020-8694/CVE-2020-8695 PLATYPUS:With Great Power comes Great Leakage PLATYPUS: With Great Power comes Great Leakage https://platypusattack.com/ 
@@ -224,6 +224,73 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se INTEL-SA-00389 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html ## (17) CVE-2022-24436 Hertzbleed Attack:Frequency Throttling Side Channel Guidance Hertzbleed Attack https://www.hertzbleed.com/ Frequency Throttling Side Channel Guidance https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/frequency-throttling-side-channel-guidance.html INTEL-SA-00698 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html 暗号実装における周波数サイドチャネル攻撃のソフトウェア・ガイダンス https://www.isus.jp/wp-content/uploads/pdf/887_frequency-throttling-side-channel-guidance.pdf ## (18) CVE-2022-0001/CVE-2022-0002 BHI:Branch History Injection and Intra-mode Branch Target Injection Branch History Injection and Intra-mode Branch Target Injection https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html Branch History Injection and Intra-mode Branch Target Injection https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html INTEL-SA-00598 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html ブランチヒストリーインジェクション〜シン・すべてがNになる〜 - エンタングルメントosugi3yのブログ https://osugi3y.hatenablog.com/entry/2022/03/13/121244 ## (19) CVE-2022-29901 Retbleed:Return Stack Buffer Underflow Retbleed - Wikipedia https://en.wikipedia.org/wiki/Retbleed Retbleed: Arbitrary Speculative Code Execution with Return Instructions - Computer Security Group https://comsec.ethz.ch/research/microarch/retbleed/ Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 /... 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html INTEL-SA-00702 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html ## (20) CVE-2022-40982 Downfall:Gather Data Sampling Downfall (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Downfall_(security_vulnerability) Downfall https://downfall.page/ Gather Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/gather-data-sampling.html INTEL-SA-00828 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html 【再掲】【海外記事】 Gather Data Sampling|ささだんご🎋🍡 https://note.com/sasadango_0503/n/n60651542019b ## (21) CVE-2023-28746 Register File Data Sampling(RFDS) Register File Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html INTEL-SA-00898 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html ## 参考資料 Transient execution CPU vulnerability - Wikipedia -
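Review bot: the new (19) heading in the @@ -224,6 +224,73 @@ hunk carries only CVE-2022-29901, but the Intel advisory title linked in the same section reads "Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693". Sections (5), (6) and (16) put every covered CVE in the heading, so add CVE-2022-28693 to the (19) heading as well; otherwise a search of the list for that identifier misses the section.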
tenpoku1000 revised this gist
Apr 29, 2024 . 1 changed file with 6 additions and 1 deletion.
@@ -1,13 +1,18 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2024/04/29 更新 ## 影響を受けるプロセッサ Affected Processors: Transient Execution Attacks & Related Security... https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html ## ソフトウェア・セキュリティ・ガイダンス Software Security Guidance from Intel https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/overview.html ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution... -
tenpoku1000 revised this gist
Apr 27, 2024 . 1 changed file with 7 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -51,8 +51,8 @@ https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ ## (2) CVE-2017-5715 Variant 2 Spectre v2:Branch Target Injection Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Community Hub https://techcommunity.microsoft.com/t5/windows-os-platform-blog/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 Retpoline: A Branch Target Injection Mitigation https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html @@ -65,8 +65,8 @@ https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) Kernel page-table isolation - Wikipedia https://en.wikipedia.org/wiki/Kernel_page-table_isolation KVA Shadow: Mitigating Meltdown on Windows | MSRC Blog | Microsoft Security Response Center https://msrc.microsoft.com/blog/2018/03/kva-shadow-mitigating-meltdown-on-windows/ ## (3a) CVE-2018-3640 Variant 3a Spectre-NG v3a:Rogue System Register Read @@ -78,8 +78,8 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Speculative Store Bypass / CVE-2018-3639 / INTEL-SA-00115 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/speculative-store-bypass.html Analysis and mitigation of speculative store bypass (CVE-2018-3639) | MSRC Blog | Microsoft Security Response Center https://msrc.microsoft.com/blog/2018/05/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ ## (5) CVE-2018-3615 Foreshadow, CVE-2018-3620 Foreshadow-OS, CVE-2018-3646 Foreshadow-VMM:L1 Terminal Fault(L1TF) 
@@ -138,7 +138,7 @@ https://t.co/6BqBFDPYrt / Twitter https://twitter.com/mhiramat/status/1007528520208211970 Cyberus Technology - Intel LazyFP vulnerability: Exploiting lazy FPU state switching https://web.archive.org/web/20230930185339/https://www.cyberus-technology.de/posts/intel-lazyfp-vulnerability/ x86/fpu: Hard-disable lazy FPU mode · torvalds/linux@ca6938a https://github.com/torvalds/linux/commit/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7#diff-6a01d6e7c8d7d23cfa48026e616275e8 -
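Review bot: in the @@ -138,7 +138,7 @@ hunk, the link for "x86/fpu: Hard-disable lazy FPU mode · torvalds/linux@ca6938a" points at the host github.com rather than github.com. The same hunk already repoints the Cyberus article at a web.archive.org snapshot, so this is a good moment to point the commit link at the repository's own host too, which lets a reader check commit ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7 against upstream instead of trusting an intermediate site.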
tenpoku1000 revised this gist
Apr 27, 2024 . 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -81,15 +81,15 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Analysis and mitigation of speculative store bypass (CVE-2018-3639) – Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ ## (5) CVE-2018-3615 Foreshadow, CVE-2018-3620 Foreshadow-OS, CVE-2018-3646 Foreshadow-VMM:L1 Terminal Fault(L1TF) Foreshadow - Wikipedia https://en.wikipedia.org/wiki/Foreshadow L1 Terminal Fault https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-l1-terminal-fault.html ## (6) CVE-2018-12126 Fallout(MSBDS), CVE-2018-12127 RIDL(MLPDS), CVE-2018-12130 RIDL/ZombieLoad(MFBDS), CVE-2019-11091 RIDL(MDSUM):Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling -
tenpoku1000 revised this gist
Apr 27, 2024 . 1 changed file with 17 additions and 12 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2024/04/27 更新 ## 影響を受けるプロセッサ @@ -41,15 +41,15 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Indirect Branch Predictor Barrier https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.html ## (1) CVE-2017-5753 Variant 1 Spectre v1: Bounds Check Bypass Analyzing Potential Bounds Check Bypass Vulnerabilities https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/analyzing-bounds-check-bypass-vulnerabilities.html Spectre mitigations in MSVC - C++ Team Blog https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ ## (2) CVE-2017-5715 Variant 2 Spectre v2:Branch Target Injection Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Tech Community https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 
@@ -68,20 +68,20 @@ https://en.wikipedia.org/wiki/Kernel_page-table_isolation KVA Shadow: Mitigating Meltdown on Windows – Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/ ## (3a) CVE-2018-3640 Variant 3a Spectre-NG v3a:Rogue System Register Read Rogue System Register Read / CVE-2018-3640 / INTEL-SA-00115 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/rogue-system-register-read.html ## (4) CVE-2018-3639 Variant 4 Spectre-NG v4:Speculative Store Bypass Speculative Store Bypass / CVE-2018-3639 / INTEL-SA-00115 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/speculative-store-bypass.html Analysis and mitigation of speculative store bypass (CVE-2018-3639) – Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ ## (5) CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 L1 Terminal Fault(L1TF) Foreshadow - Wikipedia https://en.wikipedia.org/wiki/Foreshadow @@ -97,7 +97,7 @@ https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Microarchitectural Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html ## (7) CVE-2019-11135 RIDL/ZombieLoad v2:Transactional Asynchronous Abort(TAA) Intel® Transactional Synchronization Extensions (Intel® TSX)... https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-tsx-asynchronous-abort.html 
@@ -118,7 +118,7 @@ https://www.intel.com/content/www/us/en/developer/articles/news/more-information CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 ## (10) CVE-2018-3665 Spectre-NG:Lazy FPU Save/Restore INTEL-SA-00145 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html @@ -153,7 +153,7 @@ mov命令なんて知らなかったなー、みたいな気持ちになる。 全然メリットにならないというかむしろ遅くなったりするんですよねえ」 / Twitter https://twitter.com/takehiro_t/status/1158335098564956160 ## (11) CVE-2020-0549 RIDL/CacheOut/ZombieLoad:L1D Eviction Sampling(L1DES) CacheOut https://cacheoutattack.com/ @@ -164,15 +164,15 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Processors Affected: L1D Eviction Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-l1d-eviction-sampling.html ## (12) CVE-2020-0548 RIDL:Vector Register Sampling(VRS) Vector Register Sampling / CVE-2020-0548 , CVE 2020-8696 /... https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/vector-register-sampling.html Processors Affected: Vector Register Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-vector-register-sampling.html ## (13) CVE-2020-0551 Load Value Injection(LVI) LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ 
@@ -197,7 +197,7 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se Processors Affected: Snoop-assisted L1 Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-snoop-assisted-l1d-sampling.html ## (15) CVE-2020-0543 CROSSTalk:Special Register Buffer Data Sampling(SRBDS) Special Register Buffer Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/special-register-buffer-data-sampling.html @@ -219,3 +219,8 @@ https://www.intel.com/content/www/us/en/developer/articles/technical/software-se INTEL-SA-00389 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html ## 参考資料 Transient execution CPU vulnerability - Wikipedia https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability -
tenpoku1000 revised this gist
May 7, 2022 . 1 changed file with 43 additions and 43 deletions.
@@ -1,61 +1,61 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2022/05/07 更新 ## 影響を受けるプロセッサ Affected Processors: Transient Execution Attacks & Related Security... https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution... https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/sysadmin-guidance-transient-execution-side-channel.html ## セキュア・コーディング Loading Microcode from the OS https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html Security Best Practices for Side Channel Resistance https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/security-best-practices-side-channel-resistance.html Guidelines for Mitigating Timing Side Channels Against Cryptographic... 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/mitigate-timing-side-channel-crypto-implementation.html How to Assess the Risk of Your Application https://www.intel.com/content/www/us/en/developer/articles/training/software-security-guidance/secure-coding/how-assess-risk-your-application.html ## 脆弱性対策として追加された CPUID/MSR CPUID Enumeration and Architectural MSRs https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html Indirect Branch Restricted Speculation https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html Single Thread Indirect Branch Predictors https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html Indirect Branch Predictor Barrier https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.html ## (1) CVE-2017-5753 Variant 1 Bounds Check Bypass Analyzing Potential Bounds Check Bypass Vulnerabilities https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/analyzing-bounds-check-bypass-vulnerabilities.html Spectre mitigations in MSVC - C++ Team Blog https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ ## (2) CVE-2017-5715 Variant 2 Branch Target Injection Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Tech Community https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 Retpoline: A Branch Target Injection Mitigation 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html ## (3) CVE-2017-5754 Variant 3 Meltdown:Rogue Data Cache Load 
@@ -65,55 +65,55 @@ https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) Kernel page-table isolation - Wikipedia https://en.wikipedia.org/wiki/Kernel_page-table_isolation KVA Shadow: Mitigating Meltdown on Windows – Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/ ## (3a) CVE-2018-3640 Variant 3a Rogue System Register Read Rogue System Register Read / CVE-2018-3640 / INTEL-SA-00115 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/rogue-system-register-read.html ## (4) CVE-2018-3639 Variant 4 Speculative Store Bypass Speculative Store Bypass / CVE-2018-3639 / INTEL-SA-00115 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/speculative-store-bypass.html Analysis and mitigation of speculative store bypass (CVE-2018-3639) – Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ ## (5) CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 L1 Terminal Fault Foreshadow - Wikipedia https://en.wikipedia.org/wiki/Foreshadow L1 Terminal Fault https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-l1-terminal-fault.html ## (6) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Microarchitectural Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html ## (7) CVE-2019-11135 Transactional Asynchronous Abort Intel® Transactional Synchronization Extensions (Intel® TSX)... 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-tsx-asynchronous-abort.html ## (8) CVE-2019-1125 Spectre SWAPGS gadget vulnerability Speculative Behavior of SWAPGS and Segment Registers https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/speculative-behavior-swapgs-and-segment-registers.html ## (9) CVE-2019-0162 Spoiler Spoiler (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Spoiler_(security_vulnerability) More Information on Spoiler https://www.intel.com/content/www/us/en/developer/articles/news/more-information-spoiler.html CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 
@@ -159,62 +159,62 @@ CacheOut https://cacheoutattack.com/ L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/l1d-eviction-sampling.html Processors Affected: L1D Eviction Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-l1d-eviction-sampling.html ## (12) CVE-2020-0548 Vector Register Sampling Vector Register Sampling / CVE-2020-0548 , CVE 2020-8696 /... https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/vector-register-sampling.html Processors Affected: Vector Register Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-vector-register-sampling.html ## (13) CVE-2020-0551 Load Value Injection LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ An Optimized Mitigation Approach for Load Value Injection https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/optimized-mitigation-approach-load-value-injection.html Load Value Injection https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/load-value-injection.html Processors Affected: Load Value Injection https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-load-value-injection.html ## (14) CVE-2020-0550 Snoop-assisted L1 Data Sampling Snoop-assisted L1 Data Sampling / CVE-2020-0550 / INTEL-SA-00330 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/snoop-assisted-l1-data-sampling.html Snoop-Assisted L1 Data Sampling 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/snoop-assisted-l1-data-sampling.html Processors Affected: Snoop-assisted L1 Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-snoop-assisted-l1d-sampling.html ## (15) CVE-2020-0543 Special Register Buffer Data Sampling(SRBDS) Special Register Buffer Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/special-register-buffer-data-sampling.html SRBDS Mitigation Impact on Intel® Secure Key https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/srbds-mitigation-impact-intel-secure-key.html Processors Affected: Special Register Buffer Data Sampling https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-srbds.html ## (16) CVE-2020-8694/CVE-2020-8695 With Great Power comes Great Leakage(PLATYPUS) PLATYPUS: With Great Power comes Great Leakage https://platypusattack.com/ Running Average Power Limit Energy Reporting CVE-2020-8694,... https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html INTEL-SA-00389 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html -
tenpoku1000 revised this gist
Sep 20, 2021 . 1 changed file with 46 additions and 45 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2021/09/21 更新 ## 影響を受けるプロセッサ 
@@ -10,41 +10,41 @@ https://software.intel.com/security-software-guidance/processors-affected-transi ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution... https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/best-practices/sysadmin-guidance-transient-execution-side-channel.html ## セキュア・コーディング Loading Microcode from the OS https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/secure-coding/loading-microcode-os.html Security Best Practices for Side Channel Resistance https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/secure-coding/security-best-practices-side-channel-resistance.html Guidelines for Mitigating Timing Side Channels Against Cryptographic... https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/secure-coding/mitigate-timing-side-channel-crypto-implementation.html How to Assess the Risk of Your Application https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/secure-coding/how-assess-risk-your-application.html ## 脆弱性対策として追加された CPUID/MSR CPUID Enumeration and Architectural MSRs https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html Indirect Branch Restricted Speculation https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html Single Thread Indirect Branch Predictors https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html Indirect Branch Predictor Barrier https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.html ## (1) CVE-2017-5753 Variant 1 Bounds Check 
Bypass Analyzing Potential Bounds Check Bypass Vulnerabilities https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/analyzing-bounds-check-bypass-vulnerabilities.html Spectre mitigations in MSVC | C++ Team Blog https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ @@ -55,7 +55,7 @@ Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Tech Communit https://techcommunity.microsoft.com/t5/windows-kernel-internals/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 Retpoline: A Branch Target Injection Mitigation https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html ## (3) CVE-2017-5754 Variant 3 Meltdown:Rogue Data Cache Load @@ -70,13 +70,13 @@ https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-win ## (3a) CVE-2018-3640 Variant 3a Rogue System Register Read Rogue System Register Read / CVE-2018-3640 / INTEL-SA-00115 https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/rogue-system-register-read.html ## (4) CVE-2018-3639 Variant 4 Speculative Store Bypass Speculative Store Bypass / CVE-2018-3639 / INTEL-SA-00115 https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/speculative-store-bypass.html Analysis and mitigation of speculative store bypass (CVE-2018-3639) - Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ 
@@ -86,34 +86,34 @@ https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculativ Foreshadow (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability) L1 Terminal Fault https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/intel-analysis-l1-terminal-fault.html ## (6) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Microarchitectural Data Sampling (Fallout/Zombieload/RIDL) https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html ## (7) CVE-2019-11135 Transactional Asynchronous Abort Intel® Transactional Synchronization Extensions (Intel® TSX)... https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/intel-tsx-asynchronous-abort.html ## (8) CVE-2019-1125 Spectre SWAPGS gadget vulnerability Speculative Behavior of SWAPGS and Segment Registers https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/speculative-behavior-swapgs-and-segment-registers.html ## (9) CVE-2019-0162 Spoiler Spoiler (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Spoiler_(security_vulnerability) More Information on Spoiler https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/bulletins/more-information-spoiler.html CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 
@@ -158,63 +158,64 @@ mov命令なんて知らなかったなー、みたいな気持ちになる。 CacheOut https://cacheoutattack.com/ L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329 https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/l1d-eviction-sampling.html Processors Affected: L1D Eviction Sampling https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/resources/processors-affected-l1d-eviction-sampling.html ## (12) CVE-2020-0548 Vector Register Sampling Vector Register Sampling / CVE-2020-0548 , CVE 2020-8696 /... https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/vector-register-sampling.html Processors Affected: Vector Register Sampling https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/resources/processors-affected-vector-register-sampling.html ## (13) CVE-2020-0551 Load Value Injection LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ An Optimized Mitigation Approach for Load Value Injection https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/best-practices/optimized-mitigation-approach-load-value-injection.html Load Value Injection https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/load-value-injection.html Processors Affected: Load Value Injection https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/resources/processors-affected-load-value-injection.html ## (14) CVE-2020-0550 Snoop-assisted L1 Data Sampling Snoop-assisted L1 Data Sampling / CVE-2020-0550 / INTEL-SA-00330 https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/snoop-assisted-l1-data-sampling.html Snoop-Assisted L1 Data Sampling 
https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/snoop-assisted-l1-data-sampling.html Processors Affected: Snoop-assisted L1 Data Sampling https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/resources/processors-affected-snoop-assisted-l1d-sampling.html ## (15) CVE-2020-0543 Special Register Buffer Data Sampling(SRBDS) Special Register Buffer Data Sampling https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/technical-documentation/special-register-buffer-data-sampling.html SRBDS Mitigation Impact on Intel® Secure Key https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/best-practices/srbds-mitigation-impact-intel-secure-key.html Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/resources/processors-affected-srbds.html ## (16) CVE-2020-8694/CVE-2020-8695 With Great Power comes Great Leakage(PLATYPUS) PLATYPUS: With Great Power comes Great Leakage https://platypusattack.com/ Running Average Power Limit Energy Reporting CVE-2020-8694,... https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html INTEL-SA-00389 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html -
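Review bot: Several link titles in this patch are cut off with a trailing "...": "Intel® Transactional Synchronization Extensions (Intel® TSX)..." under (7), "Vector Register Sampling / CVE-2020-0548 , CVE 2020-8696 /..." under (12) and "Running Average Power Limit Energy Reporting CVE-2020-8694,..." under (16). Write these titles out in full, as the neighbouring entries do, so a reader can still identify the document if the URL moves again. The second identifier in the (12) title also reads "CVE 2020-8696" without the hyphen, which makes it harder to find by search.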
tenpoku1000 revised this gist
Apr 7, 2021 . 1 changed file with 6 additions and 1 deletion.
@@ -1,7 +1,12 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2021/04/08 更新 ## 影響を受けるプロセッサ Affected Processors: Transient Execution Attacks & Related Security Issues by CPU https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model ## システム管理者向けのガイダンス -
tenpoku1000 revised this gist
Nov 11, 2020 . 1 changed file with 26 additions and 1 deletion.
@@ -1,13 +1,27 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2020/11/11 更新 ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution Side Channel Issues https://software.intel.com/security-software-guidance/best-practices/guidance-system-administrators-mitigate-transient-execution-side-channel-issues ## セキュア・コーディング Loading Microcode from the OS https://software.intel.com/security-software-guidance/secure-coding/loading-microcode-os Security Best Practices for Side Channel Resistance https://software.intel.com/security-software-guidance/secure-coding/security-best-practices-side-channel-resistance Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations https://software.intel.com/security-software-guidance/secure-coding/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations How to Assess the Risk of Your Application https://software.intel.com/security-software-guidance/secure-coding/how-assess-risk-your-application ## 脆弱性対策として追加された CPUID/MSR CPUID Enumeration and Architectural MSRs 
@@ -188,3 +202,14 @@ https://software.intel.com/security-software-guidance/best-practices/srbds-mitig Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-special-register-buffer-data-sampling ## (16) CVE-2020-8694/CVE-2020-8695 With Great Power comes Great Leakage(PLATYPUS) PLATYPUS: With Great Power comes Great Leakage https://platypusattack.com/ Running Average Power Limit Energy Reporting https://software.intel.com/security-software-guidance/advisory-guidance/running-average-power-limit-energy-reporting INTEL-SA-00389 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html -
tenpoku1000 revised this gist
Sep 16, 2020 . 1 changed file with 10 additions and 10 deletions.
@@ -70,25 +70,25 @@ https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability) L1 Terminal Fault | 01.org API https://software.intel.com/security-software-guidance/api-app/deep-dives/deep-dive-intel-analysis-l1-terminal-fault ## (6) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Microarchitectural Data Sampling https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-analysis-microarchitectural-data-sampling ## (7) CVE-2019-11135 Transactional Asynchronous Abort Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort ## (8) CVE-2019-1125 Spectre SWAPGS gadget vulnerability Speculative Behavior of SWAPGS and Segment Registers https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-analysis-speculative-behavior-swapgs-and-segment-registers ## (9) CVE-2019-0162 Spoiler Spoiler (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Spoiler_(security_vulnerability) @@ -99,7 +99,7 @@ https://software.intel.com/security-software-guidance/bulletins/more-information CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 ## (10) CVE-2018-3665 Lazy FPU Save/Restore INTEL-SA-00145 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html 
@@ -134,7 +134,7 @@ mov命令なんて知らなかったなー、みたいな気持ちになる。 全然メリットにならないというかむしろ遅くなったりするんですよねえ」 / Twitter https://twitter.com/takehiro_t/status/1158335098564956160 ## (11) CVE-2020-0549 L1D Eviction Sampling CacheOut https://cacheoutattack.com/ @@ -145,15 +145,15 @@ https://software.intel.com/security-software-guidance/advisory-guidance/l1d-evic Processors Affected: L1D Eviction Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-l1d-eviction-sampling ## (12) CVE-2020-0548 Vector Register Sampling Vector Register Sampling https://software.intel.com/security-software-guidance/advisory-guidance/vector-register-sampling Processors Affected: Vector Register Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-vector-register-sampling ## (13) CVE-2020-0551 Load Value Injection LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ @@ -167,7 +167,7 @@ https://software.intel.com/security-software-guidance/deep-dives/deep-dive-load- Processors Affected: Load Value Injection https://software.intel.com/security-software-guidance/resources/processors-affected-load-value-injection ## (14) CVE-2020-0550 Snoop-assisted L1 Data Sampling Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/advisory-guidance/snoop-assisted-l1-data-sampling @@ -178,7 +178,7 @@ https://software.intel.com/security-software-guidance/deep-dives/deep-dive-snoop Processors Affected: Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-snoop-assisted-l1-data-sampling ## (15) CVE-2020-0543 Special Register Buffer Data Sampling(SRBDS) Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/deep-dives/deep-dive-special-register-buffer-data-sampling -
tenpoku1000 revised this gist
Sep 16, 2020 . 1 changed file with 0 additions and 3 deletions.
@@ -188,6 +188,3 @@ https://software.intel.com/security-software-guidance/best-practices/srbds-mitig Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-special-register-buffer-data-sampling -
tenpoku1000 revised this gist
Sep 16, 2020 . 1 changed file with 45 additions and 43 deletions.
@@ -1,29 +1,31 @@ # 投機的実行サイドチャネルハードウェア脆弱性 2020/09/16 更新 ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution Side Channel Issues https://software.intel.com/security-software-guidance/best-practices/guidance-system-administrators-mitigate-transient-execution-side-channel-issues ## 脆弱性対策として追加された CPUID/MSR CPUID Enumeration and Architectural MSRs https://software.intel.com/security-software-guidance/deep-dives/deep-dive-cpuid-enumeration-and-architectural-msrs Indirect Branch Restricted Speculation https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Single Thread Indirect Branch Predictors https://software.intel.com/security-software-guidance/deep-dives/deep-dive-single-thread-indirect-branch-predictors Indirect Branch Predictor Barrier https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-predictor-barrier ## (1) CVE-2017-5753 Variant 1 Bounds Check Bypass Analyzing Potential Bounds Check Bypass Vulnerabilities https://software.intel.com/security-software-guidance/deep-dives/deep-dive-analyzing-potential-bounds-check-bypass-vulnerabilities Spectre mitigations in MSVC | C++ Team Blog https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ 
@@ -33,8 +35,8 @@ https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Tech Community - 295618 https://techcommunity.microsoft.com/t5/windows-kernel-internals/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 Retpoline: A Branch Target Injection Mitigation https://software.intel.com/security-software-guidance/deep-dives/deep-dive-retpoline-branch-target-injection-mitigation ## (3) CVE-2017-5754 Variant 3 Meltdown:Rogue Data Cache Load @@ -50,15 +52,12 @@ https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-win ## (3a) CVE-2018-3640 Variant 3a Rogue System Register Read Rogue System Register Read https://software.intel.com/security-software-guidance/advisory-guidance/rogue-system-register-read ## (4) CVE-2018-3639 Variant 4 Speculative Store Bypass Speculative Store Bypass https://software.intel.com/security-software-guidance/advisory-guidance/speculative-store-bypass Analysis and mitigation of speculative store bypass (CVE-2018-3639) - Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ 
@@ -68,34 +67,34 @@ https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculativ Foreshadow (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability) L1 Terminal Fault | 01.org API https://software.intel.com/security-software-guidance/api-app/deep-dives/deep-dive-intel-analysis-l1-terminal-fault ## (5) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Microarchitectural Data Sampling https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-analysis-microarchitectural-data-sampling ## (6) CVE-2019-11135 Transactional Asynchronous Abort Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort ## (7) CVE-2019-1125 Spectre SWAPGS gadget vulnerability Speculative Behavior of SWAPGS and Segment Registers https://software.intel.com/security-software-guidance/deep-dives/deep-dive-intel-analysis-speculative-behavior-swapgs-and-segment-registers ## (8) CVE-2019-0162 Spoiler Spoiler (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Spoiler_(security_vulnerability) More Information on Spoiler https://software.intel.com/security-software-guidance/bulletins/more-information-spoiler CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 
@@ -141,51 +140,54 @@ CacheOut https://cacheoutattack.com/ L1D Eviction Sampling https://software.intel.com/security-software-guidance/advisory-guidance/l1d-eviction-sampling Processors Affected: L1D Eviction Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-l1d-eviction-sampling ## (11) CVE-2020-0548 Vector Register Sampling Vector Register Sampling https://software.intel.com/security-software-guidance/advisory-guidance/vector-register-sampling Processors Affected: Vector Register Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-vector-register-sampling ## (12) CVE-2020-0551 Load Value Injection LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ An Optimized Mitigation Approach for Load Value Injection https://software.intel.com/security-software-guidance/best-practices/optimized-mitigation-approach-load-value-injection Load Value Injection https://software.intel.com/security-software-guidance/deep-dives/deep-dive-load-value-injection Processors Affected: Load Value Injection https://software.intel.com/security-software-guidance/resources/processors-affected-load-value-injection ## (13) CVE-2020-0550 Snoop-assisted L1 Data Sampling Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/advisory-guidance/snoop-assisted-l1-data-sampling Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/deep-dives/deep-dive-snoop-assisted-l1-data-sampling Processors Affected: Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-snoop-assisted-l1-data-sampling ## (14) CVE-2020-0543 Special Register Buffer Data Sampling(SRBDS) Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/deep-dives/deep-dive-special-register-buffer-data-sampling SRBDS Mitigation Impact on Intel® Secure Key 
https://software.intel.com/security-software-guidance/best-practices/srbds-mitigation-impact-intel-secure-key Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-special-register-buffer-data-sampling Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/resources/processors-affected-special-register-buffer-data-sampling -
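Review bot: The last hunk ends with the "Processors Affected: Special Register Buffer Data Sampling" entry and its URL twice in a row under (14); drop the second copy. In the @@ -68,34 +67,34 @@ hunk the "Deep Dive:" prefixes have been removed from the Intel titles, but the L1 Terminal Fault entry still reads "L1 Terminal Fault | 01.org API" and keeps the "api-app" path segment, so it is worth cleaning that title and checking the URL against the pattern used by the other deep-dive links.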
tenpoku1000 revised this gist
Jul 15, 2020 . 1 changed file with 3 additions and 0 deletions.
@@ -52,6 +52,9 @@ https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-win Rogue System Register Read https://software.intel.com/security-software-guidance/software-guidance/rogue-system-register-read Instructions Affected by Rogue System Register Read https://software.intel.com/security-software-guidance/insights/instructions-affected-rogue-system-register-read ## (4) CVE-2018-3639 Variant 4 Speculative Store Bypass Speculative Store Bypass -
tenpoku1000 revised this gist
Jun 11, 2020 . 1 changed file with 16 additions and 0 deletions.
@@ -1,6 +1,11 @@ # 投機的実行サイドチャネルハードウェア脆弱性 ## システム管理者向けのガイダンス Guidance for System Administrators to Mitigate Transient Execution Side Channel Issues https://software.intel.com/security-software-guidance/insights/guidance-system-administrators-mitigate-transient-execution-side-channel-issues ## 脆弱性対策として追加された CPUID/MSR Deep Dive: CPUID Enumeration and Architectural MSRs @@ -170,3 +175,14 @@ https://software.intel.com/security-software-guidance/insights/deep-dive-snoop-a Processors Affected: Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-snoop-assisted-l1-data-sampling ## (14) CVE-2020-0543 Special Register Buffer Data Sampling(SRBDS) Deep Dive: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/insights/deep-dive-special-register-buffer-data-sampling SRBDS Mitigation Impact on Intel® Secure Key https://software.intel.com/security-software-guidance/insights/srbds-mitigation-impact-intel-secure-key Processors Affected: Special Register Buffer Data Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-special-register-buffer-data-sampling -
tenpoku1000 revised this gist
Mar 12, 2020 . 1 changed file with 11 additions and 0 deletions.
@@ -159,3 +159,14 @@ https://software.intel.com/security-software-guidance/insights/deep-dive-load-va Processors Affected: Load Value Injection https://software.intel.com/security-software-guidance/insights/processors-affected-load-value-injection ## (13) CVE-2020-0550 Snoop-assisted L1 Data Sampling Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/software-guidance/snoop-assisted-l1-data-sampling Deep Dive: Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/insights/deep-dive-snoop-assisted-l1-data-sampling Processors Affected: Snoop-assisted L1 Data Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-snoop-assisted-l1-data-sampling -
tenpoku1000 revised this gist
Mar 11, 2020 . 1 changed file with 14 additions and 0 deletions.
@@ -145,3 +145,17 @@ https://software.intel.com/security-software-guidance/software-guidance/vector-r Processors Affected: Vector Register Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-vector-register-sampling ## (12) CVE-2020-0551 Load Value Injection LVI: Hijacking Transient Execution with Load Value Injection https://lviattack.eu/ An Optimized Mitigation Approach for Load Value Injection https://software.intel.com/security-software-guidance/insights/optimized-mitigation-approach-load-value-injection Deep Dive: Load Value Injection https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection Processors Affected: Load Value Injection https://software.intel.com/security-software-guidance/insights/processors-affected-load-value-injection -
tenpoku1000 revised this gist
Jan 28, 2020 . 1 changed file with 19 additions and 0 deletions.
@@ -126,3 +126,22 @@ mov命令なんて知らなかったなー、みたいな気持ちになる。 「@uchan_nos このせいで最近はFPU lazy context switchとかが 全然メリットにならないというかむしろ遅くなったりするんですよねえ」 / Twitter https://twitter.com/takehiro_t/status/1158335098564956160 ## (10) CVE-2020-0549 L1D Eviction Sampling CacheOut https://cacheoutattack.com/ L1D Eviction Sampling https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling Processors Affected: L1D Eviction Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-l1d-eviction-sampling ## (11) CVE-2020-0548 Vector Register Sampling Vector Register Sampling https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling Processors Affected: Vector Register Sampling https://software.intel.com/security-software-guidance/insights/processors-affected-vector-register-sampling -
tenpoku1000 revised this gist
Jan 20, 2020 . 1 changed file with 6 additions and 1 deletion.
@@ -31,7 +31,7 @@ https://techcommunity.microsoft.com/t5/windows-kernel-internals/mitigating-spect Deep Dive: Retpoline: A Branch Target Injection Mitigation https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigation ## (3) CVE-2017-5754 Variant 3 Meltdown:Rogue Data Cache Load Meltdown (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) @@ -42,6 +42,11 @@ https://en.wikipedia.org/wiki/Kernel_page-table_isolation KVA Shadow: Mitigating Meltdown on Windows - Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/ ## (3a) CVE-2018-3640 Variant 3a Rogue System Register Read Rogue System Register Read https://software.intel.com/security-software-guidance/software-guidance/rogue-system-register-read ## (4) CVE-2018-3639 Variant 4 Speculative Store Bypass Speculative Store Bypass -
tenpoku1000 revised this gist
Jan 19, 2020 . 1 changed file with 45 additions and 0 deletions.
@@ -76,3 +76,48 @@ https://software.intel.com/security-software-guidance/insights/deep-dive-intel-t Deep Dive: Intel Analysis of Speculative Behavior of SWAPGS and Segment Registers https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-speculative-behavior-swapgs-and-segment-registers ## (8) CVE-2019-0162 Spoiler Spoiler (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Spoiler_(security_vulnerability) More Information on Spoiler https://software.intel.com/security-software-guidance/insights/more-information-spoiler CPUの新たな脆弱性 SPOILERの論文を読む - FPGA開発日記 https://msyksphinz.hatenablog.com/entry/2019/03/11/040000 ## (9) CVE-2018-3665 Lazy FPU Save/Restore INTEL-SA-00145 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html Lazy FPU Save/Restore (CVE-2018-3665) - Red Hat Customer Portal https://access.redhat.com/ja/solutions/3489521 NetBSD 8.0がSpectre V2/V4、Meltdown、Lazy FPUの軽減などを提供 https://www.infoq.com/jp/news/2018/07/netbsd-8-released/ まさみさん⋈語りたいさんはTwitterを使っています: 「Linuxは3.7以降ならeagerfpu=onのブートパラメタで回避可能だし、 4.6以降はデフォルトでeagerfpu有効。 lazyfpuは殆どパフォーマンス的に意味がなかったらしい。 https://t.co/6BqBFDPYrt コミット。 https://t.co/amgTkvEo9d」 / Twitter https://twitter.com/mhiramat/status/1007528520208211970 Cyberus Technology - Intel LazyFP vulnerability: Exploiting lazy FPU state switching https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html x86/fpu: Hard-disable lazy FPU mode · torvalds/linux@ca6938a https://github.com/torvalds/linux/commit/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7#diff-6a01d6e7c8d7d23cfa48026e616275e8 うー@技術書典8Day1う31さんはTwitterを使っています: 「逆アセンブルして覗いてみると、AVXレジスタを用いた mov命令なんて知らなかったなー、みたいな気持ちになる。」 / Twitter https://twitter.com/uchan_nos/status/1158192868080513024 とみながたけひろさんはTwitterを使っています: 「@uchan_nos このせいで最近はFPU lazy context switchとかが 全然メリットにならないというかむしろ遅くなったりするんですよねえ」 / Twitter https://twitter.com/takehiro_t/status/1158335098564956160 -
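Review bot: The "x86/fpu: Hard-disable lazy FPU mode · torvalds/linux@ca6938a" entry under (9) links to the host github.com rather than github.com; point it at the canonical repository host so readers reach the upstream commit and can check the hash against the kernel tree. The same URL ends in a "#diff-..." fragment that selects one file in the rendered view; dropping the fragment leaves a link to the whole commit, which is what the title describes.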
tenpoku1000 created this gist
Jan 19, 2020 .
@@ -0,0 +1,78 @@ # 投機的実行サイドチャネルハードウェア脆弱性 ## 脆弱性対策として追加された CPUID/MSR Deep Dive: CPUID Enumeration and Architectural MSRs https://software.intel.com/security-software-guidance/insights/deep-dive-cpuid-enumeration-and-architectural-msrs Deep Dive: Indirect Branch Restricted Speculation https://software.intel.com/security-software-guidance/insights/deep-dive-indirect-branch-restricted-speculation Deep Dive: Single Thread Indirect Branch Predictors https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors Deep Dive: Indirect Branch Predictor Barrier https://software.intel.com/security-software-guidance/insights/deep-dive-indirect-branch-predictor-barrier ## (1) CVE-2017-5753 Variant 1 Bounds Check Bypass Deep Dive: Analyzing Potential Bounds Check Bypass Vulnerabilities https://software.intel.com/security-software-guidance/insights/deep-dive-analyzing-potential-bounds-check-bypass-vulnerabilities Spectre mitigations in MSVC | C++ Team Blog https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/ ## (2) CVE-2017-5715 Variant 2 Branch Target Injection Mitigating Spectre variant 2 with Retpoline on Windows - Microsoft Tech Community - 295618 https://techcommunity.microsoft.com/t5/windows-kernel-internals/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618 Deep Dive: Retpoline: A Branch Target Injection Mitigation https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigation ## (3) CVE-2017-5754 Variant 3 Meltdown:rogue data cache load Meltdown (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) Kernel page-table isolation - Wikipedia https://en.wikipedia.org/wiki/Kernel_page-table_isolation KVA Shadow: Mitigating Meltdown on Windows - Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/ ## (4) CVE-2018-3639 Variant 4 
Speculative Store Bypass Speculative Store Bypass https://software.intel.com/security-software-guidance/software-guidance/speculative-store-bypass Analysis and mitigation of speculative store bypass (CVE-2018-3639) - Microsoft Security Response Center https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/ ## (5) CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 L1 Terminal Fault Foreshadow (security vulnerability) - Wikipedia https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability) Deep Dive: Intel Analysis of L1 Terminal Fault | 01.org API https://software.intel.com/security-software-guidance/api-app/insights/deep-dive-intel-analysis-l1-terminal-fault ## (5) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling Microarchitectural Data Sampling - Wikipedia https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling Deep Dive: Intel Analysis of Microarchitectural Data Sampling https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling ## (6) CVE-2019-11135 Transactional Asynchronous Abort Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort ## (7) CVE-2019-1125 Spectre SWAPGS gadget vulnerability Deep Dive: Intel Analysis of Speculative Behavior of SWAPGS and Segment Registers https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-speculative-behavior-swapgs-and-segment-registers
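Review bot: Two headings carry the number (5): "## (5) CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 L1 Terminal Fault" and "## (5) CVE-2018-12126/CVE-2018-12127/CVE-2018-12130/CVE-2019-11091 Microarchitectural Data Sampling". Renumber the second to (6) and shift the sections after it, so a reference by section number is unambiguous. The (3) heading also writes "Meltdown:rogue data cache load" in lower case while the other headings use title case for the vulnerability name.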