SWAPGS Side Channel Attack


sergei....@gmail.com

Aug 9, 2019, 5:04:32 PM
to qubes-users
Is Qubes affected by the SWAPGS attack?
I haven’t found a statement or Security Advisory from Xen. But it seems Xen still hasn’t even fixed the original Spectre v1 yet:
https://xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
At the time of original Spectre, v1 was deemed very hard to exploit on Xen, but new variants of v1 like v1.1 and SWAPGS may invalidate that hypothesis.

Lorenzo Lamas

Sep 3, 2019, 10:40:19 AM
to qubes-users
Is anyone from Qubes team reading this?

awokd

Sep 6, 2019, 7:31:32 AM
to qubes...@googlegroups.com
Lorenzo Lamas:
> Is anyone from Qubes team reading this?
>
ADW and unman are pretty active in this list, but the original question
might be better suited for qubes-devel.

Andrew David Wong

Sep 7, 2019, 2:45:52 AM
to qubes...@googlegroups.com
The Qubes Security Team is preparing an answer to this question.
Please stand by.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Lorenzo Lamas

Sep 7, 2019, 10:52:39 AM
to qubes-users
Thanks for taking the time to reply! I'll await news from the Qubes Security Team.

Simon Gaiser

Sep 9, 2019, 10:42:45 AM
to sergei....@gmail.com, qubes-users, Marek Marczykowski-Górecki, Andrew David Wong
sergei....@gmail.com:
> Is Qubes affected by the SWAPGS attack?

From the Bitdefender "white paper" [1] (They reported this vuln.):

"A quick analysis of the Hyper-V kernel and of the Xen hypervisor kernel
revealed that the SWAPGS instruction is not used, so exploitation is
impossible."

[1]: https://businessresources.bitdefender.com/hubfs/noindex/Bitdefender-WhitePaper-SWAPGS.pdf
For Spectre variant 1 my understanding is that they are not aware of an
exploitable code path in Xen. But they are working on hardening. For
example grep the commit log for array_index_nospec or see [2] for an
arbitrary example where they discuss this during review.

In the long run I hope there will be some compiler assisted technique
instead of manual review, which likely misses cases. But something like
this is not in place currently. See [3] for a description of the
non-public gcc plugin from grsecurity which implements this approach.

[2]: https://lists.xenproject.org/archives/html/xen-devel/2018-07/msg00982.html
[3]: https://grsecurity.net/respectre_announce.php

Simon


Simon Gaiser

Sep 9, 2019, 10:45:44 AM
to sergei....@gmail.com, qubes-users, Marek Marczykowski-Górecki, Andrew David Wong

[Now with Inline-PGP such that google group doesn't break the signature]

sergei....@gmail.com:
> Is Qubes affected by the SWAPGS attack?

From the Bitdefender "white paper" [1] (They reported this vuln.):

"A quick analysis of the Hyper-V kernel and of the Xen hypervisor kernel
revealed that the SWAPGS instruction is not used, so exploitation is
impossible."

[1]: https://businessresources.bitdefender.com/hubfs/noindex/Bitdefender-WhitePaper-SWAPGS.pdf

For Spectre variant 1 my understanding is that they are not aware of an
exploitable code path in Xen. But they are working on hardening. For
example grep the commit log for array_index_nospec or see [2] for an
arbitrary example where they discuss this during review.

In the long run I hope there will be some compiler assisted technique
instead of manual review, which likely misses cases. But something like
this is not in place currently. See [3] for a description of the
non-public gcc plugin from grsecurity which implements this approach.

[2]: https://lists.xenproject.org/archives/html/xen-devel/2018-07/msg00982.html
[3]: https://grsecurity.net/respectre_announce.php

Simon


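As an added illustration of the array_index_nospec hardening Simon points to (in both copies of his message above), and not code from Xen, Linux or anyone in this thread: the Spectre v1 gadget shape (a bounds check followed by a dependent array load) beside the same lookup with a branchless index clamp, which is the construction Linux's and Xen's array_index_nospec helpers use. The table, the function names and the index values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table standing in for a kernel/hypervisor array
 * that an untrusted index (from a guest or user) selects into. */
#define TABLE_SIZE 8
static const uint32_t table[TABLE_SIZE] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Branchless mask: all ones when index < size, zero otherwise.
 * Same idea as the generic array_index_mask_nospec() in Linux/Xen, but
 * written with unsigned arithmetic so it does not rely on an arithmetic
 * right shift. Assumes 0 < size <= SIZE_MAX / 2. */
static inline size_t nospec_mask(size_t index, size_t size)
{
    /* Top bit of (index | (size - 1 - index)) is set exactly when
     * index >= size (the subtraction wraps) or index itself is huge. */
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return 0 - (oob ^ 1);      /* in bounds: 0 - 1 = ~0; out of bounds: 0 */
}

/* Clamp index into [0, size) with no data-dependent branch, so there is
 * nothing for the CPU to mispredict between the check and the load. */
static inline size_t array_index_nospec_example(size_t index, size_t size)
{
    return index & nospec_mask(index, size);
}

/* Spectre v1 gadget shape: the branch can be mispredicted and table[index]
 * read speculatively with an out-of-bounds index. */
uint32_t lookup_unhardened(size_t index)
{
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Hardened form: after the architectural check the index is also clamped,
 * so even a mispredicted path loads from inside the array. */
uint32_t lookup_hardened(size_t index)
{
    if (index < TABLE_SIZE) {
        index = array_index_nospec_example(index, TABLE_SIZE);
        return table[index];
    }
    return 0;
}
```

Architecturally both lookups behave identically; the difference only matters on the speculative path, which is why such sites are hard to find by review alone.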

Andrew David Wong

Sep 10, 2019, 12:03:58 AM
to Simon Gaiser, qubes-users

On 2019-09-09 9:45 AM, Simon Gaiser wrote:
> [Now with Inline-PGP such that google group doesn't break the signature]
>
> sergei....@gmail.com:
>> Is Qubes affected by the SWAPGS attack?
>
> From the Bitdefender "white paper" [1] (They reported this vuln.):
>
> "A quick analysis of the Hyper-V kernel and of the Xen hypervisor kernel
> revealed that the SWAPGS instruction is not used, so exploitation is
> impossible."
>
> [1]: https://businessresources.bitdefender.com/hubfs/noindex/Bitdefender-WhitePaper-SWAPGS.pdf
>
>> I haven’t found a statement or Security Advisory from Xen. But it
>> seems Xen still hasn’t even fixed the original Spectre v1 yet:
>> https://xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
>> At the time of original Spectre, v1 was deemed very hard to exploit on
>> Xen, but new variants of v1 like v1.1 and SWAPGS may invalidate that
>> hypothesis.
>
> For Spectre variant 1 my understanding is that they are not aware of an
> exploitable code path in Xen. But they are working on hardening. For
> example grep the commit log for array_index_nospec or see [2] for an
> arbitrary example where they discuss this during review.
>
> In the long run I hope there will be some compiler assisted technique
> instead of manual review, which likely misses cases. But something like
> this is not in place currently. See [3] for a description of the
> non-public gcc plugin from grsecurity which implements this approach.
>
> [2]: https://lists.xenproject.org/archives/html/xen-devel/2018-07/msg00982.html
> [3]: https://grsecurity.net/respectre_announce.php
>
> Simon
>

Thanks for the informative reply, Simon!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Lorenzo Lamas

Sep 11, 2019, 11:50:52 AM
to qubes-users
Thank you Simon for the informative reply. Good to hear there is some progress on Spectre variant 1. I hope something similar to Respectre will be available in the future.