All-Loads Mitigation: Compiler/assembler configuration that inserts an
LFENCE instruction after each instruction that performs a load. Replaces
RET and indirect
JMP instructions with an
LFENCE-protected instruction stream in developers' C/C++/assembly source code and linker configuration that selects the set of SDK-provided enclave libraries with the same mitigation.
App developer: Person who writes, debugs and executes the source code of a software application. Generally, developers are well versed in at least one programming language and proficient in the art of structuring and developing software code. Although the primary job role is writing code, a developer also may gather requirements for software, design or overall software architecture, software documentation and other related software development processes. Source
Application (app): Software designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user. Common examples include: word processor, spreadsheet, accounting program, web browser, a media player, game, and photo editor. The collective noun application software refers to all applications, which are distinguished from system software such as firmware and BIOS that are mainly involved with running the computer. Source
Bounds Check Bypass (Variant 1): Side Channel Cache Method that takes advantage of speculative execution after conditional branch instructions. Using this method, an attacker discovers or creates ‘confused deputy’ code, which allows them to use speculative operations to infer information not normally accessible. It uses speculative operations occurring while the processor is checking whether an input is in bounds (for example, if the index of an array being read is within acceptable values) and takes advantage of memory accesses to out of bound memory performed speculatively before the bounds check resolves. These memory accesses can be used in certain circumstances to leak information to the attacker. If the attacker can identify and exploit an appropriate ‘confused deputy’ in a more privileged level, the attacker may deduce the contents of memory accessible to that deputy.
Bare Metal: Computer or system containing essential hardware components, (processors, motherboards, hard disks and network cards) but without a base operating system (OS) or installed applications. A computer's hardware assembly, structure and components installed with firmware or basic input/output system (BIOS) software utility or no software at all. Source
Bounds Check Bypass Store: Variant of the Bounds Check Bypass (variant 1) security issue that uses speculative stores to overwrite younger speculative loads in a way that creates a side channel controlled by a malicious actor.
Branch Target Injection (Variant 2): Side Channel Cache Method that takes advantage of indirect branch predictors inside the processor that direct what operations are speculatively executed. By influencing how indirect branch predictors operate, an attacker can cause malicious code to be speculatively executed and then infer data values. For conditional direct branches, there are two options: the target of the branch or the fall-through path of instructions directly subsequent to the branch. Indirect branches, can cause speculative execution of code at a wider set of targets. This method works by causing an indirect branch to speculatively execute a ‘gadget’ which creates a side channel based on sensitive data available to the victim.
Browser: Software application with a graphical user interface for displaying HTML files, used to access information and navigate the World Wide Web.
Buffer overwrite: Methods to mitigate Microarchitectural Data Sampling (MDS) vulnerabilities by clearing store buffers, fill buffers, and load ports before transitioning to possibly less-privileged execution entities. The two methods to overwrite buffers are
MD_CLEAR functionality and software sequences.
Channel: A channel is any medium in a computing system that may transmit or signal information, be it legitimately or incidentally. Channels in the context of computing systems are of two sorts: legitimate channels are those intended by system designers for the transmission of information, and all other channels are incidental channels.
Cloud Service Provider (CSP): Third-party company that delivers cloud computing-based services and solutions to businesses and/or individuals. This company may offer rented and provider-managed virtual hardware, software, infrastructure, platform and storage as a service options. Source
Confused Deputy Code: Code which allows an attacker to use speculative operations to fool computer program into allowing access to information not normally accessible to the attacker.
Constant-Time Implementation: Legacy term for code that does not leak secret information through timing analysis. Constant-time implementations are one way to protect against timing attacks by making it so that variations in execution time are not correlated with secret data.
Context: A structure, instance, or object in software programming that contains minimal set of attributes, properties, or states that allows the system to execute or manage a defined set of operations or tasks. A context model is the physical scope of a system, which could include the user as well as the environment and other actors; a system context diagram represents the context graphically. Source
Control flow Enforcement Technology (CET): Future Intel® Security Technologies that will allow limiting near indirect jump and call instructions to only target
ENDBRANCH instructions. This feature can reduce the speculation allowed to non-
Control Flow Mitigation: Compiler/assembler configuration that replaces
RET and indirect
JMP instructions with an
LFENCE-protected instruction stream in developers' C/C++/assembly source code and linker configuration that selects the set of SDK-provided enclave libraries with the same mitigation.
Control-Flow Redirection Gadget: A Load Value Injection (LVI) attack method that uses LVI to redirect transient control flow to jump to other code inside a victim process that reads and transmits a secret.
Core Scheduling: Also known as group scheduling or gang scheduling. Algorithms for parallel compute systems that schedules related threads or processes to run simultaneously on the same physical processor cores. Used so that threads or processes from different users or privilege levels do not share system resources and cannot leak secret data to sibling threads or processes.
Covert channel: In the context of a security threat model, an incidental channel where an adversary controls both the input and output of that channel.
Cross-Domain Attack: A transient execution attack that requires an adversary to find a disclosure gadget in the victim’s domain which, when executed transiently, can access and transmit a secret over a covert channel. The transient access may violate either hardware- or software-enforced access controls. An example of a cross-domain attack is Branch Target Injection.
Data Oblivious: An algorithm, instruction or data structure is considered to be data-oblivious, or just oblivious, if its control flow and memory access pattern do not depend on its input data, giving it compelling applications in cryptography and security.
Decoded ICache: A microarchitectural structure to decode instructions coming out of the legacy decode pipeline and speed program execution. Also called Decoded Streaming Buffer (DSB).
Desktop: Primary user interface of a computer, displayed once the startup process is complete, typically including a background (or wallpaper) and icons of saved files and folders. Various operating systems include a task bar or menu bar with shortcuts to programs. Source
Disclosure Gadget: Collective term for any way an adversary can access a victim’s secret and transmit that secret over a covert channel.
Domain: A hardware protection domain (shortened to domain if the context is unambiguous) consists of code and data within a protection boundary that is defined by hardware-enforced access control mechanisms.
Domain-Bypass Attack: A transient execution attack in which an adversary executes transient instructions that circumvent hardware-based access controls, allowing access to secret data outside of the adversary’s domain. An example is Rogue Data Cache Load.
Enclave: A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclave-to-Enclave (E2E): A subvariant method of the L1 Terminal Fault (L1TF) side channel method. E2E may expose memory in one Intel® Software Guard Extensions (Intel® SGX) enclave to software that is running in a different Intel SGX enclave on the same core.
Execute Disable Bit: Hardware-based security feature that can help reduce system exposure to viruses and malicious code by allowing the processor to classify areas in memory where application code can or cannot execute, even speculatively.
Extended Page Tables: Intel's implementation of Second Level Address Translation (SLAT), also known as nested paging, which is used to more efficiently virtualize the memory of guest VMs.
Fill buffers: Microarchitectural structures that are temporary buffers between CPU caches.
Firmware Interface Table: A data structure located in the platform BIOS SPI flash. May contain pointers to one or more microcode updates.
Gather Data Sampling: Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers.
Hardware Protection Domain (Domain): Consists of code and data within a protection boundary that is defined by hardware-enforced access control mechanisms. Some examples include, privilege rings, page tables, and protection keys.
Hyperthreading: Officially Intel® Hyper-Threading Technology (Intel® HT Technology), hyperthreading is Intel proprietary simultaneous multithreading (SMT) implementation used to improve parallelization of computations (doing multiple tasks at once) performed on x86 microprocessors. For each physical processor core, the operating system addresses two logical processors and shares the workload between the logical processors when possible in order to increase the number of independent instructions in the pipeline.
In-Domain Attack: A Transient Execution Attack in which a sandboxed adversary can access a secret within the same domain by circumventing software-based access controls. An example of an in-domain attack is Bounds Check Bypass.
Incidental Channel: Anything that may transmit or signal information in a way not intended by system designers. Some examples include: Resource contention, the state of a CPU cache, and variations in power consumption.
Indirect Branch Predictor Barrier (IBPB): Side channel mitigation technique that ensures that earlier code’s behavior does not control later indirect branch predictions.
Indirect Branch Restricted Speculation (IBRS): Side channel mitigation technique that restricts speculation of indirect branches.
Induced Memory Access: In the context of Load Value Injection (LVI), Induced Memory Access attempts to manipulate a victim's pointer so that a using that pointer transiently signals a fault or assist.
Intel® Advanced Vector Extensions (Intel® AVX): Set of instructions for doing Single Instruction Multiple Data (SIMD) operations on Intel® architecture CPUs.
Intel® Advanced Vector Extensions 512 (Intel® AVX-512): Set of instructions with ultra-wide 512-bit vector operations capabilities, designed to accelerate performance for high-compute workloads.
Intel® OS Guard: Also known as Supervisor-Mode Execution Prevention (SMEP), a security technology that restricts the operating system from directly executing application code, even speculatively, thereby making branch target injection attacks on the OS substantially more difficult.
Intel® Secure Key: A digital random number generator located on the CPU that provides software applications with high quality pseudorandom numbers and random seeds. Software applications access this capability through the
Intel® Software Guard Extensions (Intel® SGX): Technology offering hardware-based memory encryption that isolates specific application code and data in memory; allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels.
Intel® Transactional Synchronization Extensions (Intel® TSX): An extension to the x86 instruction set architecture that adds hardware transactional memory support to improve performance of multi-threaded software.
L1 Terminal Fault (L1TF): A speculative execution side channel cache timing vulnerability that could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next. The three known L1TF variants target Intel® Software Guard Extensions (Intel® SGX), operating system and system management mode, and hypervisor software.
L1D Eviction Sampling: On some processors under certain microarchitectural conditions, data from the most recently evicted modified L1 data cache (L1D) line to be propagated into an unused (invalid) L1D fill buffer. On processors affected by Microarchitectural Data Sampling (MDS) or Transactional Asynchronous Abort (TAA), data from an L1D fill buffer may be inferred using one of these data sampling side channel methods. By combining these behaviors, it may be possible for a malicious actor to infer data values from modified cache lines that were previously evicted from the L1 data cache.
LLVM: Collection of modular, reusable compiler and toolchain technologies which can be used to develop a front end for any programming language and a back end for any instruction set architecture.
Load ports: Microarchitectural structures that are temporary buffers used when loading data into registers.
Load Value Injection (LVI): On some processors, faulting or assisting load operations may transiently receive data from a microarchitectural buffer. If a malicious actor can cause a specified victim load to fault, assist, or abort, data may be forwarded to dependent operations by the faulting/assisting/aborting load. For certain code sequences, those dependent operations may create a covert channel, allowing the malicious actor to infer data values. LVI is an example of a cross-domain transient execution attack.
Loads: Loads are operations that copy data from main memory into a register so the data is available to the CPUs execution engine.
Machine Check: A mechanism in Intel® processors that support machine check architecture by which the CPU can detect and report hardware errors to system software.
Machine Check Error: Erratum on some Intel® platforms that can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system.
Microarchitectural Data Sampling (MDS): A subclass of speculative execution side channel vulnerabilities that, under certain conditions, could allow a program to read data that the program otherwise would not be able to see. MDS techniques are based on sampling data leaked from small microarchitectural structures within the CPU using a locally executed speculative execution side channel.
Microarchitectural Data Sampling Uncacheable Memory (MDSUM): A Microarchitectural Data Sampling (MDS) technique where, on affected processors, load operations that fault or assist to uncacheable memory may still speculatively see the data value from those core or data accesses.
Microarchitectural Fill Buffer Data Sampling (MFBDS): A Microarchitectural Data Sampling (MDS) technique where, under certain conditions, the fill buffer may speculatively forward data to a faulting or assisting load operation.
Microarchitectural Load Port Data Sampling (MLPDS): A Microarchitectural Data Sampling (MDS) technique where stale load port data can be revealed to malicious actors in certain cases:
- A faulting/assisting vector (SSE/Intel® AVX/Intel® AVX-512) load that is more than 64 bits in size
- A faulting/assisting load which spans a 64-byte boundary
Microarchitectural Store Buffer Data Sampling (MSBDS): A Microarchitectural Data Sampling (MDS) technique where, under certain conditions, data from a store operation can be speculatively forwarded from the store buffer to a faulting or assisting load operation for a different memory address.
Multi-tenant: Architecture in which a single instance of software runs on a server and is shared between customers or tenants, groups of users who share common access with specific privileges to the software instance. Source
Non-universal Read Gadget: A method related to Load Value Injection that can allow a malicious actor to read non-arbitrary secret data from a victim application. A non-universal read gadget triggers microarchitectural data sampling in a victim application to leak secret that a preexisting portion of the victim code already loads or stores. The non-universal read gadget does not involve the attacker injecting data into the victim process. Also known as Load+Transmit.
Operating System (OS): Software that supports a computing device’s basic functions, such as scheduling tasks, executing applications, and controlling peripherals. It allows applications/programs to take advantage of common libraries and not worry about specific hardware details by managing resources, including input, output, network and storage devices. Source
Page Fault: Type of exception raised when a running program accesses a memory page that is not currently mapped by the memory management unit (MMU) into the virtual address space of a process.
Page Tables: Data structures in memory used to translate linear addresses to physical addresses. These translations happen on certain granularity, also known as the page size, because the translation of linear address to physical address stays the same for the entire page.
Predictor Mode: Describes the branch prediction privileges on Intel processors used to ensure that less privileged software cannot control use of the branch predictors by more privileged software. There are four predictor modes: host-supervisor, host-user, guest-supervisor, and guest-user. The guest predictor modes are considered less privileged than the host predictor modes. Similarly, the user predictor modes are considered less privileged than the supervisor predictor modes.
Private Cloud: Computing resources hosted on-premise, or in data centers owned by private hosting providers, on infrastructure dedicated to a single company/customer in a personal environment unique to that specific consumer. Source
Privilege: The delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.
Protected data: Protected data is data that is not readable by some piece of software in the system (for example, because the OS specifies an application should not be able to read it).
Protection Keys: Future Intel® Security Technologies that can help limit the data accessible to a piece of software, including the memory addresses that could be revealed by a branch target injection or bound check bypass attack.
Public Cloud: Computing resources hosted by a provider on infrastructure shared among multiple customers that offer servers, databases, and additional resources needed to run applications and websites in the “cloud.” Source
RDRAND: An instruction that retrieves a random value (16-, 32-, or 64-bits) determined by size of the destination register.
RDSEED: An instruction set similar to
RDRAND that retrieves a hardware-generated random seed value (16-, 32-, or 64-bits) from the on-CPU entropy source.
RDSEED can be concatenated together to form arbitrarily long random seed values that retain their full entropy.
Retpoline: Side channel mitigation technique, developed by Google, which introduces a “return trampoline” also known as a retpoline. In this mitigation, software essentially replaces indirect near jump and call instructions with a code sequence that includes pushing the target of the branch in question onto the stack and then executing a Return (
RET) instruction to jump to that location, as Return instructions can generally be protected using this method.
Rogue Data Cache Load (Variant 3): Side Channel Cache Method that involves an application (user) attacker directly probing kernel (supervisor) memory. Such an operation typically results in an error (page fault due to page table permissions), but it can be speculatively executed under certain conditions for certain implementations. This method only applies to regions of memory designated supervisor-only by the page tables; not memory designated as not present.
Rogue System Register Read (Variant 3a): Side Channel Cache Method that uses speculative execution of instructions that read system register state while the processor is operating at a mode/privilege level that does not architecturally allow the reading of that state. The set of system registers that can have their value inferred by this method is implementation-specific. Although these operations will architecturally fault or VM exit, in certain cases, they may return data accessible to subsequent instructions in the speculative execution path. These subsequent instructions can then create a side channel to infer the system register state.
Runtime: Specific version of an application distributed for limited use. These software releases may be called runtime programs because they offer a runtime environment without other features that allow for more permanent use. Source
Sandbox: Security mechanism that uses isolation to create a separate, restricted environment in which certain functions are prohibited and the execution, operation and processes of isolated software/code is not affected by other programs. The goal is to give enough access/ functionality while not exposing critical systems to potential risks. Source
Segment Register Writes: When converting an effective address into a linear address, the address generation hardware needs to know the base address and the limit of the applicable segment. When a segment register is written, these fields are cached within the processor in a microarchitectural structure called the segment register file.
Segment Registers: Registers are internal memory storage locations used to improve processor performance. Segment registers are specific areas defined in a program, specifically: Code Segment (CS), Data Segment (DS), and Stack Segment (SS) as well as an Extra Segment (ES). IA-32 architecture includes two additional segment registers (FS and GS) with no specific uses defined by hardware.
SGX EGETKEY: Instruction set that allows an Intel® Software Guard Extensions (Intel® SGX) enclave to get derivatives of device keys.
EGETKEY produces symmetric keys for different purposes depending on invoking enclave attributes and the requested key type.
Side Channel: In the context of a security threat model, an incidental channel where an adversary cannot exert control over the input and is only able to read the output of that channel.
Side Channel Cache Methods: Class of methods, such as those identified by Google Project Zero, through which the content of caches can be affected by speculative execution and potentially used to leak secret information. A cache timing side channel involves an agent detecting whether a piece of data is present in a specific level of the processor’s caches, where its presence may be used to infer some other piece of information.
Simultaneous Multithreading (SMT): A technique for improving the overall efficiency of superscalar CPUs with hardware multithreading by permitting multiple independent threads of execution to better utilize resources provided by modern processor architectures.
Single Thread Indirect Branch Predictors (STIBP): Side channel mitigation technique that prevents indirect branch predictions from being controlled by the sibling Hyperthread.
Single-Tenant: An architecture in which a single instance of a software application and supporting infrastructure (server) is dedicated to a single customer rather than shared among customers. Typically it’s hosted on a distinct physical (not virtualized) piece of hardware. Source
Snoop-assisted L1D Sampling: A domain-bypass transient execution attack variant where a malicious actor may be able to infer the data values of some modified cache lines in the L1 data cache (L1D) under a specific set of complex conditions involving a cache-coherence snoop to a modified cache line.
Special Register Buffer Data Sampling: A domain-bypass transient execution attack that may allow data values from special registers to be inferred by malicious code executing on any core of the CPU.
Special Register Read: An internal microarchitectural operation that allows certain processor operations (such as
RDRAND) to read data from outside the physical core (for example, from a random number generator shared between cores).
Speculative execution: Technique used by modern high performance processors to improve performance by executing instructions before knowing they are required. The most common form involves the control flow of a program. Instead of waiting for all branch instructions to resolve to determine which operations to execute, the processor predicts the control flow using highly sophisticated mechanisms. Usually the predictions are correct, which allows higher performance by hiding the latency of operations that determine the control flow and increasing the parallelism the processor can extract by having a larger pool of instructions to analyze. If a prediction is wrong, the work executed speculatively is discarded and the processor is redirected to execute the correct instruction path.
Speculative Store Bypass (Variant 4): Side Channel Cache Method that takes advantage of a performance feature present in many high-performance processors that allows loads to speculatively execute even if the address of a preceding, potentially overlapping store, is unknown. In such a case, this may allow a load to speculatively read a stale data value. The processor will eventually correct such cases, but an attacker may discover ‘confused deputy’ code, which might allow them to use speculative execution to reveal the value of memory that is not normally accessible to them.
Speculative Store Bypass Disable (SSBD): Mitigation technique for Speculative Store Bypass (Variant 4), which prevents a load from executing speculatively until the addresses of all older stores are known. This ensures that a load does not speculatively consume stale data values due to bypassing an older store on the same logical processor.
Stale registers: Stale registers are entries in the register file which hold old values of registers (values that were previously used).
Store buffers: Microarchitectural structures that are temporary buffers to hold store addresses and data.
Supervisor-Mode Access Prevention (SMAP): Intel® Security Technologies that can limit which memory addresses can be used for a cache based side channel, forcing an application attacking the kernel to use kernel memory space for the side channel. This makes it more difficult for an application to perform an attack on the kernel.
SWAPGS: Many operating systems (OSes) use the GS segment register to reference application and kernel data specific to a thread or processor.
SWAPGS is a privileged CPU instruction used to exchange application and kernel values of GS.
If operating systems that use
SWAPGS to switch the contents of the GS register on kernel entry have code paths that conditionally determine whether or not to execute the instruction and then also contain memory references offset from the register, those OSes may be vulnerable to malicious actors who can cause the
SWAPGS instruction to be speculatively executed or bypassed.
System Management Mode (SMM): An operating mode on x86 and x86-64 processors, intended for use by firmware/BIOS to perform low-level system management operations while an OS is running.
System Management Mode (SMM): An operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended. Sometimes called ring 2 in the context of protection rings.
Transient Execution: A sequence of transient instructions.
Transient Execution Attack: Exploits the microarchitectural side effects of transient execution, thus allowing a malicious adversary to access information that would ordinarily be prohibited by architectural access control mechanisms.
Transactional execution attacks are characterized by the relationship between the disclosure gadget and the victim/adversary domains: such attacks are called domain-bypass if the disclosure gadget is in the adversary’s domain, cross-domain if the disclosure gadget is in the victim’s domain, or in-domain if the disclosure gadget is in an adversary-controlled sandbox within the victim’s domain.
Transient Instruction: An instruction that is executed speculatively along a mispredicted path; transient instructions are invalid and must be squashed, meaning that their results are not committed to the architectural program state.
Translation Lookaside Buffer (TLB): A hardware structure used by the processor to cache resolved translations from linear addresses to physical addresses in order to save the performance cost of walking through the page tables on each linear memory access within the same page.
TSX Asynchronous Abort: When an Intel TSX memory transaction is aborted, (synchronously or asynchronously), earlier memory writes inside the transaction are rolled back to the state before the transaction started. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. Similar to microarchitectural data sampling, this may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.
Universal Read Gadget: A Load Value Injection (LVI) method that involves using LVI in conjunction with preexisting patterns in the victim code, allowing a malicious actor to select values in the victim's memory to infer.
Untrusted data: Data that is controlled by the user and can be manipulated before it gets to the server. Source
Vector Register Sampling: A speculative execution side channel variant that may allow the partial data values of some vector operations to be inferred under a specific set of complex conditions that include vector operations executing after a period of vector inactivity.
Vector Registers: Storage areas in a CPU core that contain the operands and results for vector computations. Note that these registers may also hold temporary values used by non-vector operations.
Virtual Machine: Software that exhibits behavior and performs tasks of a separate computing device or system, implemented through software emulation or hardware virtualization techniques. The virtual instance, known as a guest, is created within a host computing environment. Multiple VMs can exist within a single host at one time. Virtual machines are often created to perform tasks that are different than tasks performed in a host environment. Source
Virtual Machine Monitor: Primary software behind virtualized environments and implementations. This software creates and manages virtual machines (VM) and manages operation of virtualized environments on physical hosts. When installed over a host machine, it facilitates creation of VMs, each with separate operating systems (OS) and applications. VMM manages backend operation by allocating needed resources. They also provide a centralized interface for managing the entire operation, status and availability of VMs installed over a single host or spread across different and interconnected hosts.
Related terms: virtual machine manager, hypervisor
Web developer: Programmer specializing or specifically engaged in development of World Wide Web applications or applications that are run over HTTP from a web server to a web browser.
Zero-at-ret: Hardware behavior that forwards values of zero from faulting loads to dependent instructions only when the load is ready to retire.
Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources