Microarchitectural Data Sampling on Chrome OS
(CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)
Microarchitectural Data Sampling (MDS) is a group of vulnerabilities that allow an attacker to potentially read sensitive data. If Chrome processes are attacked, this sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or by an Android app to read privileged process memory (e.g. keymaster). See below for affected devices.
Chrome OS Response
To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.
Users concerned about the performance loss, such as those running CPU-intensive workloads, may enable Hyper-Threading on a per-machine basis. The setting is located at chrome://flags#scheduler-configuration. The "performance" setting chooses the configuration that enables Hyper-Threading; the "conservative" setting chooses the configuration that disables Hyper-Threading.
Enterprises who wish to set Hyper-Threading policy organizationally may use the enterprise policy named "SchedulerConfiguration".
The decision to disable or enable Hyper-Threading is a security versus performance tradeoff. With Hyper-Threading disabled, Intel CPUs may experience reduced performance, which varies depending on the workload. With Hyper-Threading enabled, users could execute code, such as by visiting a website or running an Android app, that exploits MDS to read sensitive memory contents.
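The tradeoff above is easiest to audit from the device itself. The following POSIX shell script is an added example and is not part of the Chrome OS advisory or of Chrome OS; it reads the two standard Linux sysfs files that current kernels expose for this purpose (/sys/devices/system/cpu/smt/active and /sys/devices/system/cpu/vulnerabilities/mds) and combines them into a single exposure verdict. The function names and verdict labels are this example's own; the file paths are parameters so the logic can be exercised against constructed inputs, with the real sysfs locations as defaults.

```shell
#!/bin/sh
# Added example (not from the Chrome OS advisory): report whether
# Hyper-Threading (SMT) is active and what the kernel says about MDS,
# then combine both into one verdict. Paths are parameters so the
# functions can be tested against constructed files; the defaults are
# the real Linux sysfs locations that Chrome OS kernels expose.

# Prints the first line of a file, or nothing if it is unreadable.
read_first_line() {
  if [ -r "$1" ]; then head -n 1 "$1"; fi
}

# Classifies the kernel's MDS status string.
# Output: not_affected | mitigated | vulnerable | unknown
mds_class() {
  status="$(read_first_line "${1:-/sys/devices/system/cpu/vulnerabilities/mds}")"
  case "$status" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Returns 0 when the kernel reports SMT as active, 1 otherwise
# (including when the file is missing, which is treated as "not active").
smt_active() {
  [ "$(read_first_line "${1:-/sys/devices/system/cpu/smt/active}")" = "1" ]
}

# Combines both readings into an exposure verdict. The labels are this
# example's own. An affected CPU with Hyper-Threading enabled remains
# exposed to cross-thread MDS leakage even when buffer clearing is on,
# which is the tradeoff the advisory describes.
# Output: not_affected | ht_enabled_exposed | ht_disabled_mitigated
#         | ht_disabled_unpatched | unknown
mds_verdict() {
  smt_file="$1"
  mds_file="$2"
  cls="$(mds_class "$mds_file")"
  case "$cls" in
    not_affected) echo not_affected; return ;;
    unknown)      echo unknown; return ;;
  esac
  if smt_active "$smt_file"; then
    echo ht_enabled_exposed
  elif [ "$cls" = mitigated ]; then
    echo ht_disabled_mitigated
  else
    echo ht_disabled_unpatched
  fi
}

# Stand-alone use on a live device: `sh mds_check.sh --live`
if [ "${1:-}" = "--live" ]; then
  smt=/sys/devices/system/cpu/smt/active
  mds=/sys/devices/system/cpu/vulnerabilities/mds
  printf 'SMT active : %s\n' "$(read_first_line "$smt")"
  printf 'MDS status : %s\n' "$(read_first_line "$mds")"
  printf 'Verdict    : %s\n' "$(mds_verdict "$smt" "$mds")"
fi
```

On a Chrome OS 74 device with the default "conservative" configuration the verdict should be ht_disabled_mitigated once the kernel mitigation is present; switching the flag to "performance" changes it to ht_enabled_exposed, which is exactly the state the advisory asks sensitive-data users to avoid.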
As of May 14th, 2019, Google is not aware of any active exploitation of the MDS vulnerabilities. Users and customers who process particularly sensitive data on their Chrome OS devices are nonetheless advised to disable Hyper-Threading as a measure of caution.
Microarchitectural Data Sampling (MDS) refers to a set of speculative execution side-channel vulnerabilities which potentially allow results from previous execution on a core to be observed across security boundaries via microarchitectural state, on certain Intel CPUs. They are described in Intel's announcement, and referred to as MSBDS/CVE-2018-12126, MLPDS/CVE-2018-12127, MFBDS/CVE-2018-12130, and MDSUM/CVE-2019-11091. See below for more details.
Microarchitectural Store Buffer Data Sampling (MSBDS) and Microarchitectural Fill Buffer Data Sampling (MFBDS)
(CVE-2018-12126 and CVE-2018-12130 respectively)
Intel CPUs use microarchitectural data structures known as the fill buffer and the store buffer. The fill buffer contains loaded data pending insertion into the L1 cache. The store buffer contains stored data pending write to the memory subsystem. Concurrently executing threads on the same physical CPU core may read the contents of prior entries in these buffers by observing timing side channels on speculatively executed loads.
Microarchitectural Load Port Data Sampling (MLPDS)
(CVE-2018-12127)
Load ports are used by the CPU to perform load operations from memory or I/O. The bus in the load ports may retain data from old operations, allowing one process to leak data from another process through speculative execution side channels.
Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
(CVE-2019-11091)
Uncacheable memory (UC) is read from RAM without filling the CPU’s cache with a new line. However, uncacheable memory still moves through the store buffers, fill buffers, and load ports, so data stored in UC regions can still be leaked via the mechanisms described above.
Chrome OS devices with affected Intel CPUs, supported as of May 14th, 2019, are as follows:
AOpen Chromebase Commercial
AOpen Chromebox Commercial
ASI Chromebook
ASUS Chromebook C200MA
ASUS Chromebook C300MA
ASUS Chromebook Flip C302
ASUS Chromebox 3
ASUS Chromebox CN60
ASUS Chromebox CN62
Acer C720 Chromebook
Acer Chromebase 24
Acer Chromebook 11 (C740)
Acer Chromebook 11 (C771 / C771T)
Acer Chromebook 13 (CB713-1W)
Acer Chromebook 15 (C910 / CB5-571)
Acer Chromebook 15 (CB3-531)
Acer Chromebook Spin 13 (CP713-1WN)
Acer Chromebox
Acer Chromebox CXI2
Acer Chromebox CXI3
Bobicus Chromebook 11
CTL Chromebox CBx1
CTL N6 Education Chromebook
Chromebook 11 (C730 / CB3-111)
Chromebook 11 (C735)
Chromebook 14 for work (CP5-471)
Chromebox Reference
Consumer Chromebook
Crambo Chromebook
Dell Chromebook 11
Dell Chromebook 11 (3120)
Dell Chromebook 13 3380
Dell Chromebook 13 7310
Dell Chromebox
Dell Inspiron Chromebook 14 2-in-1 7486
Education Chromebook
eduGear Chromebook R
Edxis Chromebook
Edxis Education Chromebook
Google Chromebook Pixel (2015)
Google Pixelbook
HEXA Chromebook Pi
HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
HP Chromebook 13 G1
HP Chromebook 14
HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
HP Chromebook x2
HP Chromebook x360 14
HP Chromebox CB1-(000-099) / HP Chromebox G1 / HP Chromebox for Meetings
HP Chromebox G2
Haier Chromebook 11 G2
JP Sa Couto Chromebook
LG Chromebase 22CB25S
LG Chromebase 22CV241
Lenovo 100S Chromebook
Lenovo N20 Chromebook
Lenovo N21 Chromebook
Lenovo ThinkCentre Chromebox
Lenovo ThinkPad 11e Chromebook
Lenovo Thinkpad X131e Chromebook
M&A Chromebook
Pixel Slate
RGS Education Chromebook
Samsung Chromebook 2 11 - XE500C12
Samsung Chromebook Plus (LTE)
Samsung Chromebook Plus (V2)
Samsung Chromebook Pro
Senkatel C1101 Chromebook
Thinkpad 13 Chromebook
Toshiba Chromebook
Toshiba Chromebook 2
Toshiba Chromebook 2 (2015 Edition)
True IDC Chromebook
Videonet Chromebook
ViewSonic NMP660 Chromebox
Yoga C630 Chromebook