| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="buffer-overwriting-mitigation">
|
|---|
| 4 | <title>Buffer Overwriting and Disabling Hyper-Threading</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>
|
|---|
| 8 | First, up to date CPU microcode is a prerequisite for the
|
|---|
| 9 | buffer overwriting (clearing) mitigations. Some host OSes may
|
|---|
| 10 | install these automatically, though it has traditionally been
|
|---|
| 11 | a task best performed by the system firmware. Please check
|
|---|
| 12 | with your system or mainboard manufacturer for the latest
|
|---|
| 13 | firmware update.
|
|---|
| 14 | </p>
|
|---|
| 15 | <p>
|
|---|
| 16 | This mitigation aims at removing potentially sensitive data
|
|---|
| 17 | from the affected buffers before running guest code. Since
|
|---|
| 18 | this means additional work each time the guest is scheduled,
|
|---|
| 19 | there might be some performance side effects.
|
|---|
| 20 | </p>
|
|---|
| 21 | <p>
|
|---|
| 22 | We recommend disabling hyper-threading (HT) on hosts affected
|
|---|
| 23 | by CVE-2018-12126 and CVE-2018-12127, because the affected
|
|---|
| 24 | sets of buffers are normally shared between thread pairs and
|
|---|
| 25 | therefore cause leaks between the threads. This is
|
|---|
| 26 | traditionally done from the firmware setup, but some OSes also
|
|---|
| 27 | offers ways disable HT. In some cases it may be disabled by
|
|---|
| 28 | default, but please verify as the effectiveness of the
|
|---|
| 29 | mitigation depends on it.
|
|---|
| 30 | </p>
|
|---|
| 31 | <p>
|
|---|
| 32 | The default action taken by Oracle VM VirtualBox is to clear the
|
|---|
| 33 | affected buffers when a thread is scheduled to execute guest
|
|---|
| 34 | code, rather than on each VM entry. This reduces the
|
|---|
| 35 | performance impact, while making the assumption that the host
|
|---|
| 36 | OS will not handle security sensitive data from interrupt
|
|---|
| 37 | handlers and similar without taking precautions.
|
|---|
| 38 | </p>
|
|---|
| 39 | <p>
|
|---|
| 40 | The <userinput>VBoxManage modifyvm</userinput> command provides a
|
|---|
| 41 | more aggressive flushing option is provided by means of the
|
|---|
| 42 | <codeph>--mds-clear-on-vm-entry</codeph> option. When enabled
|
|---|
| 43 | the affected buffers will be cleared on every VM entry. The
|
|---|
| 44 | performance impact is greater than with the default option,
|
|---|
| 45 | though this of course depends on the workload. Workloads
|
|---|
| 46 | producing a lot of VM exits (like networking, VGA access, and
|
|---|
| 47 | similiar) will probably be most impacted.
|
|---|
| 48 | </p>
|
|---|
| 49 | <p>
|
|---|
| 50 | For users not concerned by this security issue, the default
|
|---|
| 51 | mitigation can be disabled using the <userinput>VBoxManage
|
|---|
| 52 | modifyvm name --mds-clear-on-sched off</userinput> command.
|
|---|
| 53 | </p>
|
|---|
| 54 | </body>
|
|---|
| 55 |
|
|---|
| 56 | </topic>
|
|---|
