Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

This is for discussing general topics about how to use VirtualBox.
Petr Vones
Posts: 89
Joined: 27. Dec 2012, 01:20
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit
Location: Czech Republic

Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

Hello,

is there any information of possible impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization? While the first one can be fixed but has (serious?) performance penalty, the second one is almost beyond repair. According wikipedia, "Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it". There was similar issue lately with DLL injection that has been fixed by the exe loader hardening. Now it seems there is similar issue again.

As for performace, if both host and guest applies those "slowing down" Meltdown patches, the real performance penalty might be noticeable and annoying.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

If you were in the developer's mailing list, you would have noticed the following:
We are aware of the (so far only) rumors but don’t know anything beyond what is available on the public sources which all copy from each other. The original source seems to be http://pythonsweetness.tumblr.com/post/ ... page-table
Because there are no details so far we can’t say whether VirtualBox is affected in any way.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Petr Vones
Posts: 89
Joined: 27. Dec 2012, 01:20
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit
Location: Czech Republic

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

Thanks to the link. Interesting reading, especially the part about new evolution of DRAM Rowhammer bug. It looks like 2018 will bring a lot of surprises :?

As for performance hints, Microsoft patches are already available (at least on Microsoft Update Catalog download) so everyone can test the impact now.
VBTech88
Posts: 2
Joined: 8. Dec 2017, 17:08

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by VBTech88 »

I am running a Windows 10 Pro guest on a Windows 10 Pro host. The host system is fully patched for Meltdown and Spectre, but even though I installed KB4056892 on the guest OS, it shows as still vulnerable. Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
Windows 10 Pro (Build 16299) Host with KB4056892 Installed - Meltdown and Spectre show as fully patched.
Windows 10 Pro (Build 16299) Host with KB4056892 Installed - Meltdown and Spectre show as fully patched.
Windows 10 Pro (Build 16299) Host with KB4056892 Installed.png (22.3 KiB) Viewed 16149 times
Windows 10 Pro (Build 16299) Guest with KB4056892 Installed - Meltdown and Spectre show as NOT fully patched.
Windows 10 Pro (Build 16299) Guest with KB4056892 Installed - Meltdown and Spectre show as NOT fully patched.
Windows 10 Pro (Build 16299) Guest with KB4056892 Installed.png (32.57 KiB) Viewed 16149 times
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

VBTech88 wrote:Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
Not without changes to VirtualBox, obviously. The approach Intel has taken involves a set of new CPUID bits and MSRs, and those have to be explicitly supported by the hypervisor for the guest to see them.
cremor
Posts: 41
Joined: 16. Oct 2013, 11:37

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by cremor »

I really hope VirtualBox implements both of those features as quickly as possible.
Passing the new hardware (microcode) capabilites of updated host systems to the guest OS is important for security. If not present the guest OS won't activate the Spectre variant 2 (branch target injection) fixes.
Passing the (not new) process context identifiers (PCID) feature to the guest is a performance optimization for Meltdown (rogue data cache load) when the host is running on any recent Intel CPU (fourth-generation Core and newer).

Here is some more information about the PCID optimization and how it impacts performance:
https://archive.fo/ma8Iw
https://patchwork.kernel.org/patch/10035481/
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

cremor wrote:I really hope VirtualBox implements both of those features as quickly as possible.
Patches are always welcome if it's that crucial ;)
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Rodrigo Gomes
Posts: 29
Joined: 19. Jul 2016, 13:19

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Rodrigo Gomes »

Anything new in this subject by VirtualBox?
I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

I read this just today, and I really liked it:
Just because you're paranoid doesn't mean they aren't after you.
- Joseph Heller, Catch-22
Do the attackers (who don't exist yet in the wild) have "local" access to the VMs (which is required for the flaw to be exploited) ? Also, do you know that this affects VirtualBox? VirtualBox doesn't do any kernel level jobs, not the kind that's affected in any event. I don't know if it does affect VirtualBox for sure, do you?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by mpack »

I would think that "Meltdown" does potentially affect a VM because of course code runs natively on the host CPU. Therefore a cache attack is theoretically possible, except of course that no malware yet known is capable of exploiting the bug - and I expect it would be even harder to get the timing right in a VM.
cremor
Posts: 41
Joined: 16. Oct 2013, 11:37

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by cremor »

According to https://access.redhat.com/articles/3311301 Spectre also affects VMs. Quote:
CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
Petr Vones
Posts: 89
Joined: 27. Dec 2012, 01:20
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit
Location: Czech Republic

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

As for the Intel Spectre CPU microcode updates, Lenovo has to witdrawn it due to a quality issues (BSODs, system hangs). More information on that link, Withdrawn CPU Microcode Update paragraph. I suppose it affects all machines, not just Lenovo ones.

It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

Rodrigo Gomes wrote:Anything new in this subject by VirtualBox?
At this point I'd suggest waiting for the next Oracle CPU (January 16th).
I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
You should be worried. There is an unknown number of existing vulnerabilities that have, just like Spectre/Meltdown, been hiding for decades. And in the end we'll all die.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

Petr Vones wrote:It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
The problem with Spectre/Meltdown is that it abuses the design (Spectre) of practically all modern CPU hardware, or Intel's mis-design in the case of Meltdown. The real fix is to go back to the Pentium MMX, but that's also extremely costly and certainly not doable on short notice.

The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice. Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago, and it's not even available at all for older CPUs. Similarly OS updates only turned up in the last few days, so the full impact on the ecosystem isn't even known.
jonha
Posts: 33
Joined: 31. Jul 2015, 19:09

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by jonha »

michaln wrote:The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice.
Well... apparently the first information about Meltdown/Spectre trickled down to Intel, AMD etc sometime in June 2017. I fully see that analysis of the problems, establishing viable routes to mitigating or resolving these abuses and bugs etc etc takes a lot of time. However. short notice still sounds a bit rich, I'd say, if you look at the way Intel and others have rushed out microcode updates (and these only for some CPUs!) that seem not very well tested, to say the least. Either they have been sleepwalking into this or they are criminally negligent. Probably both.
michaln wrote:Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago
Not only that. The incredibly high number of possible variations in hard- and software on billions of target machines must make this into the worst update nightmare for decades. And, as you wrote in another post, who know what lurks under the surface.
Post Reply