Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Petr Vones
Posts: 89
Joined: 27. Dec 2012, 01:20
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 10 64-bit
Location: Czech Republic

Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

Hello,

is there any information on the possible impact of the Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization? While the first one can be fixed but has a (serious?) performance penalty, the second one is almost beyond repair. According to Wikipedia, "Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it". There was a similar issue lately with DLL injection that has been fixed by the exe loader hardening. Now it seems there is a similar issue again.

As for performance, if both host and guest apply those "slowing down" Meltdown patches, the real performance penalty might be noticeable and annoying.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

If you were in the developer's mailing list, you would have noticed the following:
We are aware of the (so far only) rumors but don’t know anything beyond what is available on the public sources which all copy from each other. The original source seems to be http://pythonsweetness.tumblr.com/post/ ... page-table
Because there are no details so far we can’t say whether VirtualBox is affected in any way.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

Thanks for the link. Interesting reading, especially the part about the new evolution of the DRAM Rowhammer bug. It looks like 2018 will bring a lot of surprises :?

As for performance hints, Microsoft patches are already available (at least on Microsoft Update Catalog download) so everyone can test the impact now.
VBTech88
Posts: 2
Joined: 8. Dec 2017, 17:08

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by VBTech88 »

I am running a Windows 10 Pro guest on a Windows 10 Pro host. The host system is fully patched for Meltdown and Spectre, but even though I installed KB4056892 on the guest OS, it shows as still vulnerable. Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
[Screenshot: Windows 10 Pro (Build 16299) Host with KB4056892 Installed - Meltdown and Spectre show as fully patched.]
[Screenshot: Windows 10 Pro (Build 16299) Guest with KB4056892 Installed - Meltdown and Spectre show as NOT fully patched.]
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Any and all

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

VBTech88 wrote: Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
Not without changes to VirtualBox, obviously. The approach Intel has taken involves a set of new CPUID bits and MSRs, and those have to be explicitly supported by the hypervisor for the guest to see them.
cremor
Posts: 41
Joined: 16. Oct 2013, 11:37

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by cremor »

I really hope VirtualBox implements both of those features as quickly as possible.
Passing the new hardware (microcode) capabilities of updated host systems to the guest OS is important for security. If not present, the guest OS won't activate the Spectre variant 2 (branch target injection) fixes.
Passing the (not new) process context identifiers (PCID) feature to the guest is a performance optimization for Meltdown (rogue data cache load) when the host is running on any recent Intel CPU (fourth-generation Core and newer).

Here is some more information about the PCID optimization and how it impacts performance:
https://archive.fo/ma8Iw
https://patchwork.kernel.org/patch/10035481/
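
An added example, not part of any post in this thread and not VirtualBox code: a C program that decodes the CPUID bits behind the two features discussed above (PCID, and the Intel-enumerated IBRS/IBPB, STIBP and IA32_ARCH_CAPABILITIES bits). Run it on the host and inside the guest; passing both results to `hidden_from_guest` shows which bits the hypervisor does not pass through. All function and macro names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Example-local flag names; bit positions are Intel's CPUID enumeration. */
#define F_PCID      (1u << 0) /* CPUID.01H:ECX[17] */
#define F_INVPCID   (1u << 1) /* CPUID.(EAX=07H,ECX=0):EBX[10] */
#define F_IBRS_IBPB (1u << 2) /* ...:EDX[26], IA32_SPEC_CTRL and IA32_PRED_CMD MSRs */
#define F_STIBP     (1u << 3) /* ...:EDX[27] */
#define F_ARCH_CAP  (1u << 4) /* ...:EDX[29], IA32_ARCH_CAPABILITIES MSR */

/* Map raw CPUID register values to the flags above. */
unsigned decode_features(uint32_t leaf1_ecx, uint32_t leaf7_ebx, uint32_t leaf7_edx)
{
    unsigned f = 0;
    if (leaf1_ecx & (1u << 17)) f |= F_PCID;
    if (leaf7_ebx & (1u << 10)) f |= F_INVPCID;
    if (leaf7_edx & (1u << 26)) f |= F_IBRS_IBPB;
    if (leaf7_edx & (1u << 27)) f |= F_STIBP;
    if (leaf7_edx & (1u << 29)) f |= F_ARCH_CAP;
    return f;
}

/* Features the host CPU reports that the guest cannot see. */
unsigned hidden_from_guest(unsigned host, unsigned guest) { return host & ~guest; }

/* Query the CPU this program runs on; returns -1 if CPUID is unusable. */
int read_local_features(unsigned *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b = 0, c = 0, d = 0, ecx1, max = __get_cpuid_max(0, 0);
    if (max < 1) return -1;
    __cpuid(1, a, b, c, d);
    ecx1 = c; b = 0; d = 0;              /* leaf 7 bits stay 0 if the leaf is absent */
    if (max >= 7) __cpuid_count(7, 0, a, b, c, d);
    (void)a;
    *out = decode_features(ecx1, b, d);
    return 0;
#else
    (void)out; return -1;
#endif
}

int main(void)
{
    unsigned f;
    if (read_local_features(&f) != 0) { puts("CPUID unavailable"); return 1; }
    printf("PCID=%d INVPCID=%d IBRS/IBPB=%d STIBP=%d ARCH_CAP=%d\n", !!(f & F_PCID),
           !!(f & F_INVPCID), !!(f & F_IBRS_IBPB), !!(f & F_STIBP), !!(f & F_ARCH_CAP));
    return 0;
}
```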

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

cremor wrote: I really hope VirtualBox implements both of those features as quickly as possible.
Patches are always welcome if it's that crucial ;)
Rodrigo Gomes
Posts: 29
Joined: 19. Jul 2016, 13:19

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Rodrigo Gomes »

Anything new in this subject by VirtualBox?
I use VirtualBox to maintain servers with many hosted websites, this has really worried me.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by socratis »

I read this just today, and I really liked it:
Just because you're paranoid doesn't mean they aren't after you.
- Joseph Heller, Catch-22
Do the attackers (who don't exist yet in the wild) have "local" access to the VMs (which is required for the flaw to be exploited)? Also, do you know that this affects VirtualBox? VirtualBox doesn't do any kernel level jobs, not the kind that's affected in any event. I don't know if it does affect VirtualBox for sure, do you?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by mpack »

I would think that "Meltdown" does potentially affect a VM because of course code runs natively on the host CPU. Therefore a cache attack is theoretically possible, except of course that no malware yet known is capable of exploiting the bug - and I expect it would be even harder to get the timing right in a VM.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by cremor »

According to https://access.redhat.com/articles/3311301 Spectre also affects VMs. Quote:
CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by Petr Vones »

As for the Intel Spectre CPU microcode updates, Lenovo had to withdraw it due to quality issues (BSODs, system hangs). More information on that link, Withdrawn CPU Microcode Update paragraph. I suppose it affects all machines, not just Lenovo ones.

It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

Rodrigo Gomes wrote: Anything new in this subject by VirtualBox?
At this point I'd suggest waiting for the next Oracle CPU (January 16th).
Rodrigo Gomes wrote: I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
You should be worried. There is an unknown number of existing vulnerabilities that have, just like Spectre/Meltdown, been hiding for decades. And in the end we'll all die.

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by michaln »

Petr Vones wrote: It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
The problem with Spectre/Meltdown is that it abuses the design (Spectre) of practically all modern CPU hardware, or Intel's mis-design in the case of Meltdown. The real fix is to go back to the Pentium MMX, but that's also extremely costly and certainly not doable on short notice.

The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice. Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago, and it's not even available at all for older CPUs. Similarly OS updates only turned up in the last few days, so the full impact on the ecosystem isn't even known.
jonha
Posts: 33
Joined: 31. Jul 2015, 19:09

Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

Post by jonha »

michaln wrote: The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice.
Well... apparently the first information about Meltdown/Spectre trickled down to Intel, AMD etc sometime in June 2017. I fully see that analysis of the problems, establishing viable routes to mitigating or resolving these abuses and bugs etc etc takes a lot of time. However, short notice still sounds a bit rich, I'd say, if you look at the way Intel and others have rushed out microcode updates (and these only for some CPUs!) that seem not very well tested, to say the least. Either they have been sleepwalking into this or they are criminally negligent. Probably both.
michaln wrote: Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago
Not only that. The incredibly high number of possible variations in hard- and software on billions of target machines must make this into the worst update nightmare for decades. And, as you wrote in another post, who knows what lurks under the surface.