Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
-
- Posts: 89
- Joined: 27. Dec 2012, 01:20
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10 64-bit
- Location: Czech Republic
Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Hello,
is there any information of possible impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization? While the first one can be fixed but has (serious?) performance penalty, the second one is almost beyond repair. According wikipedia, "Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it". There was similar issue lately with DLL injection that has been fixed by the exe loader hardening. Now it seems there is similar issue again.
As for performace, if both host and guest applies those "slowing down" Meltdown patches, the real performance penalty might be noticeable and annoying.
is there any information of possible impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization? While the first one can be fixed but has (serious?) performance penalty, the second one is almost beyond repair. According wikipedia, "Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it". There was similar issue lately with DLL injection that has been fixed by the exe loader hardening. Now it seems there is similar issue again.
As for performace, if both host and guest applies those "slowing down" Meltdown patches, the real performance penalty might be noticeable and annoying.
-
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
If you were in the developer's mailing list, you would have noticed the following:
We are aware of the (so far only) rumors but don’t know anything beyond what is available on the public sources which all copy from each other. The original source seems to be http://pythonsweetness.tumblr.com/post/ ... page-table
Because there are no details so far we can’t say whether VirtualBox is affected in any way.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
- Posts: 89
- Joined: 27. Dec 2012, 01:20
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10 64-bit
- Location: Czech Republic
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Thanks to the link. Interesting reading, especially the part about new evolution of DRAM Rowhammer bug. It looks like 2018 will bring a lot of surprises
As for performance hints, Microsoft patches are already available (at least on Microsoft Update Catalog download) so everyone can test the impact now.
As for performance hints, Microsoft patches are already available (at least on Microsoft Update Catalog download) so everyone can test the impact now.
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
I am running a Windows 10 Pro guest on a Windows 10 Pro host. The host system is fully patched for Meltdown and Spectre, but even though I installed KB4056892 on the guest OS, it shows as still vulnerable. Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Any and all
- Contact:
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Not without changes to VirtualBox, obviously. The approach Intel has taken involves a set of new CPUID bits and MSRs, and those have to be explicitly supported by the hypervisor for the guest to see them.VBTech88 wrote:Is there a way to enable hardware support for branch target injection mitigation to a guest OS in VirtualBox? Is there a way for VirtualBox to enable Windows OS support for PCID optimization for the guest OS?
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
I really hope VirtualBox implements both of those features as quickly as possible.
Passing the new hardware (microcode) capabilites of updated host systems to the guest OS is important for security. If not present the guest OS won't activate the Spectre variant 2 (branch target injection) fixes.
Passing the (not new) process context identifiers (PCID) feature to the guest is a performance optimization for Meltdown (rogue data cache load) when the host is running on any recent Intel CPU (fourth-generation Core and newer).
Here is some more information about the PCID optimization and how it impacts performance:
https://archive.fo/ma8Iw
https://patchwork.kernel.org/patch/10035481/
Passing the new hardware (microcode) capabilites of updated host systems to the guest OS is important for security. If not present the guest OS won't activate the Spectre variant 2 (branch target injection) fixes.
Passing the (not new) process context identifiers (PCID) feature to the guest is a performance optimization for Meltdown (rogue data cache load) when the host is running on any recent Intel CPU (fourth-generation Core and newer).
Here is some more information about the PCID optimization and how it impacts performance:
https://archive.fo/ma8Iw
https://patchwork.kernel.org/patch/10035481/
-
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Patches are always welcome if it's that crucialcremor wrote:I really hope VirtualBox implements both of those features as quickly as possible.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
- Posts: 29
- Joined: 19. Jul 2016, 13:19
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Anything new in this subject by VirtualBox?
I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
-
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
I read this just today, and I really liked it:
Do the attackers (who don't exist yet in the wild) have "local" access to the VMs (which is required for the flaw to be exploited) ? Also, do you know that this affects VirtualBox? VirtualBox doesn't do any kernel level jobs, not the kind that's affected in any event. I don't know if it does affect VirtualBox for sure, do you?Just because you're paranoid doesn't mean they aren't after you.
- Joseph Heller, Catch-22
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
I would think that "Meltdown" does potentially affect a VM because of course code runs natively on the host CPU. Therefore a cache attack is theoretically possible, except of course that no malware yet known is capable of exploiting the bug - and I expect it would be even harder to get the timing right in a VM.
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
According to https://access.redhat.com/articles/3311301 Spectre also affects VMs. Quote:
CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
-
- Posts: 89
- Joined: 27. Dec 2012, 01:20
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10 64-bit
- Location: Czech Republic
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
As for the Intel Spectre CPU microcode updates, Lenovo has to witdrawn it due to a quality issues (BSODs, system hangs). More information on that link, Withdrawn CPU Microcode Update paragraph. I suppose it affects all machines, not just Lenovo ones.
It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Any and all
- Contact:
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
At this point I'd suggest waiting for the next Oracle CPU (January 16th).Rodrigo Gomes wrote:Anything new in this subject by VirtualBox?
You should be worried. There is an unknown number of existing vulnerabilities that have, just like Spectre/Meltdown, been hiding for decades. And in the end we'll all die.I use VirtualBox to maintain servers with many hosted websites, this has really worried me.
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Any and all
- Contact:
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
The problem with Spectre/Meltdown is that it abuses the design (Spectre) of practically all modern CPU hardware, or Intel's mis-design in the case of Meltdown. The real fix is to go back to the Pentium MMX, but that's also extremely costly and certainly not doable on short notice.Petr Vones wrote:It will be harder to fix it (without stability issues) than it seems. Lenovo postponed target availability by ~ 6 weeks now.
The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice. Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago, and it's not even available at all for older CPUs. Similarly OS updates only turned up in the last few days, so the full impact on the ecosystem isn't even known.
Re: Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?
Well... apparently the first information about Meltdown/Spectre trickled down to Intel, AMD etc sometime in June 2017. I fully see that analysis of the problems, establishing viable routes to mitigating or resolving these abuses and bugs etc etc takes a lot of time. However. short notice still sounds a bit rich, I'd say, if you look at the way Intel and others have rushed out microcode updates (and these only for some CPUs!) that seem not very well tested, to say the least. Either they have been sleepwalking into this or they are criminally negligent. Probably both.michaln wrote:The mitigations are invasive, require changes to microcode / OS / (some) applications, and were developed on rather short notice.
Not only that. The incredibly high number of possible variations in hard- and software on billions of target machines must make this into the worst update nightmare for decades. And, as you wrote in another post, who know what lurks under the surface.michaln wrote:Proper testing is impossible because for example the updated microcode from Intel started appearing only a few days ago