The Crucible Embedded Hypervisor mitigates the recent rash of CPU-based information leakage / unauthorized disclosure vulnerabilities, including those made public in CVE 2018-3620 and CVE 2018-3646. The Xen project further classifies these vulnerabilities under XSA 273. Crucible inherently mitigates these speculative execution (and related Spectre / Meltdown) vulnerabilities as a result of its explicit hardware resource allocation strategy, and overall secure-by-design configuration.

The latest round of Intel processor vulnerabilities (i.e. Foreshadow – L1 Terminal Fault speculative side channel) is an additional vector for abusing speculative execution and CPU pipelining. The Foreshadow attack leverages an untrusted guest which has shared L1 cache with a trusted guest, in order to expose the memory contents (i.e. keys, encryption parameters, classified data, etc.) to untrusted guests. For an attacker to leverage these attacks, the guests must be oversubscribed (i.e. they must share a physical CPU core including L1/L2 cache), which is the standard configuration for most virtualized systems. Conversely, Crucible does not permit trusted / untrusted guests or frankly any guests to share system resources. One of the core defining principles of Crucible is strict allocation of hardware – including CPU cores, cache, and RAM to individual guests VMs. Using this principle of isolation, Crucible prevents VMs from oversubscribing or sharing resources, eliminating the ability for trusted and untrusted applications to co-exist on the same set of hardware resources, and thus removing Foreshadow (and other similar speculative execution) vulnerabilities from deployed systems.

In addition to preventing the over-subscription of hardware resources, Crucible provides several other mitigations for speculative execution attacks. Additional mitigations include: special treatment of Hyperthreading as a single core-pair (when enabled at the system / processor level), Xen patches for PV mode, Linux kernel patches as part of the Titanium suite, and preventing shadow paging.

Now considered part of historical cyber-lore, the DoD 5200.28-STD (i.e. the “Orange Book”) published in 1985 provided clear guidance on secure system configuration. The guiding principles of the “Orange Book” include isolation of applications and/or execution domains and mandatory access control for all system users / resources. A full implementation of the DoD 5200.28-STD standard configures a system in such a way so as to prevent side-channel information leakage vulnerabilities, including speculative execution. Since it’s inception, Crucible has used DoD 5200.28-STD as a guiding principle for secure system design, and enforces both Mandatory Access Control (for system resources, and application access) as well as strict isolation of resources.

For additional information on Crucible, or the mitigation of speculative execution vulnerabilities, contact Star Lab.