Linux Readying Spectre V2 Userspace-Userspace Protection
Written by Michael Larabel in Security on 26 September 2018 at 07:13 AM EDT. 5 Comments
SECURITY --
While the Linux kernel has been patched for months (and updated CPU microcode available) to mitigate Spectre Variant Two "Branch Target Injection" this has been focused on kernel-space protection while patches are pending now for userspace-userspace protection.

Spectre V2 mitigation for application to application attacks hasn't been a priority since its more difficult to exploit due to ASLR (Address Space Layout Randomization). This protection is being worked on and these new patches enable app-to-app mitigation for Spectre Variant Two via IBPB (Indirect Branch Prediction Barrier) and STIBP (Single Thread Indirect Branch Predictors). This protection via the new Linux kernel patches is for both Intel and AMD CPUs.

But as with the other Spectre (and Meltdown) mitigations, this userspace-userspace protection will come at a performance cost. Tim Chen who posted these latest Linux kernel patches noted, "leaving STIBP on all the time is expensive for certain applications that have frequent indirect branches. One such application is perlbench in the SpecInt Rate 2006 test suite which shows a 21% reduction in throughput. Other application like bzip2 in the same test suite with minimal indirct branches have only a 0.7% reduction in throughput. IBPB will also impose overhead during context switches."

The default behavior will be for the kernel to decide on "lite" or "strict" behavior. The lite mode enables mitigation for non-dumpable processes while the strict mode protects all user processes. This support can be toggled via the spectre_v2_app2app= kernel configuration.

The four patches for this Spectre V2 app-to-app mitigation can be found on the kernel mailing list. As Spectre/Meltdown patches have generally been accepted to mainline when ready rather than waiting for the next cycle's merge window, we'll see if these patches end up landing in Linux 4.19 or held off until 4.20~5.0. Benchmarks will be coming soon on Phoronix.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Security News
Popular News This Week