You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/security/developer-guidance-speculative-execution.md
+9-10Lines changed: 9 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,7 +16,7 @@ This article contains guidance for developers to assist with identifying and mit
16
16
17
17
The guidance provided by this article is related to the classes of vulnerabilities represented by:
18
18
19
-
1.CVE-2017-5753, also known as Spectre variant 1. This hardware vulnerability class is related to side channels that can arise due to speculative execution that occurs as a result of a conditional branch misprediction. The Visual C++ compiler in Visual Studio 2017 (starting with version 15.5.5) includes support for the `/Qspectre` switch which provides a compile-time mitigation for a limited set of potentially vulnerable coding patterns related to CVE-2017-5753. The `/Qspectre` switch is also available in Visual Studio 2015 Update 3 through [KB 4338871](https://support.microsoft.com/help/4338871). The documentation for the [/Qspectre](https://docs.microsoft.com/cpp/build/reference/qspectre) flag provides more information on its effects and usage.
19
+
1.CVE-2017-5753, also known as Spectre variant 1. This hardware vulnerability class is related to side channels that can arise due to speculative execution that occurs as a result of a conditional branch misprediction. The Visual C++ compiler in Visual Studio 2017 (starting with version 15.5.5) includes support for the `/Qspectre` switch which provides a compile-time mitigation for a limited set of potentially vulnerable coding patterns related to CVE-2017-5753. The `/Qspectre` switch is also available in Visual Studio 2015 Update 3 through [KB 4338871](https://support.microsoft.com/help/4338871). The documentation for the [/Qspectre](https://docs.microsoft.com/cpp/build/reference/qspectre) flag provides more information on its effects and usage.
20
20
21
21
2.CVE-2018-3639, also known as [Speculative Store Bypass (SSB)](https://aka.ms/sescsrdssb). This hardware vulnerability class is related to side channels that can arise due to speculative execution of a load ahead of a dependent store as a result of a memory access misprediction.
In this example, `ReadByte` is supplied a buffer, a buffer size, and an index into that buffer. The index parameter, as specified by `untrusted_index`, is supplied by a less privileged context, such as a non-administrative process. If `untrusted_index` is less than `buffer_size`, then the character at that index is read from `buffer` and used to index into a shared region of memory referred to by `shared_buffer`.
43
+
In this example, `ReadByte` is supplied a buffer, a buffer size, and an index into that buffer. The index parameter, as specified by `untrusted_index`, is supplied by a less privileged context, such as a non-administrative process. If `untrusted_index` is less than `buffer_size`, then the character at that index is read from `buffer` and used to index into a shared region of memory referred to by `shared_buffer`.
44
44
45
-
From an architectural perspective, this code sequence is perfectly safe as it is guaranteed that `untrusted_index` will always be less than `buffer_size`. However, in the presence of speculative execution, it is possible that the CPU will mispredict the conditional branch and execute the body of the if statement even when `untrusted_index` is greater than or equal to `buffer_size`. As a consequence of this, the CPU may speculatively read a byte from beyond the bounds of `buffer` (which could be a secret) and could then use that byte value to compute the address of a subsequent load through `shared_buffer`.
45
+
From an architectural perspective, this code sequence is perfectly safe as it is guaranteed that `untrusted_index` will always be less than `buffer_size`. However, in the presence of speculative execution, it is possible that the CPU will mispredict the conditional branch and execute the body of the if statement even when `untrusted_index` is greater than or equal to `buffer_size`. As a consequence of this, the CPU may speculatively read a byte from beyond the bounds of `buffer` (which could be a secret) and could then use that byte value to compute the address of a subsequent load through `shared_buffer`.
46
46
47
47
While the CPU will eventually detect this misprediction, residual side effects may be left in the CPU cache that reveal information about the byte value that was read out of bounds from `buffer`. These side effects can be detected by a less privileged context running on the system by probing how quickly each cache line in `shared_buffer` is accessed. The steps that can be taken to accomplish this are:
48
48
@@ -58,14 +58,14 @@ The above steps provide an example of using a technique known as FLUSH+RELOAD in
58
58
59
59
## What software scenarios can be impacted?
60
60
61
-
Developing secure software using a process like the [Security Development Lifecycle](https://www.microsoft.com/en-us/sdl/) (SDL) typically requires developers to identify the trust boundaries that exist in their application. A trust boundary exists in places where an application may interact with data provided by a less-trusted context, such as another process on the system or a non-administrative user mode process in the case of a kernel-mode device driver. The new class of vulnerabilities involving speculative execution side channels is relevant to many of the trust boundaries in existing software security models that isolate code and data on a device.
61
+
Developing secure software using a process like the [Security Development Lifecycle](https://www.microsoft.com/en-us/sdl/) (SDL) typically requires developers to identify the trust boundaries that exist in their application. A trust boundary exists in places where an application may interact with data provided by a less-trusted context, such as another process on the system or a non-administrative user mode process in the case of a kernel-mode device driver. The new class of vulnerabilities involving speculative execution side channels is relevant to many of the trust boundaries in existing software security models that isolate code and data on a device.
62
62
63
63
The following table provides a summary of the software security models where developers may need to be concerned about these vulnerabilities occurring:
64
64
65
65
|Trust boundary|Description|
66
66
|----------------|----------------|
67
-
|Virtual machine boundary|Applications that isolate workloads in separate virtual machines that receive untrusted data from another virtual machine may be at risk.|
68
-
|Kernel boundary|A kernel-mode device driver that receives untrusted data from a non-administrative user mode process may be at risk.|
67
+
|Virtual machine boundary|Applications that isolate workloads in separate virtual machines that receive untrusted data from another virtual machine may be at risk.|
68
+
|Kernel boundary|A kernel-mode device driver that receives untrusted data from a non-administrative user mode process may be at risk.|
69
69
|Process boundary|An application that receives untrusted data from another process running on the local system, such as through a Remote Procedure Call (RPC), shared memory, or other Inter-Process Communication (IPC) mechanisms may be at risk.|
70
70
|Enclave boundary|An application that executes within a secure enclave (such as Intel SGX) that receives untrusted data from outside of the enclave may be at risk.|
71
71
|Language boundary|An application that interprets or Just-In-Time (JIT) compiles and executes untrusted code written in a higher-level language may be at risk.|
### Array out-of-bounds load feeding an indirect branch
120
120
121
-
This coding pattern involves the case where a conditional branch misprediction can lead to an out-of-bounds access to an array of function pointers which then leads to an indirect branch to the target address that was read out-of-bounds. The following snippet provides an example that demonstrates this.
121
+
This coding pattern involves the case where a conditional branch misprediction can lead to an out-of-bounds access to an array of function pointers which then leads to an indirect branch to the target address that was read out-of-bounds. The following snippet provides an example that demonstrates this.
122
122
123
123
In this example, an untrusted message identifier is provided to DispatchMessage through the `untrusted_message_id` parameter. If `untrusted_message_id` is less than `MAX_MESSAGE_ID`, then it is used to index into an array of function pointers and branch to the corresponding branch target. This code is safe architecturally, but if the CPU mispredicts the conditional branch, it could result in `DispatchTable` being indexed by `untrusted_message_id` when its value is greater than or equal to `MAX_MESSAGE_ID`, thus leading to an out-of-bounds access. This could result in speculative execution from a branch target address that is derived beyond the bounds of the array which could lead to information disclosure depending on the code that is executed speculatively.
124
124
@@ -173,7 +173,7 @@ It should be noted that both of these examples involve speculative modification
173
173
174
174
## Speculative type confusion
175
175
176
-
This category deals with coding patterns that can give rise to a speculative type confusion. This occurs when memory is accessed using an incorrect type along a non-architectural path during speculative execution. Both conditional branch misprediction and speculative store bypass can potentially lead to a speculative type confusion.
176
+
This category deals with coding patterns that can give rise to a speculative type confusion. This occurs when memory is accessed using an incorrect type along a non-architectural path during speculative execution. Both conditional branch misprediction and speculative store bypass can potentially lead to a speculative type confusion.
177
177
178
178
For speculative store bypass, this could occur in scenarios where a compiler reuses a stack location for variables of multiple types. This is because the architectural store of a variable of type `A` may be bypassed, thus allowing the load of type `A` to speculatively execute before the variable is assigned. If the previously stored variable is of a different type, then this can create the conditions for a speculative type confusion.
179
179
@@ -353,6 +353,5 @@ Another technique that can be used to mitigate speculative execution side channe
353
353
354
354
## See Also
355
355
356
-
[Guidance to mitigate speculative execution side-channel vulnerabilities](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV180002)
357
-
356
+
[Guidance to mitigate speculative execution side-channel vulnerabilities](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV180002)<br/>
358
357
[Mitigating speculative execution side channel hardware vulnerabilities](https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/)
Copy file name to clipboardExpand all lines: docs/security/how-user-account-control-uac-affects-your-application.md
+24-20Lines changed: 24 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,23 +12,27 @@ ms.author: "mblome"
12
12
ms.workload: ["cplusplus"]
13
13
---
14
14
# How User Account Control (UAC) Affects Your Application
15
-
User Account Control (UAC) is a feature of Windows Vista in which user accounts have limited privileges. You can find detailed information about UAC at these sites:
16
-
17
-
-[Developer Best Practices and Guidelines for Applications in a Least Privileged Environment](/windows/desktop/uxguide/winenv-uac)
18
-
19
-
## Building Projects after Enabling UAC
20
-
If you build a Visual C++ project on Windows Vista with UAC disabled, and you later enable UAC, you must clean and rebuild the project for it to work correctly.
21
-
22
-
## Applications that Require Administrative Privileges
23
-
Be default, the Visual C++ linker embeds a UAC fragment into the manifest of an application with an execution level of `asInvoker`. If your application requires administrative privileges to run correctly (for example, if it modifies the HKLM node of the registry or if it writes to protected areas of the disk, such as the Windows directory), you must modify your application.
24
-
25
-
The first option is to modify the UAC fragment of the manifest to change the execution level to *requireAdministrator*. The application will then prompt the user for administrative credentials before it runs. For information about how to do this, see [/MANIFESTUAC (Embeds UAC information in manifest)](../build/reference/manifestuac-embeds-uac-information-in-manifest.md).
26
-
27
-
The second option is to not embed a UAC fragment into the manifest by specifying the `/MANIFESTUAC:NO` linker option. In this case, your application will run virtualized. Any changes you make to the registry or to the file system will not persist after your application has ended.
28
-
29
-
The following flowchart describes how your application will run depending on whether UAC is enabled and whether the application has a UAC manifest:
30
-
31
-
![Windows Vista Loader behavior](media/uacflowchart.png"UACflowchart")
32
-
33
-
## See Also
34
-
[Security Best Practices](security-best-practices-for-cpp.md)
15
+
16
+
User Account Control (UAC) is a feature of Windows Vista in which user accounts have limited privileges. You can find detailed information about UAC at these sites:
17
+
18
+
-[Developer Best Practices and Guidelines for Applications in a Least Privileged Environment](/windows/desktop/uxguide/winenv-uac)
19
+
20
+
## Building Projects after Enabling UAC
21
+
22
+
If you build a Visual C++ project on Windows Vista with UAC disabled, and you later enable UAC, you must clean and rebuild the project for it to work correctly.
23
+
24
+
## Applications that Require Administrative Privileges
25
+
26
+
By default, the Visual C++ linker embeds a UAC fragment into the manifest of an application with an execution level of `asInvoker`. If your application requires administrative privileges to run correctly (for example, if it modifies the HKLM node of the registry or if it writes to protected areas of the disk, such as the Windows directory), you must modify your application.
27
+
28
+
The first option is to modify the UAC fragment of the manifest to change the execution level to *requireAdministrator*. The application will then prompt the user for administrative credentials before it runs. For information about how to do this, see [/MANIFESTUAC (Embeds UAC information in manifest)](../build/reference/manifestuac-embeds-uac-information-in-manifest.md).
29
+
30
+
The second option is to not embed a UAC fragment into the manifest by specifying the `/MANIFESTUAC:NO` linker option. In this case, your application will run virtualized. Any changes you make to the registry or to the file system will not persist after your application has ended.
31
+
32
+
The following flowchart describes how your application will run depending on whether UAC is enabled and whether the application has a UAC manifest:
33
+
34
+
![Windows Vista Loader behavior](media/uacflowchart.png"UACflowchart")
35
+
36
+
## See Also
37
+
38
+
[Security Best Practices](security-best-practices-for-cpp.md)
0 commit comments