Guidance for mitigating speculative execution side-channel vulnerabilities in Azure

Last document update: 9 August 2019 10:00 AM PST.

The disclosure of a new class of CPU vulnerabilities known as speculative execution side-channel attacks has resulted in questions from customers seeking more clarity.

Azure has deployed mitigations across all our cloud services. The infrastructure that runs Azure and isolates customer workloads from each other is protected. This means that a potential attacker using the same infrastructure can't attack your application using these vulnerabilities.

Azure is using memory-preserving maintenance whenever possible, to minimize customer impact and eliminate the need for reboots. Azure will continue to use these methods when making system-wide updates to the host, to protect our customers.

More information about how security is integrated into every aspect of Azure is available on the Azure Security Documentation site.

Note

Since this document was first published, multiple variants of this vulnerability class have been disclosed. Azure continues to be heavily invested in protecting our customers and providing guidance. This page will be updated as we continue to release further fixes.

On May 14, 2019, Intel disclosed a new set of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS; see Microsoft Security Advisory ADV190013), which has been assigned multiple CVEs:

  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)

These vulnerabilities affect Intel® Core® and Intel® Xeon® processors. Azure has released operating system updates and is deploying new microcode, as Intel makes it available, throughout our fleet to protect our customers against these new vulnerabilities. Azure is working closely with Intel to test and validate the new microcode before its official release on the platform.

Customers that run untrusted code within their VMs need to take action to protect against these vulnerabilities; read the guidance below, which covers all of the speculative execution side-channel vulnerabilities addressed in Microsoft Security Advisories ADV180002, ADV180018 and ADV190013.

Other customers should evaluate these vulnerabilities from a defense-in-depth perspective and consider the security and performance implications of their chosen configuration.

Keeping your operating systems up-to-date

While an OS update is not required to isolate your applications running on Azure from other Azure customers, it is always a best practice to keep your software up-to-date. The latest Security Rollups for Windows contain mitigations for several speculative execution side-channel vulnerabilities. Similarly, Linux distributions have released multiple updates to address these vulnerabilities. Here are our recommended actions to update your operating system, by offering:

  • Azure Cloud Services: Enable auto update, or ensure you are running the newest Guest OS.
  • Azure Linux Virtual Machines: Install updates from your operating system provider. For more information, see Linux later in this document.
  • Azure Windows Virtual Machines: Install the latest security rollup.
  • Other Azure PaaS Services: No action is needed for customers using these services; Azure automatically keeps your OS versions up-to-date.

Additional guidance if you are running untrusted code

Customers who allow untrusted users to execute arbitrary code may wish to implement some additional security features inside their Azure Virtual Machines or Cloud Services. These features protect against the intra-process disclosure vectors that several speculative execution vulnerabilities describe.

Example scenarios where additional security features are recommended:

  • You allow code that you do not trust to run inside your VM.
    • For example, you allow one of your customers to upload a binary or script that you then execute within your application.
  • You allow users that you do not trust to log into your VM using low-privileged accounts.
    • For example, you allow a low-privileged user to log into one of your VMs using Remote Desktop or SSH.
  • You allow untrusted users access to virtual machines implemented via nested virtualization.
    • For example, you control the Hyper-V host but allocate the VMs to untrusted users.

Customers whose scenario does not involve untrusted code do not need to enable these additional security features.

Enabling additional security

You can enable additional security features inside your VM or Cloud Service if you are running untrusted code. In parallel, ensure your operating system is up-to-date, since the security features inside your VM or Cloud Service depend on it.

Windows

Your target operating system must be up-to-date to enable these additional security features. While numerous speculative execution side-channel mitigations are enabled by default, the additional features described here must be enabled manually and may cause a performance impact.

Step 1: Disable hyper-threading on the VM. Customers running untrusted code on a hyper-threaded VM will need to disable hyper-threading or move to a non-hyper-threaded VM size. See the Azure VM sizes documentation for the list of hyper-threaded VM sizes (those with a 2:1 ratio of vCPUs to cores). To check whether hyper-threading is enabled on your VM, run the following from a Windows command prompt inside the VM.

Type wmic to enter the interactive interface, then type the command below to view the number of physical cores and logical processors on the VM.

CPU Get NumberOfCores,NumberOfLogicalProcessors /Format:List

If the number of logical processors is greater than the number of physical processors (cores), hyper-threading is enabled. If you are running a hyper-threaded VM, contact Azure Support to get hyper-threading disabled. Once hyper-threading is disabled, support will require a full VM reboot. Refer to Core count to understand why your VM core count decreased.

Step 2: In parallel to Step 1, follow the instructions in KB4072698 to verify that protections are enabled, using the SpeculationControl PowerShell module.

Note

If you previously downloaded this module, you will need to install the newest version.

The output of the PowerShell script should show the values below to confirm that protections against these vulnerabilities are enabled:

Windows OS support for branch target injection mitigation is enabled: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Windows OS support for L1 terminal fault mitigation is enabled: True
Windows OS support for MDS mitigation is enabled: True

If the output shows MDS mitigation is enabled: False, contact Azure Support for available mitigation options.

Step 3: To enable Kernel Virtual Address Shadowing (KVAS) and Branch Target Injection (BTI) OS support, follow the instructions in KB4072698 to enable protections using the Session Manager registry keys (the FeatureSettingsOverride and FeatureSettingsOverrideMask values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management). A reboot is required.

Step 4: For deployments that are using nested virtualization (D3 and E3 only): these instructions apply inside the VM you are using as a Hyper-V host.

  1. Follow the instructions in KB4072698 to enable protections using the MinVmVersionForCpuBasedMitigations registry key (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization).
  2. Set the hypervisor scheduler type to Core by following the Hyper-V hypervisor scheduler instructions; the change takes effect after a reboot.

Linux

Enabling the additional set of security features inside the VM requires that the target operating system be fully up-to-date. Some mitigations are enabled by default. The following section describes the features that are off by default and/or rely on hardware support (microcode). Enabling these features may cause a performance impact. Refer to your operating system provider's documentation for further instructions.

Step 1: Disable hyper-threading on the VM. Customers running untrusted code on a hyper-threaded VM will need to disable hyper-threading or move to a non-hyper-threaded VM size. See the Azure VM sizes documentation for the list of hyper-threaded VM sizes (those with a 2:1 ratio of vCPUs to cores). To check whether you are running a hyper-threaded VM, run the lscpu command in the Linux VM.

If Thread(s) per core = 2, hyper-threading is enabled.

If Thread(s) per core = 1, hyper-threading is disabled.

Sample output for a VM with hyper-threading enabled:

CPU Architecture:      x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                8
On-line CPU(s) list:   0-7
Thread(s) per core:    2
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1

If you are running a hyper-threaded VM, contact Azure Support to get hyper-threading disabled. Once hyper-threading is disabled, support will require a full VM reboot. Refer to Core count to understand why your VM core count decreased.

Step 2: To mitigate any of the speculative execution side-channel vulnerabilities listed under Next steps below, refer to your operating system provider's documentation.
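The Windows checks (Step 1's wmic core count and Step 2's SpeculationControl output) and the Linux checks (Step 1's lscpu output, together with the Linux kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/) can be folded into one audit. The script below is an added example and is not part of this Azure page or of Microsoft's tooling. It parses the text the page's own commands print, applies the page's policy (exposed hyper-threading only matters when untrusted code runs in the VM; a mitigation reported as off always matters), and ships with sample outputs so it can be run offline. The non-interactive command lines, the assumption that the SpeculationControl module is already installed, and the sysfs sample states are assumptions made here, not taken from the page.

```python
"""Audit helper for the checks on this page: is hyper-threading exposed to the VM
(vCPU-to-core ratio), and does the OS report its speculative-execution mitigations
as enabled? It parses the text printed by the page's own commands, so the sample
outputs embedded below let it be exercised offline."""
import platform
import re
import subprocess
from pathlib import Path

# States the page says a protected Windows VM should report. SSBD "system-wide" is
# shown as False in the page's sample output and is deliberately not checked.
EXPECTED_WINDOWS = {
    "branch target injection mitigation": True,
    "kernel VA shadow": True,
    "L1 terminal fault mitigation": True,
    "MDS mitigation": True,
}
# The page's commands, run non-interactively. Assumption: the SpeculationControl
# module from KB4072698 is installed, so PowerShell can resolve the cmdlet.
WMIC_CMD = ["wmic", "cpu", "get", "NumberOfCores,NumberOfLogicalProcessors", "/format:list"]
SPEC_CMD = ["powershell", "-NoProfile", "-Command", "Get-SpeculationControlSettings"]
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Sample outputs for offline use. The first three mirror this page; the sysfs states
# are constructed to resemble a kernel with MDS and L1TF mitigated but SMT still on.
SAMPLE_WMIC = "\nNumberOfCores=4\nNumberOfLogicalProcessors=8\n\n"
SAMPLE_LSCPU = "CPU(s):                8\nThread(s) per core:    2\nCore(s) per socket:    4\n"
SAMPLE_SPEC = (
    "Windows OS support for branch target injection mitigation is enabled: True\n"
    "Windows OS support for kernel VA shadow is enabled: True\n"
    "Windows OS support for speculative store bypass disable is enabled system-wide: False\n"
    "Windows OS support for L1 terminal fault mitigation is enabled: True\n"
    "Windows OS support for MDS mitigation is enabled: True\n")
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "l1tf": "Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
}

def parse_key_values(text, sep):
    """Turn 'key<sep>value' lines into a dict (split on the first separator, trim)."""
    out = {}
    for line in text.splitlines():
        if sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out

def threads_per_core_from_lscpu(text):
    """lscpu prints 'Thread(s) per core: 2' on a hyper-threaded VM."""
    return int(parse_key_values(text, ":")["Thread(s) per core"])

def threads_per_core_from_wmic(text):
    """wmic /format:list prints NumberOfCores=4 and NumberOfLogicalProcessors=8."""
    kv = parse_key_values(text, "=")
    return int(kv["NumberOfLogicalProcessors"]) // int(kv["NumberOfCores"])

_SPEC_LINE = re.compile(r"Windows OS support for (.+?) is enabled(?: system-wide)?:\s*(True|False)")

def parse_speculationcontrol(text):
    """Map each 'Windows OS support for <X> is enabled: True|False' line to a bool."""
    return {m.group(1): m.group(2) == "True" for m in _SPEC_LINE.finditer(text)}

def windows_findings(spec_text):
    """Mitigations whose reported state differs from EXPECTED_WINDOWS; a missing line counts."""
    got = parse_speculationcontrol(spec_text)
    return [f"{name}: expected {want}, got {got.get(name)}"
            for name, want in EXPECTED_WINDOWS.items() if got.get(name) is not want]

def linux_findings(vuln_states):
    """vuln_states maps a sysfs file name ('mds', 'l1tf', ...) to its content. 'Vulnerable'
    means unmitigated; 'SMT vulnerable' is what the kernel appends while hyper-threading is on."""
    return [f"{name}: {state}" for name, state in sorted(vuln_states.items())
            if state.startswith("Vulnerable") or "SMT vulnerable" in state]

def read_sysfs_vulnerabilities(directory=SYSFS_VULN_DIR):
    """Live equivalent of SAMPLE_SYSFS, read from the running Linux kernel."""
    return {p.name: p.read_text().strip() for p in Path(directory).iterdir() if p.is_file()}

def audit(untrusted_code, threads_per_core, findings):
    """Page policy: exposed HT is a finding only with untrusted code; an off mitigation always is."""
    result = list(findings)
    if untrusted_code and threads_per_core > 1:
        result.insert(0, f"hyper-threading exposed ({threads_per_core} threads per core): "
                         "have Azure Support disable it or move to a non-hyper-threaded size")
    return result

def main(untrusted_code=True):
    """Run the live checks for the current OS and print the findings."""
    def stdout(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    if platform.system() == "Windows":
        tpc = threads_per_core_from_wmic(stdout(WMIC_CMD))
        findings = windows_findings(stdout(SPEC_CMD))
    else:
        tpc = threads_per_core_from_lscpu(stdout(["lscpu"]))
        findings = linux_findings(read_sysfs_vulnerabilities())
    for line in audit(untrusted_code, tpc, findings) or ["no findings"]:
        print(line)

if __name__ == "__main__":
    main()
```

Run it inside the VM with no arguments; on Windows it needs the SpeculationControl module from Step 2 installed, and on Linux it needs a kernel new enough to populate the vulnerabilities directory. On a VM that does not run untrusted code, call main(untrusted_code=False) so that only missing OS mitigations are reported, matching the page's guidance that those customers need not disable hyper-threading.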

Core count

When a hyper-threaded VM is created, Azure allocates 2 threads per core; these are called vCPUs. When hyper-threading is disabled, Azure removes one thread and surfaces single-threaded cores (physical cores). The ratio of vCPUs to cores is 2:1, so once hyper-threading is disabled, the CPU count in the VM will appear to have halved. For example, a D8_v3 VM is a hyper-threaded VM running on 8 vCPUs (2 threads per core x 4 cores). When hyper-threading is disabled, the CPU count drops to 4 physical cores with 1 thread per core.

Next steps

This article provides guidance on the speculative execution side-channel attacks below, which affect many modern processors:

Spectre and Meltdown:

  • CVE-2017-5715 - Branch Target Injection (BTI), Spectre Variant 2
  • CVE-2017-5754 - Rogue Data Cache Load (Meltdown, Variant 3), mitigated by Kernel Page Table Isolation (KPTI)
  • CVE-2018-3639 - Speculative Store Bypass (SSB), Variant 4
  • CVE-2019-1125 - Windows Kernel Information Disclosure Vulnerability (SWAPGS), a variant of Spectre Variant 1

L1 Terminal Fault (L1TF):

  • CVE-2018-3615 - Intel Software Guard Extensions (Intel SGX)
  • CVE-2018-3620 - Operating Systems (OS) and System Management Mode (SMM)
  • CVE-2018-3646 - Virtual Machine Monitor (VMM)

Microarchitectural Data Sampling:

  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)