Warn user if speculative stores are disabled

[sporksmith]

There's a speculative-store sidechannel that only affects processes that need to prevent code that has access to its memory locations from reading its data, such as browser sandboxes. The common mitigation is to disable speculative stores, which is expensive. In many situations this mitigation is conservatively turned on (such as seccomp, and by extension Docker), but isn't actually needed.

There's a prctl, PR_GET_SPECULATION_CTRL and PR_SET_SPECULATION_CTRL to check the status of some opt-in mitigations - currently only PR_SPEC_STORE_BYPASS. Notably, installing a seccomp policy sets this to PR_SPEC_FORCE_DISABLE by default, which can lead to quite large performance penalties in Shadow. Similarly, Docker uses seccomp by default, and uses it in a way that sets this to PR_SPEC_FORCE_DISABLE.

We should use PR_GET_SPECULATION_CTRL as startup to check whether this mitigation is turned on, and if so notify the user that performance will suffer. Ideally we should point them to some hints about opting out of it when using Docker or using seccomp directly.

Somewhat orthogonal, but we should also check whether this is getting turned on inside the tor process when it installs its seccomp policy.

[sporksmith]

Example of how to check this, and how to disable in Docker:

$ sudo docker run -it shadow:centos-8-gcc-debug /bin/bash
[sudo] password for jnewsome: 
[root@f65e840b30c8 shadow]# cat > spec.c
#include <sys/prctl.h>
#include <stdio.h>int main(int argc, char **argv) {
	int spec = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
	if (spec & PR_SPEC_PRCTL) {
		printf("PR_SPEC_PRCTL\n");
	}
	if (spec & PR_SPEC_ENABLE) {
		printf("PR_SPEC_ENABLE\n");
	}
	if (spec & PR_SPEC_DISABLE) {
		printf("PR_SPEC_DISABLE\n");
	} 
	if (spec & PR_SPEC_FORCE_DISABLE) {
		printf("PR_SPEC_FORCE_DISABLE\n");
	}
	return 0;
}[root@f65e840b30c8 shadow]# gcc spec.c 
[root@f65e840b30c8 shadow]# ./a.out 
PR_SPEC_PRCTL
PR_SPEC_FORCE_DISABLE

$ sudo docker run --security-opt seccomp=unconfined -it shadow:centos-8-gcc-debug /bin/bash
[root@caa217aa0f13 shadow]# cat > spec.c
#include <sys/prctl.h>
#include <stdio.h>int main(int argc, char **argv) {
	int spec = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
	if (spec & PR_SPEC_PRCTL) {
		printf("PR_SPEC_PRCTL\n");
	}
	if (spec & PR_SPEC_ENABLE) {
		printf("PR_SPEC_ENABLE\n");
	}
	if (spec & PR_SPEC_DISABLE) {
		printf("PR_SPEC_DISABLE\n");
	} 
	if (spec & PR_SPEC_FORCE_DISABLE) {
		printf("PR_SPEC_FORCE_DISABLE\n");
	}
	return 0;
}[root@caa217aa0f13 shadow]# gcc spec.c 
[root@caa217aa0f13 shadow]# ./a.out 
PR_SPEC_PRCTL
PR_SPEC_ENABLE

[sporksmith]

Reading a bit more about this vulnerability and mitigation to better understand when it is or isn't safe to leave speculative stores enabled. It looks like this particular vulnerability only affects programs that have access to the same memory, but need to keep secrets from each-other; e.g. a browser running untrusted code in its process.

Given this, I'm not really sure why the Docker default seccomp policy disables speculative execution; afaik none of the containerized code has access to Docker's memory or other containers' memory.

From https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works

One potential problem arises when an application is implementing a sandbox or other attempt at isolation within a single running process. In this case, there are really two active contexts: the trusted sandbox environment, and the untrusted code running within it. Microprocessors are designed with the concept of different privilege levels, and of course, our entire computing world relies upon this in order to isolate processes and virtual machines from one another. But microprocessor designers don’t (traditionally) factor in separated contexts within the same process (same privilege or exception level). As a result, untrusted (possibly malicious) code can run within a sandbox and abuse store buffer speculation to read sensitive data from the sandbox itself.

In the common case of managed code environments (such as Java or JavaScript), an ability for a managed code to dump arbitrary content from its managing process could be fatal to the security of the application, or of other applications running within the same shared process. The attack is possible because the code may be constructed to appear to perform benign reads of values to which it has legitimate access. These accesses are seen by the runtime security checks that validate the managed code prior to allowing it to execute. Unfortunately, the untrusted managed code could, in fact, be abusing speculation to see unsafe previous values of memory variables, pointers, and sensitive security structures through a cache side channel.

It sounds like it's turned on by default with seccomp only because one use-case is to sandbox code within the same process, and it's conceivable that the sandboxed code should be prevented from reading sandboxer code data.

The Linux kernel "seccomp" ("secure computing") framework allows an application to request that limits be placed upon itself, for example, to prevent further use of certain system calls and other system interfaces after its initial startup phase. Seccomp is often used by sandboxes and managed code frameworks to limit the ability for sandbox escape once potentially malicious untrusted code begins to execute. The seccomp framework has been modified in the latest Linux kernel updates such that its use will automatically have the side-effect of disabling Speculative Store Buffer Bypass, equivalent to applications making an explicitly programmed "prctl" request.

[sporksmith]

AFAICT tor does not opt out of this mitigation. While that's the case, in shadow simulations we should probably avoid enabling tor's seccomp (or have Shadow no-op emulate the corresponding syscalls)

tor uses libseccomp. AFAIK it'd need to set the libseccomp attr SCMP_FLTATR_CTL_SSB to opt out, but appears not to:

$ git grep SCMP_FLTATR_CTL_SSB
<no output>

In case I'm misunderstanding and it's actually using bare syscalls somewhere - afaik it'd need to pass SECCOMP_FILTER_FLAG_SPEC_ALLOW to the seccomp syscall, but appears not to:

$ git grep SECCOMP_FILTER_FLAG_SPEC_ALLOW
<no output>

[sporksmith]

Cross-referencing #1471 for posterity, where we opt out of this in Shadow's use of seccomp.

[sporksmith]

Some ad-hoc benchmarking for reference:

Before #1471, a phold benchmark got about 50% 30% slower with seccomp enabled. EDIT: ((14.2-10.8)/10.8) * 100 = 31%

seccomp disabled:

$ rm -rf shadow.data && time /home/jnewsome/.local/bin/shadow -p12 --interpose-method=preload --use-seccomp=false  config.yaml > shadow.log
** Starting Shadow v2.0.0-pre.1-54-g1381e242 2021-06-22--17:57:38 with GLib v2.64.6 and IGraph v0.7.1
** Stopping Shadow, returning code 0 (success)real	0m10.847s
user	1m18.286s
sys	0m18.238s

seccomp enabled:

$ rm -rf shadow.data && time /home/jnewsome/.local/bin/shadow -p12 --interpose-method=preload --use-seccomp=true  config.yaml > shadow.log
** Starting Shadow v2.0.0-pre.1-54-g1381e242 2021-06-22--17:57:38 with GLib v2.64.6 and IGraph v0.7.1
** Stopping Shadow, returning code 0 (success)real	0m14.192s
user	1m29.324s
sys	0m35.719s

After #1471 (explicitly leaving speculative stores enabled while enabling seccomp), seccomp has very little overhead. (Including baseline again because these runs used a modified simulation config).

Without seccomp:

$ rm -rf shadow.data && time /home/jnewsome/.local/bin/shadow -p12 --interpose-method=preload --use-seccomp=false  config.yaml > shadow.log
** Starting Shadow v2.0.0-pre.1-54-g1381e242-dirty 2021-06-22--17:57:38 with GLib v2.64.6 and IGraph v0.7.1
** Stopping Shadow, returning code 0 (success)real	0m25.282s
user	3m43.667s
sys	0m37.588s

With seccomp, with the SECCOMP_FILTER_FLAG_SPEC_ALLOW flag

$ rm -rf shadow.data && time /home/jnewsome/.local/bin/shadow -p12 --interpose-method=preload --use-seccomp=true  config.yaml > shadow.log
** Starting Shadow v2.0.0-pre.1-54-g1381e242-dirty 2021-06-22--17:57:38 with GLib v2.64.6 and IGraph v0.7.1
** Stopping Shadow, returning code 0 (success)real	0m24.815s
user	3m38.089s
sys	0m38.213s

[sporksmith]

Filed https://gitlab.torproject.org/tpo/core/tor/-/issues/40423 with tor

[stevenengler]

Reading a bit more about this vulnerability and mitigation to better understand when it is or isn't safe to leave speculative stores enabled. It looks like this particular vulnerability only affects programs that have access to the same memory, but need to keep secrets from each-other; e.g. a browser running untrusted code in its process.

Given this, I'm not really sure why the Docker default seccomp policy disables speculative execution; afaik none of the containerized code has access to Docker's memory or other containers' memory.

Since applications running in Docker share the same page table cache with the host, I think they still have the same cache-based side channel vulnerabilities. So I'm guessing they keep speculative stores disabled to help protect against these attacks from other containers.

[sporksmith]

Since applications running in Docker share the same page table cache with the host, I think they still have the same cache-based side channel vulnerabilities. So I'm guessing they keep speculative stores disabled to help protect against these attacks from other containers.

From what I can gather e.g. from the redhat writeup, this vulnerability is only exploitable from code running in the same address space (or perhaps with some other form of shared memory); I don't think sharing page table caches is sufficient.