Guidance for mitigating speculative execution side-channel vulnerabilities in Azure

Last document update: 9 August 2019 10:00 AM PST.

The disclosure of a new class of CPU vulnerabilities, known as speculative execution side-channel attacks, has resulted in questions from customers seeking more clarity.

Microsoft has deployed mitigations across all our cloud services. The infrastructure that runs Azure and isolates customer workloads from each other is protected. This means that a potential attacker using the same infrastructure can't attack your application using these vulnerabilities.

Azure is using memory-preserving maintenance whenever possible, to minimize customer impact and eliminate the need for reboots. Azure will continue utilizing these methods when making system-wide updates to the host and protect our customers.

More information about how security is integrated into every aspect of Azure is available on the Azure Security Documentation site.

Note

Since this document was first published, multiple variants of this vulnerability class have been disclosed. Microsoft continues to be heavily invested in protecting our customers and providing guidance. This page will be updated as we continue to release further fixes.

On May 14, 2019, Intel disclosed a new set of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS; see Microsoft Security Guidance ADV190013), which has been assigned multiple CVEs:

  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)

This vulnerability affects Intel® Core® processors and Intel® Xeon® processors. Microsoft Azure has released operating system updates and is deploying new microcode, as it is made available by Intel, throughout our fleet to protect our customers against these new vulnerabilities. Azure is working closely with Intel to test and validate the new microcode prior to its official release on the platform.

Customers that are running untrusted code within their VM need to take action to protect against these vulnerabilities by reading below for additional guidance on all speculative execution side-channel vulnerabilities (Microsoft Advisories ADV180002, ADV180018, and ADV190013).

Other customers should evaluate these vulnerabilities from a defense-in-depth perspective and consider the security and performance implications of their chosen configuration.

Keeping your operating systems up-to-date

While an OS update is not required to isolate your applications running on Azure from other Azure customers, it is always a best practice to keep your software up-to-date. The latest Security Rollups for Windows contain mitigations for several speculative execution side-channel vulnerabilities. Similarly, Linux distributions have released multiple updates to address these vulnerabilities. Here are our recommended actions to update your operating system:

Offering                        Recommended action
Azure Cloud Services            Enable auto update or ensure you are running the newest Guest OS.
Azure Linux Virtual Machines    Install updates from your operating system provider. For more information, see Linux later in this document.
Azure Windows Virtual Machines  Install the latest security rollup.
Other Azure PaaS Services       There is no action needed for customers using these services. Azure automatically keeps your OS versions up-to-date.

Additional guidance if you are running untrusted code

Customers who allow untrusted users to execute arbitrary code may wish to implement some additional security features inside their Azure Virtual Machines or Cloud Services. These features protect against the intra-process disclosure vectors that several speculative execution vulnerabilities describe.

Example scenarios where additional security features are recommended:

  • You allow code that you do not trust to run inside your VM.
    • For example, you allow one of your customers to upload a binary or script that you then execute within your application.
  • You allow users that you do not trust to log into your VM using low-privileged accounts.
    • For example, you allow a low-privileged user to log into one of your VMs using Remote Desktop or SSH.
  • You allow untrusted users access to virtual machines implemented via nested virtualization.
    • For example, you control the Hyper-V host, but allocate the VMs to untrusted users.

Customers who do not implement a scenario involving untrusted code do not need to enable these additional security features.

Enabling additional security

You can enable additional security features inside your VM or Cloud Service if you are running untrusted code. In parallel, ensure your operating system is up-to-date to enable security features inside your VM or Cloud Service.

Windows

Your target operating system must be up-to-date to enable these additional security features. While numerous speculative execution side-channel mitigations are enabled by default, the additional features described here must be enabled manually and may cause a performance impact.

Step 1: Disable hyper-threading on the VM - Customers running untrusted code on a hyper-threaded VM will need to disable hyper-threading or move to a non-hyper-threaded VM size. Reference this doc for a list of hyper-threaded VM sizes (where the ratio of vCPU to core is 2:1). To check if your VM has hyper-threading enabled, please refer to the below script using the Windows command line from within the VM.

Type wmic to enter the interactive interface. Then type the below to view the number of physical and logical processors on the VM.

CPU Get NumberOfCores,NumberOfLogicalProcessors /Format:List

If the number of logical processors is greater than the number of physical processors (cores), then hyper-threading is enabled. If you are running a hyper-threaded VM, please contact Azure Support to get hyper-threading disabled. Once hyper-threading is disabled, support will require a full VM reboot. Please refer to Core count to understand why your VM core count decreased.

Step 2: In parallel to Step 1, follow the instructions in KB4072698 to verify protections are enabled using the SpeculationControl PowerShell module.

Note

If you previously downloaded this module, you will need to install the newest version.

The output of the PowerShell script should have the below values to validate enabled protections against these vulnerabilities:

Windows OS support for branch target injection mitigation is enabled: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Windows OS support for L1 terminal fault mitigation is enabled: True
Windows OS support for MDS mitigation is enabled: True

If the output shows MDS mitigation is enabled: False, please contact Azure Support for available mitigation options.
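The following added example (not part of this article or of the SpeculationControl module) checks saved text output of the module's script against the expected values listed above. It assumes the output was captured to a file or string exactly as printed; the sample string is copied from the expected lines above, and a protection line that is absent (for example, from an older module version) is reported as missing, which matches the note about installing the newest version.

```python
import re

# Protections this article expects to read "True" on a mitigated Azure VM.
# The "speculative store bypass disable ... system-wide" line is listed as
# False above, so it is deliberately not a requirement here.
EXPECTED = {
    "branch target injection mitigation is enabled": True,
    "kernel VA shadow is enabled": True,
    "L1 terminal fault mitigation is enabled": True,
    "MDS mitigation is enabled": True,
}

# Matches only the "Windows OS support for ...: True/False" summary lines;
# hardware-presence and other lines of the script output are ignored.
LINE_RE = re.compile(r"^Windows OS support for (?P<name>.+?): (?P<value>True|False)$")

# Sample output, copied from the expected values shown in Step 2 above.
SAMPLE_OUTPUT = """\
Windows OS support for branch target injection mitigation is enabled: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Windows OS support for L1 terminal fault mitigation is enabled: True
Windows OS support for MDS mitigation is enabled: True
"""


def parse_speculation_control(output: str) -> dict:
    """Map each 'Windows OS support for <name>' line to a bool."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = m.group("value") == "True"
    return result


def missing_protections(output: str) -> list:
    """Names of expected protections that are False or not reported at all."""
    parsed = parse_speculation_control(output)
    return [name for name, want in EXPECTED.items() if parsed.get(name) is not want]


if __name__ == "__main__":
    missing = missing_protections(SAMPLE_OUTPUT)
    print("all expected protections enabled" if not missing else
          "contact Azure Support; not enabled: " + ", ".join(missing))
```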

Step 3: To enable Kernel Virtual Address Shadowing (KVAS) and Branch Target Injection (BTI) OS support, follow the instructions in KB4072698 to enable protections using the Session Manager registry keys. A reboot is required.

Step 4: For deployments that are using nested virtualization (D3 and E3 only): These instructions apply inside the VM you are using as a Hyper-V host.

  1. Follow the instructions in KB4072698 to enable protections using the MinVmVersionForCpuBasedMitigations registry keys.
  2. Set the hypervisor scheduler type to Core by following the instructions here.

Linux

Enabling the set of additional security features inside the VM requires that the target operating system be fully up-to-date. Some mitigations will be enabled by default. The following section describes the features which are off by default and/or reliant on hardware support (microcode). Enabling these features may cause a performance impact. Reference your operating system provider's documentation for further instructions.

Step 1: Disable hyper-threading on the VM - Customers running untrusted code on a hyper-threaded VM will need to disable hyper-threading or move to a non-hyper-threaded VM. Reference this doc for a list of hyper-threaded VM sizes (where the ratio of vCPU to core is 2:1). To check if you are running a hyper-threaded VM, run the lscpu command in the Linux VM.

If Thread(s) per core = 2, then hyper-threading is enabled.

If Thread(s) per core = 1, then hyper-threading is disabled.

Sample output for a VM with hyper-threading enabled:

CPU Architecture:      x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                8
On-line CPU(s) list:   0-7
Thread(s) per core:    2
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1

If you are running a hyper-threaded VM, please contact Azure Support to get hyper-threading disabled. Once hyper-threading is disabled, support will require a full VM reboot. Please refer to Core count to understand why your VM core count decreased.

Step 2: To mitigate against any of the below speculative execution side-channel vulnerabilities, refer to your operating system provider's documentation:

Core count

When a hyper-threaded VM is created, Azure allocates 2 threads per core; these are called vCPUs. When hyper-threading is disabled, Azure removes a thread and surfaces single-threaded cores (physical cores). The ratio of vCPU to CPU is 2:1, so once hyper-threading is disabled, the CPU count in the VM will appear to have decreased by half. For example, a D8_v3 VM is a hyper-threaded VM running on 8 vCPUs (2 threads per core x 4 cores). When hyper-threading is disabled, CPUs will drop to 4 physical cores with 1 thread per core.
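As an added example (not from this article), the hyper-threading check from the Windows and Linux Step 1 sections and the core-count arithmetic of this section in one place: it parses either wmic /Format:List output or lscpu output into (logical CPUs, cores), applies the article's rule that more logical processors than cores means hyper-threading is on, and reports the CPU count the VM will show after Azure Support disables it. The lscpu sample reuses the article's 8-vCPU example; the wmic sample is constructed for the same 4-core layout.

```python
# Constructed sample: lscpu lines for the article's hyper-threaded example VM.
LSCPU_SAMPLE = """\
CPU(s):                8
On-line CPU(s) list:   0-7
Thread(s) per core:    2
Core(s) per socket:    4
Socket(s):             1
"""

# Constructed sample: what "CPU Get NumberOfCores,NumberOfLogicalProcessors
# /Format:List" prints in wmic for the same layout (blank lines included).
WMIC_SAMPLE = """\

NumberOfCores=4
NumberOfLogicalProcessors=8

"""


def topology_from_lscpu(text: str) -> tuple:
    """Return (logical_cpus, cores) from lscpu output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    logical = int(fields["CPU(s)"])
    threads_per_core = int(fields["Thread(s) per core"])
    return logical, logical // threads_per_core


def topology_from_wmic(text: str) -> tuple:
    """Return (logical_cpus, cores) from wmic /Format:List output.
    wmic prints one Key=Value block per processor socket, so values are summed."""
    cores = logical = 0
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "NumberOfCores":
            cores += int(value)
        elif sep and key == "NumberOfLogicalProcessors":
            logical += int(value)
    return logical, cores


def hyperthreading_enabled(logical: int, cores: int) -> bool:
    """Article's rule: more logical processors than physical cores means SMT is on."""
    return logical > cores


def cpus_after_disabling_ht(logical: int, cores: int) -> int:
    """CPU count the VM shows once hyper-threading is disabled (2:1 ratio, so it halves)."""
    return cores if hyperthreading_enabled(logical, cores) else logical
```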

Next steps

This article provides guidance for the below speculative execution side-channel attacks that affect many modern processors:

Spectre and Meltdown:

  • CVE-2017-5715 - Branch Target Injection (BTI)
  • CVE-2017-5754 - Kernel Page Table Isolation (KPTI)
  • CVE-2018-3639 - Speculative Store Bypass (KPTI)
  • CVE-2019-1125 - Windows Kernel Information - variant of Spectre Variant 1

L1 Terminal Fault (L1TF):

  • CVE-2018-3615 - Intel Software Guard Extensions (Intel SGX)
  • CVE-2018-3620 - Operating Systems (OS) and System Management Mode (SMM)
  • CVE-2018-3646 - impacts Virtual Machine Manager (VMM)

Microarchitectural Data Sampling:

  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)