As suggested by Thomas Gleixner and signed off by Waiman Long in a proposed Linux kernel patch, a new bit will be introduced to toggle off Speculative Store Bypass Disable (SSBD) for programs that do not require the extra protection against the Spectre Variant 4 security issue.

This vulnerability was disclosed in May 2018 and mitigated in the Linux kernel using the SSBD bit added to the IA32_SPEC_CTRL Model-Specific Register (MSR) of x86 processors, which reached Intel systems through the intel-microcode omnibus update of August 27, 2018.

SSBD mitigates the effects of the CVE-2018-3639 (aka Variant 4 or SpectreNG or Speculative Store Bypass or SSB) hardware security vulnerability which can be exploited by would-be attackers using "speculative execution and cache based side channel methods to bypass security measures and access privileged memory."


SSB is closely related to the Meltdown and Spectre issues, and it affects a wide range of modern microprocessors from AMD, Intel, and ARM, as well as IBM's POWER8 and POWER9.

According to the suggested Linux kernel patch:

Only a certain class of applications (like Java) that can run on behalf of multiple users on a single thread will require disabling speculative store bypass for security purposes. Those applications will call prctl(2) at startup time to disable SSB. They won't rely on the fact the SSB might have been disabled. Other applications that don't need SSBD will just move on without checking if SSBD has been turned on or not.

The fact that the TIF_SSBD is inherited across the execve(2) boundary will cause performance of applications that don't need SSBD but whose predecessors have SSBD on to be unwittingly impacted, especially if they write to memory a lot.

To be more exact, the unnecessary performance decrease that SSBD imposes on programs unaffected by SSB stems from the TIF_SSBD bit being inherited when new tasks are forked or cloned, so that the bit is still kept active "when a new program is execve'ed".

To fix this problem, the new changes to the kernel add a PR_SPEC_DISABLE_NOEXEC argument for the PR_SET_SPECULATION_CTRL option of prctl(2), which allows applications to specify that the SSBD feature bit should be cleared whenever a new program is executed.

Using this argument will allow Linux programs that do not need protection against the Speculative Store Bypass issue to run without a performance hit.
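The prctl(2) interface the article describes, as an added example that is not code from the article or from the kernel patch: a small C program that queries the calling task's SSB control state, requests the new PR_SPEC_DISABLE_NOEXEC behaviour, and reports whether the resulting state would be inherited by a program started with execve(2). The constant values are those of the kernel's uapi header; the fallback defines only matter on systems whose headers predate them, and the helper names (ssb_describe, ssb_persists_across_exec, ssb_get_state, ssb_disable) are this example's own.

```c
/* Query and control Speculative Store Bypass Disable (SSBD) for the calling
 * task via prctl(2). Added example, not from the article or the kernel patch.
 * Constant values follow include/uapi/linux/prctl.h; the fallbacks below are
 * only used when the installed headers do not define them. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4) /* the value introduced by the patch */
#endif

/* Translate a PR_GET_SPECULATION_CTRL result into a short description. */
const char *ssb_describe(long st)
{
    if (st < 0)
        return "query failed";
    if (st == PR_SPEC_NOT_AFFECTED)
        return "CPU not affected by SSB";
    if (st & PR_SPEC_DISABLE_NOEXEC)
        return "SSBD on, cleared automatically at execve";
    if (st & PR_SPEC_FORCE_DISABLE)
        return "SSBD on, locked (cannot be turned off again)";
    if (st & PR_SPEC_DISABLE)
        return (st & PR_SPEC_PRCTL) ? "SSBD on, per-task control available"
                                    : "SSBD on, fixed by kernel command line";
    if (st & PR_SPEC_ENABLE)
        return (st & PR_SPEC_PRCTL) ? "SSBD off, per-task control available"
                                    : "SSBD off, fixed by kernel command line";
    return "unrecognised state";
}

/* Would this state still be in force after execve(2)? This is the inheritance
 * the patch addresses: plain DISABLE and FORCE_DISABLE carry over to the new
 * program, while DISABLE_NOEXEC is dropped when a new program is executed. */
int ssb_persists_across_exec(long st)
{
    if (st < 0 || (st & PR_SPEC_DISABLE_NOEXEC))
        return 0;
    return (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* Current SSB control state of the calling task, or -1 with errno set. */
long ssb_get_state(void)
{
#ifdef __linux__
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Turn SSBD on for this task. With noexec != 0 the kernel clears it again at
 * the next execve, so programs this task goes on to exec do not inherit it.
 * Returns 0 on success, -1 with errno set (ENXIO: no per-task control on this
 * system; ERANGE: kernel does not know this ctrl value; EPERM: state locked). */
int ssb_disable(int noexec)
{
#ifdef __linux__
    unsigned long ctrl = noexec ? PR_SPEC_DISABLE_NOEXEC : PR_SPEC_DISABLE;
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ctrl, 0, 0);
#else
    (void)noexec;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    long st = ssb_get_state();
    printf("before: %s\n", ssb_describe(st));

    if (ssb_disable(1) != 0)
        printf("PR_SPEC_DISABLE_NOEXEC rejected: %s\n", strerror(errno));

    st = ssb_get_state();
    printf("after:  %s (inherited by exec'ed programs: %s)\n",
           ssb_describe(st), ssb_persists_across_exec(st) ? "yes" : "no");
    return 0;
}
```

On a kernel without the patch the set call fails with ERANGE and the task keeps whatever state it started with; on a system booted with spec_store_bypass_disable=on or off the query reports the fixed state without the PR_SPEC_PRCTL bit and the set call fails with ENXIO, which is the quickest way to tell whether per-task control is available at all.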

Separately, as explained by Red Hat's Jon Masters, system administrators who want "to globally disable the Speculative Store Buffer Bypassing can do so quickly and easily through the new “spec_store_bypass_disable” kernel parameter."
