Researchers at VU Amsterdam and IBM Research have discovered GhostRace, an analysis of the behaviour of synchronisation primitives under speculative execution.
Synchronisation primitives are typically implemented as an unbounded loop which waits until a resource is available to be accessed. This means there is a conditional branch on the lock state which can be microarchitecturally bypassed using Spectre-v1 techniques, allowing an attacker to speculatively execute the critical region without holding the lock.
Therefore, while a critical region might be safe architecturally, it can still suffer from data races under speculation with unsafe consequences.
The GhostRace paper focuses on Speculative Concurrent Use-After-Free issues, but notes that there are many other types of speculative data hazard to be explored.
For more details, see: <a href="https://vusec.net/projects/ghostrace">https://vusec.net/projects/ghostrace</a>
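The shape of the problem, as an added illustration that is not Xen's or Linux's lock code: a test-and-set spinlock built on C11 atomics, annotated to show where the GhostRace-relevant conditional branch sits, beside a variant that places a speculation barrier immediately after the lock is taken (the mitigation direction the researchers evaluated against Linux). The barrier instruction is an assumption for illustration: LFENCE on x86, degrading to a compiler barrier elsewhere. The pthread workload at the end only checks that both locks are architecturally correct; the speculative race itself is not observable from this code, which is the point of L3 above.

```c
/*
 * Added illustration (not Xen or Linux code): a test-and-set spinlock on C11
 * atomics, showing the conditional branch that GhostRace abuses, plus a
 * hardened acquire with a speculation barrier after the lock is taken.
 * Assumption: LFENCE is the barrier on x86; other targets get only a
 * compiler barrier, so both lock variants then behave identically.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    atomic_bool locked;
} spinlock_t;

static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");   /* compiler barrier only */
#endif
}

/*
 * Plain acquire. The loop condition is the conditional branch that Spectre-v1
 * style mispeculation bypasses: if the predictor guesses "CAS succeeded"
 * while another CPU still holds the lock, the caller's critical region runs
 * speculatively and races with the real holder (e.g. it reads a pointer the
 * holder is about to free, then dereferences the freed object). The CPU
 * squashes those instructions once the CAS result retires, but the cache
 * state they touched survives.
 */
static void spin_lock(spinlock_t *l)
{
    bool expected;
    do {
        expected = false;
    } while (!atomic_compare_exchange_weak_explicit(&l->locked, &expected, true,
                                                    memory_order_acquire,
                                                    memory_order_relaxed));
}

/* Hardened acquire: nothing after the barrier executes, even speculatively,
 * until the CAS has resolved, so the critical region only runs once the lock
 * is architecturally held. */
static void spin_lock_hardened(spinlock_t *l)
{
    spin_lock(l);
    speculation_barrier();
}

static void spin_unlock(spinlock_t *l)
{
    atomic_store_explicit(&l->locked, false, memory_order_release);
}

/* Contended workload used to check the locks architecturally (constructed). */
struct worker_args {
    spinlock_t *lock;
    long *counter;
    long iters;
    bool hardened;
};

static void *worker(void *p)
{
    struct worker_args *a = p;
    for (long i = 0; i < a->iters; i++) {
        if (a->hardened)
            spin_lock_hardened(a->lock);
        else
            spin_lock(a->lock);
        (*a->counter)++;            /* critical region */
        spin_unlock(a->lock);
    }
    return NULL;
}

/* Performs nthreads * iters increments under the lock and returns the final
 * count, which equals nthreads * iters when mutual exclusion holds. */
long run_contended(int nthreads, long iters, bool hardened)
{
    spinlock_t lock;
    long counter = 0;
    pthread_t *tids = calloc((size_t)nthreads, sizeof(*tids));
    struct worker_args args = { &lock, &counter, iters, hardened };

    atomic_init(&lock.locked, false);
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &args);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    free(tids);
    return counter;
}

int main(void)
{
    printf("plain:    %ld\n", run_contended(4, 5000, false));
    printf("hardened: %ld\n", run_contended(4, 5000, true));
    return 0;
}
```

Both variants pass the architectural check; the only difference is that the hardened acquire refuses to let the critical region start before the CAS has retired, which is exactly what a speculative race needs. The cost of that barrier on every lock acquisition is why a blanket mitigation is not free, and why the absence of a reachable gadget matters below.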
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Systems running all versions of Xen are affected.
GhostRace is a variation of Spectre-v1, and Spectre-v1 is known to affect a wide range of CPU architectures and designs. Consult your hardware vendor.
However, Xen does not have any known gadgets vulnerable to GhostRace at the time of writing.
Furthermore, even with the vulnerable instance found in Linux, the researchers had to insert an artificial syscall to make the instance more accessible to a userspace attacker.
Therefore, the Xen Security Team does not believe that immediate action is required.