Spectre V2 "Lite" App-To-App Protection Mode Readying For The Linux Kernel

We are approaching one year since the Spectre and Meltdown CPU vulnerabilities shocked the industry, and while no new CPU speculative execution vulnerabilities have been made public recently, the Linux kernel developers continue improving upon the Spectre/Meltdown software-based mitigation techniques for helping to offset incurred performance costs with current generation hardware.

The latest work out today is a revised set of patches from an Intel developer for the Spectre Variant Two "Lite" mode for application-to-application protection. This is improving upon the lite mode for application-to-application / userspace-userspace Spectre V2 protection. Spectre V2 application to application attacks are much less likely due to KASLR, but in recent months kernel developers from Intel, SUSE, and other vendors have been working on a solution. The lite mode is intended to avoid the performance costs with having STIBP (Single Thread Indirect Branch Predictors) / IBPB (Indirect Branch Prediction Barrier) enabled for all applications even if they may not be a target for exploit or hold sensitive information.

Tim Chen summed it up in the patches, "leaving STIBP on all the time is expensive for certain applications that have frequent indirect branches. One such application is perlbench in the SpecInt Rate 2006 test suite which shows a 21% reduction in throughput. Other application like bzip2 in the same test suite with minimal indirct branches have only a 0.7% reduction in throughput. IBPB will also impose overhead during context switches...Application to application exploit is in general difficult due to address space layout randomization in applications and the need to know an application's address space layout ahead of time. Users may not wish to incur performance overhead from IBPB and STIBP for general non security sensitive processes and use these mitigations only for security sensitive processes. This patchset provides a process property based lite protection mode that applies IBPB and STIBP mitigation only to security sensitive non-dumpable processes."

The patches add the spectre_v2_app2app kernel module parameter to control the behavior. The default behavior is the automatic mode that lets the kernel decide but via this option the user can go with the "lite" mode whereby mitigation is turned on only for non-dumpable processes such as daemons and other privileged processes. The "strict" mode is what protects all user processes as the most secure means but potentially can regress performance a lot with this Spectre V2 app-tp-app mitigation and may not be entirely necessary depending upon your system's processes and security concerns (or there the lack of). Or there's spectre_v2_app2app=off for outright disabling this protection.

These patches also expose a PRCTL interface so users can restrict an application's individual indirect branch speculation ability for manually protecting certain user processes.

With the just published V3 patches, STIBP is skipped when enhanced IBRS is used plus an assortment of other fixes. While Spectre/Meltdown patches are generally accepted upstream into the kernel whenever ready and when warranted by security needs, as this functionality isn't particularly pressing, the timing of these patches may mean we'll see this latest Spectre code merged in the upcoming 4.20~5.0 kernel merge window.