MIPS: response on speculative execution and side channel vulnerabilities
February 2nd, 2018 – The cache side channel vulnerabilities disclosed by security researchers recently have garnered much attention across the processor world. Here is information on the susceptibility of MIPS processor implementations to these techniques.
Given the extensive history of the MIPS architecture and breadth of usage across the industry, there are many varieties of MIPS processors being used across numerous markets and billions of products. The scope of this announcement applies to the analysis and findings on the licensable IP processor cores designed by, and available from, MIPS.
Many resources are now available that discuss these attacks, so the technical details of the mechanisms are not covered here. The websites that announced the vulnerabilities, specifically the Meltdown and Spectre pages, are a good starting point for general information and further details.
While all of the attacks are related to speculative execution of processor instructions that modify cache state and then infer information about memory contents, otherwise believed to be secure, via a side channel that can observe access timing, there are several variations that have been identified.
– Spectre (variant 1): Bounds check bypass
– Spectre (variant 2): Branch target injection
– Meltdown (variant 3): Rogue data cache load
Most MIPS processors are not affected at all. If your processor core is not listed in the table below, your processor core is not affected by these vulnerabilities. The attacks are simply not possible on the majority of MIPS processor cores, as their microarchitecture either does not perform speculative execution, or can’t speculate deeply enough to allow the exploits that have been described. MIPS processors should not be affected by variant 3 (speculatively accessing memory and updating cache contents with incomplete protection checks) as this scenario is not allowed by the MIPS architecture. However, two MIPS processor families that support superscalar out-of-order execution – P5600 and P6600 – could be affected by variants 1 & 2 from the scenarios above. See the following table for a summary of affected processors.
This information covers only the affected processor IP cores provided directly by MIPS. If you are using a processor that was designed by a MIPS Architecture licensee, please check with them directly for susceptibility as the attack scenarios are directed at microarchitectural implementation behavior, not the instruction set architecture level.
For the affected MIPS processors, there are several independent mitigation alternatives that can be used to avoid the vulnerabilities. An overview of these mitigation approaches can be found here, which will also be updated with any latest guidance, documentation, and software patches as they become available. Note that all of the attacks that have been disclosed require a user to be able to modify and run his or her own code on the processor. So a “deeply embedded” application that does not allow user modifiable code will not be susceptible.
Future MIPS-designed processors will be resilient to this style of attack or allow for mitigation through software patches.