Yes Spectre can cross host/guest, guest/host and guest/guest boundaries because this is a CPU level flaw that means that potentially sensitive information can be leaked across anything that runs on a CPU core.
Most of the news stories on the internet speak about the cloud providers being worst hit by this as they have massive clusters of systems that are virtualised and could potentially be abused to leak sensitive information.
Most of the large providers should have been patched against the flaws by now, as best they can be, but this is going to be a problem that lives with us for some time.
Security.SE has a canonical Q & A regarding this and it mentions VM's:
I am running a Virtual Machine/Containers, to what extent am I vulnerable?
As per Steffen Ullrich's
answer
- Meltdown attacks do not cross VMs, only leaks kernel memory to local processes.
- Spectre can work across VMs.
Also, from Steffen
again, Meltdown and
Spectre works with containers, as containers relies on the host
kernel.
VMs use the actual CPU in your system with some privileged instructions trapped and able to be redirected. It uses the same caches and instructions as the host does. It is essentially just another layer within the physical CPU in your system.
Virtualization is only fast because it uses the physical CPU with as little abstraction as possible and relies on CPU hardware to provide isolation. Things like qemu can do emulation which would be safer as it is not a hardware CPU, but it is much slower and is different from virtualization.
From the Security.se canonical post again:
Spectre works on a different level and does not allow access to kernel-space data from user-space. In this attack, the attacker tricks the speculative execution to predictively execute instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), that results in asking for an out-of-bound memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then by the side-channel, retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process.
So, because the VM runs in actual CPU hardware and all it needs to do is run a particular loop to "train" the speculative execution engine. Then it can use precise timing to watch the caches for particular patterns of access indicative of the host or guest (or other VM) process that it is looking to exploit.
In this way it means that a machine is exploitable in every direction. From host to VM, from VM to host, and from VM to VM.
Yes, it is by no means easy and is a difficult thing to pull off as the VM CPU core could change at whim of the host and the host could happily schedule tasks on different cores as well, but over a long period of time enough information could be leaked to give up a secret key to some important system or account. Given enough time and some suitably stealthy software everything is potentially open.
If you wanted a "secure" VM then you have to guarantee that it's cores are isolated. The only real ways to block this attack would be to "force" the host and VMs to only use certain cores so that they are never running on the same hardware but this would lead to an effective increase in cost as you would not be able to have as many VMs on a given host. You would never be able to get away with running more VMs than you have cores available, which is something I would expect to be done on "low load" servers as many systems sit idle for 90% of their life.
4Yes, A little research would have confirmed VMWare has released patches to address Spectre and Meltdown. The guest OS must be patched, in addition, to the actual hypervisor (both types) – Ramhound – 2018-03-03T13:41:20.073
Depends on the level of virtualisation, I'd say. If you are simulating a virtual CPU, then you're probably safe. But that's not what modern VMs do. – Bergi – 2018-03-03T17:08:53.353
Is there any explanation how it is possible to read the cache of a virtual cpu? – None – 2018-03-03T17:15:35.293
1@jms details are in the canonical post I linked in my answer:
Spectre works on a different level ... In this attack, the attacker tricks the speculative execution to predictively execute instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result that results in asking for an out-of-bound memory access that the victim process would not normally have requested resulting in incorrect speculative execution. Then by the side-channel, retrieves the value of this memory. In this way memory belonging to the victim process is leaked to the malicious process.
– Mokubai – 2018-03-03T18:33:20.860@jms When it is running, a virtual CPU has the same cache as the physical CPU it is running on. – David Schwartz – 2018-03-03T19:31:46.077
@DavidSchwartz really? this is surprising. I was assuming that a VM is more abstracted from the real hardware. – None – 2018-03-04T10:03:44.750
1@jms Virtualization is only fast because it uses the physical CPU with as little abstraction as possible and relies on CPU hardware to provide isolation and abstraction. Things like
qemu
can do emulation which would be safer as it is not a hardware CPU, but it is much slower and is different from virtualization. – Mokubai – 2018-03-04T16:43:49.343@jms added a bunch of info to my answer. – Mokubai – 2018-03-05T08:10:04.157