Spectre and Meltdown CPU vulnerabilities: what you need to know

Spectre and Meltdown CPU vulnerabilities: what you need to know

In the past 24 hours, two critical flaws in Intel, AMD and ARM CPUs were publicly released to the public. Both of them were originally discovered last year by Google’s Project Zero team: their name are Spectre and Meltdown and are caused by a technique called speculative execution, which is used by most modern processors (CPUs) to optimize performance.

In this post we'll try to shed some light upon these threats and see how the major companies - Intel, Google, Microsoft and the whole Linux ecosystem - are reacting to harden their products again these new subtle exploits.

The big picture

As most of us should alerady know, one of the most basic premises of computer security is isolation among different processes / threads. In short terms, any different executable / piece of code is executed within a separate process (or thread) on our machine, restricting its behaviour to its very own memory space: conversely, it might intentionally peer into other processes "secure" areas and gather info on other processes' reserved data, or even snoop around the computer and fetch info around. To quickly understand such concept, let's think about our e-mail client - be it Outlook, Thunderbird and so on: when we read our e-mail messages, all the relevant data is loaded into a reserved memory space, where we take for granted that nobody else - including other software running on our machine at the same time - can access them.

These vulnerabilities demonstrate that such "reserved" memory space isn't as secure and secluded as we thought: there might be a serious crack in those walls, and the issue affects millions of processors.

How it was discovered

The whole thing started to become public earlier this week, when a bunch of security researchers took note of a series of changes Linux and Windows developers were planning to roll out to address a critical security flaw affecting Intel CPUs. The patches were addressed to fix an exploit allowing low-privilege processes to access memory in the computer's kernel, which could be used by hackers to develop and deploy malicious software to peek into other processes and data on the target machine. The impact of this issue would be even bigger for cloud-based servers, as they could theoretically allow a malicious process to spy on all other processes running on the same shared server.These findings were published by The Register on Wednesday, Jan 2 2018 in a dedicated article and quickly spread around most social networks and online & offline magazines, thus attracting the attention of thousands of readers all over the world.

That kinda forced the hand of Google's Project Zero team, which published a blog post releasing the full details of two attacks based on that flaw, which they call Meltdown and Spectre:

"These hardware bugs allow programs to steal data which [is] currently processed on the computer.While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs."

Meltdown and Spectre

Jann Horn, a Project Zero researcher, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.

Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine: on top of that, while the researchers say that Meltdown is limited to Intel chips, they say that they've verified Spectre attacks on AMD and ARM processors, as well.

Ben Gras, a security researcher with Vrije Universiteit Amsterdam who specializes in chip-level hardware security, says that the attacks represent a deep and serious security breach:

"With these glitches, if there's any way an attacker can execute code on a machine, it can’t be contained anymore. For any process that’s untrusted and isolated, that safety is gone now. Every process can spy on every other process and access secrets in the operating system kernel."

Prior to the official revelation of Meltdown and Spectre on Wednesday, Erik Bosman (Vrije Universiteit Amsterdam's VUSEC security group) successfully reproduced one of the Intel attacks, which take advantage of a feature in chips known as speculative execution.

Speculative Execution

In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true: that feature is known as speculative execution and, in a nutshell, it works in the following way.

When modern Intel processors execute code and come to a point in an algorithm where instructions branch in two different directions, depending on input data—whether there's enough money in an account to process a transaction, for instance—they save time by "speculatively" venturing down those forks. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

In other words, they take a guess, and execute instructions to get a head start. If the processor learns that it ventured down the wrong path, it jumps back to the fork in the road, and throws out the speculative work. VUSEC's Bosman confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel, thus allowing the attacker to trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution. 
The underlying vulnerabily of such behaviour has been further confirmed by Daniel Gruss, a researcher from the Graz University of Technology:

"The processor basically runs too far ahead, executing instructions that it should not execute".

Attack Methods

To take advantage of this vulnerability an attacker first must be able to run malicious code on the targeted system. The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information including passwords, cryptographic key material and more.
At the moment, there is no single fix for all three attack variants; each requires protection independently. However, given the amount of known info, a thing can be said for certain: the exploit requires a malicious piece of software - in other words, a malware - to be up and running on our system. It's not something that can be used to infect us out of nowhere. In other words, as long as we manage to keep your system out of troubles - and we're confident that the software applications and tools you're running won't exploit such CPU vulnerability - we won't be affected.

Browser-specific countermeasures

If we want to harden our environment as soon as possible, without waiting for the official upcoming patches, the first thing we should do is to check that all our client software that can run potentially unsecure third-party code has taken countermeasures against such threat(s). The first thing that comes into mind when thinking about this are web browsers, which are meant to constantly execute third-party code in form of plugins, extensions, web sites scripts and so on. 
For Google Chrome there's already a Site Isolation feature available that will help us mitigate the risks until Chrome 64 will be released (on January 23, 2018), which will contain a complete fix: Chrome's Site Isolation can be activated by following this official guide.
For Mozilla Firefox, the company just released this statement where they confirm that "it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes". However, there's still no patch available yet.
All in all, we shouldn't take this threat lightly, as it overthrows one of the most acknowledged good practices in malware security prevention: not running unsecure process with high priviledges to prevent them from gaining access to our ACL protected data. This CPU vulnerability clearly shows that such countermeasure is hardly enough to keep our data safe from prying eyes.

Fixes and Patches

Many vendors are currently releasing patches for one or more of these attacks in an effort to mitigate the issue. Intel, Microsoft, Apple (which also uses Intel processors in most of their machines) and the Linux community, as well as some Cloud-based service providers such as Google and Amazon, are currently at work to mitigate these vulnerabilities and will update both their product support pages as they release further fixes. In a statement responding to the Meltdown and Spectre research, Intel noted that "these exploits do not have the potential to corrupt, modify, or delete data," though they do have the ability to spy on privileged data. The statement also argued that "many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits," mentioning ARM and AMD processors as well.

ARM public relation director Phil Huges also released a statement about that:

"I can confirm that Arm have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory."

Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. "We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers," the company said in a statement. "We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Linux developers have already released a fix, while Apple has not released a public statement yet.

A costly workaround

It goes without saying that better isolating the kernel memory from unprivileged memory will most likely affect performance. The impact will heavily vary, depending on the process workload and the type/age of the CPU involved (newer processors are likely to experience less significant slowdowns): it's really hard to predict how much speed an average machine will lose until the patches will roll out. 

However, a thing is for certain: considering the amount of malware available today, we'll gladly accept such performance impact to better secure our environment.

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.