Table of Contents [hide]
In the past 24 hours, two critical flaws in Intel, AMD and ARM CPUs were publicly released to the public. Both of them were originally discovered last year by Google’s Project Zero team: their name are Spectre and Meltdown and are caused by a technique called speculative execution, which is used by most modern processors (CPUs) to optimize performance.
In this post we'll try to shed some light upon these threats and see how the major companies - Intel, Google, Microsoft and the whole Linux ecosystem - are reacting to harden their products again these new subtle exploits.
The big picture
As most of us should alerady know, one of the most basic premises of computer security is isolation among different processes / threads. In short terms, any different executable / piece of code is executed within a separate process (or thread) on our machine, restricting its behaviour to its very own memory space: conversely, it might intentionally peer into other processes "secure" areas and gather info on other processes' reserved data, or even snoop around the computer and fetch info around. To quickly understand such concept, let's think about our e-mail client - be it Outlook, Thunderbird and so on: when we read our e-mail messages, all the relevant data is loaded into a reserved memory space, where we take for granted that nobody else - including other software running on our machine at the same time - can access them.
These vulnerabilities demonstrate that such "reserved" memory space isn't as secure and secluded as we thought: there might be a serious crack in those walls, and the issue affects millions of processors.
How it was discovered
The whole thing started to become public earlier this week, when a bunch of security researchers took note of a series of changes Linux and Windows developers were planning to roll out to address a critical security flaw affecting Intel CPUs. The patches were addressed to fix an exploit allowing low-privilege processes to access memory in the computer's kernel, which could be used by hackers to develop and deploy malicious software to peek into other processes and data on the target machine. The impact of this issue would be even bigger for cloud-based servers, as they could theoretically allow a malicious process to spy on all other processes running on the same shared server.These findings were published by The Register on Wednesday, Jan 2 2018 in a dedicated article and quickly spread around most social networks and online & offline magazines, thus attracting the attention of thousands of readers all over the world.
That kinda forced the hand of Google's Project Zero team, which published a blog post releasing the full details of two attacks based on that flaw, which they call Meltdown and Spectre:
"These hardware bugs allow programs to steal data which [is] currently processed on the computer.While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs."
Meltdown and Spectre
Jann Horn, a Project Zero researcher, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine: on top of that, while the researchers say that Meltdown is limited to Intel chips, they say that they've verified Spectre attacks on AMD and ARM processors, as well.
Ben Gras, a security researcher with Vrije Universiteit Amsterdam who specializes in chip-level hardware security, says that the attacks represent a deep and serious security breach:
"With these glitches, if there's any way an attacker can execute code on a machine, it can’t be contained anymore. For any process that’s untrusted and isolated, that safety is gone now. Every process can spy on every other process and access secrets in the operating system kernel."
Prior to the official revelation of Meltdown and Spectre on Wednesday, Erik Bosman (Vrije Universiteit Amsterdam's VUSEC security group) successfully reproduced one of the Intel attacks, which take advantage of a feature in chips known as speculative execution.
Speculative Execution
In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true: that feature is known as speculative execution and, in a nutshell, it works in the following way.
When modern Intel processors execute code and come to a point in an algorithm where instructions branch in two different directions, depending on input data—whether there's enough money in an account to process a transaction, for instance—they save time by "speculatively" venturing down those forks. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.
"The processor basically runs too far ahead, executing instructions that it should not execute".
Attack Methods
Browser-specific countermeasures
Fixes and Patches
ARM public relation director Phil Huges also released a statement about that:
"I can confirm that Arm have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory."
Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. "We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers," the company said in a statement. "We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
Linux developers have already released a fix, while Apple has not released a public statement yet.
A costly workaround
It goes without saying that better isolating the kernel memory from unprivileged memory will most likely affect performance. The impact will heavily vary, depending on the process workload and the type/age of the CPU involved (newer processors are likely to experience less significant slowdowns): it's really hard to predict how much speed an average machine will lose until the patches will roll out.
However, a thing is for certain: considering the amount of malware available today, we'll gladly accept such performance impact to better secure our environment.