Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products.
The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.
What are Spectre and Meltdown?
We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article.
In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.
Both attacks abuse ‘speculative execution’ to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.
What is Meltdown?
Meltdown is an exploit that affects Intel CPUs at least since 2011, which leverages elements of out-of-order execution to cause a change in the cache state of a CPU, and then use that to dump contents of memory that should normally be inaccessible. It may affect many other CPUs as well, basically anything that uses OOOE, which includes all Intel CPUs back to the original Pentium Pro (excluding Itanium and Atom before 2013), and AMD CPUs from a similar time period. While the current full implementation of Meltdown does not work on AMD and ARM CPUs, there are indications that further modification of the code could allow a similar attack to work on AMD and ARM processors. The KPTI (and similar) patches that have been deployed for Windows, OS X, and Linux largely mitigate the problem, though there are still some less critical remaining concerns.
It’s important to note that many of these exploits aren’t actually new. From the whitepaper, “The fact that hardware optimizations can change the state of microarchitectural elements, and thereby imperil secure software implementations, is known since more than 20 years. Both industry and the scientific community so far accepted this as a necessary evil for efficient computing.” What has changed is that Meltdown is a working attack vector on many Intel CPUs. The good news is that all the major operating systems should already be patched to mitigate problems.
The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.
“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”
Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.
“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”
Nearly all desktop, laptop, and cloud computers affected by Meltdown.
What is Spectre?
Spectre uses a processor’s speculative execution capability and branch prediction, combined with similar approaches to those in Meltdown (eg, cache attacks like Evict+Time), to read secrets from a process’s memory. The attack involves training a branch predictor to take one path, and then after many iterations, using a branch mispredict to cause speculative execution of code that shouldn’t be run. Up to nearly 200 instructions could be run in some instances. Spectre can affect processors from AMD, ARM, Intel, and others—any processor that uses branch prediction, in theory, which is basically every modern processor—but the attack must be tailored somewhat specifically to the hardware, making it more difficult to implement.
Protecting against Spectre is also more difficult. As the whitepaper puts it, “More broadly, there are trade-offs between security and performance. The vulnerabilities in this paper, as well as many others, arise from a longstanding focus in the technology industry on maximizing performance. As a result, processors, compilers, device drivers, operating systems, and numerous other critical components have evolved compounding layers of complex optimizations that introduce security risks. As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required.”
In other words, making our processors faster has come at the cost of security, and the only real fix may end up being to slow things down.
The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.
Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.
Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”
According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.
What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.
Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.