
Meltdown and Spectre: Vulnerabilities in Modern Computers

02/02/2018

We’ve begun the new year with a lot of patching and discussions about our computers’ security. The names given to the current vulnerabilities are “Meltdown” and “Spectre”. One might ask why these vulnerabilities are so newsworthy. Usually we just install software patches and the problem goes away… Right?

Vulnerable CPU

The issue with this current set of vulnerabilities is that they exploit how our modern processors work. Unlike software-based attacks, these hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. The problem is therefore very low level and lies in the CPU hardware architecture itself.

While programs are typically not permitted to read data from other programs, a malicious program can exploit these vulnerabilities to get hold of secrets stored in the memory of other running programs. This might include passwords, photos, emails, instant messages or other critical documents.

What’s the difference between Meltdown and Spectre?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, so that applications can read system memory. Spectre, by contrast, tricks other applications into accessing arbitrary locations in their own memory. Both attacks use side channels to obtain the information from the accessed memory location. Both are complex and frightening scenarios, to say the least. Let’s look at both in more detail.

Meltdown: The core details

“Meltdown” is so named because it ‘melts’ security boundaries normally enforced by hardware. Meltdown exploits the side effects of “out-of-order execution” on modern processors to read arbitrary memory locations. Out-of-order execution is a performance feature that is present in a wide range of modern processors. Intel is known to have used this feature since 2010. The attack is therefore independent of the operating system and does not rely on any other software vulnerability. In short, Meltdown enables an attacker to read memory locations of other processes or virtual machines in the cloud without the need for permissions or privileges.

Meltdown has been shown to extract passwords from the Firefox browser password manager and to successfully extract the HTTP headers of a request to a web server on Intel-based computers.

So far, Meltdown has not been successful in extracting memory on AMD and ARM-based computers. This does not mean that these CPUs are immune to the attack; rather, a more optimised version of the attack might be needed for it to succeed.

There is already a known countermeasure for Meltdown called KAISER. KAISER was initially developed to mitigate side-channel attacks against another vulnerability. However, inadvertently, it also protects against Meltdown. That said, KAISER still has some limitations in fully protecting against Meltdown, but it is the current stop-gap solution, and it is therefore highly recommended that it be deployed immediately on all systems through software patches or kernel rewrites.

Even if Meltdown is fixed completely, Spectre will remain an issue. These two vulnerabilities require different defences.

Spectre: The gruesome facts

The name “Spectre” is based on the root cause: speculative execution. Attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel attack.

Speculative execution is a technique used by modern processors to increase performance by guessing likely future execution paths and prematurely executing the instructions in them. Through Spectre, an attacker trains the processor to mispredict execution paths, so that the processor speculatively executes the instructions on those paths. This effect can then be used to leak sensitive information from the memory that these instructions accessed.

Successful implementations of Spectre have been carried out on Intel Ivy Bridge, Haswell and Skylake processors, on AMD Ryzen processors, and on several Samsung and Qualcomm (ARM) processors.

Spectre can be mitigated if speculative execution can be halted on potentially sensitive execution paths. However, this is a very challenging problem. Although speculation could be halted on every speculative execution, doing so would severely degrade performance. Static analysis techniques might be able to eliminate some of these checks.

It is also possible to disable speculative execution or prevent speculative memory reads through a microcode (BIOS) update, though this will also bring about a significant performance penalty. Any software or microcode countermeasure attempts should be viewed as stop-gap measures pending further research.
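
To confirm that the stop-gap patches described above (KAISER for Meltdown, the Spectre countermeasures) are actually in effect on a Linux system, the kernel's own status files can be read. The script below is an added example, not part of the original article; it assumes a Linux host with kernel 4.15 or later, and the function names and sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state on a Linux host.
# The kernel (4.15+) exposes one status line per issue in this directory.
SYSFS=/sys/devices/system/cpu/vulnerabilities

# Map a raw kernel status line to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # empty, missing or unrecognised
    esac
}

# Print "name<TAB>class<TAB>raw status" for the three issues in directory $1.
report_dir() {
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$1/$name" ]; then
            status=$(cat "$1/$name")
        else
            status="(no status file: kernel predates this interface)"
        fi
        printf '%s\t%s\t%s\n' "$name" "$(classify_status "$status")" "$status"
    done
}

# Number of issues in directory $1 not confirmed as mitigated or unaffected.
count_unsafe() {
    report_dir "$1" |
        awk -F '\t' '$2 == "vulnerable" || $2 == "unknown" { n++ } END { print n + 0 }'
}

# Constructed sample directory (not real output) so the script runs anywhere.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"      # PTI: KAISER as merged in Linux
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$SYSFS" ]; then
    report_dir "$SYSFS"
else
    sample=$(make_sample)
    report_dir "$sample"
    rm -rf "$sample"
fi
```

A missing or unrecognised status is counted as unsafe, so an unpatched kernel that lacks the interface is flagged instead of being passed silently.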

Conclusion

There are always trade-offs between security and performance. These two vulnerabilities have arisen from the fact that the focus of technology has always been to maximise performance, thus introducing security risks. Since the cost of insecurity is rising, these design choices need to be revisited.

We have just seen how these two vulnerabilities can be mitigated in the short-term, but not fully solved. Long-term solutions will require that instruction set architectures be updated to include clear guidance about the security properties of the processor. CPU implementations will have to be updated and changed to conform.

In the meantime, we will have to live with the fact that our current computers are not fully mitigated against Meltdown and Spectre attacks.

 

Vincent Farrugia is a network and systems manager at Deloitte Malta. For more information please visit www.deloitte.com/mt