What Meltdown and Spectre mean for CPU Security

Last week, Intel made headlines when it was reported by the Register that a security flaw in its processors forced Windows and Linux programmers to redesign their kernels. The news sent Intel stock plummeting and the cybersercurity community into a panic as further details of the extent of the vulnerability were revealed.

Since the initial news broke, several independent teams of academic and industry security researchers from around the world, among them Google’s Zero Project, confirmed they have identified three possible attacks that could exploit processors’ design security flaws.  These were dubbed Spectre (variant 1 and 2) and Meltdown (variant 3).

Google had identified and informed affected companies about the possibility of Spectre attacks as early as June 2017 and Meltdown towards the end of July 2017, but chose not to make the information public to allow companies to build patches before hackers got wind of the vulnerabilities.

What is Meltdown and how can it be fixed?

Meltdown, is the flaw initially reported by the Register, which is known to affect Intel CPUs manufactured since 1995, except Itanium server chips and pre-2013 Atom processors as well as the ARM Cortex-A75. Meltdown can be exploited by normal programs, such as JavaScript in web browsers and database applications, to read the contents of private kernel memory. It does this by overcoming the kernel space/user space memory isolation barrier of x86 architecture and exploiting side-channel information made available by the cache after speculative execution of a prepared instruction stream executed out-of-order.

Luckily, Meltdown is a vulnerability that can be fixed through patching and some of the industry’s biggest players have been preparing for it since security researchers first warned them of it in June 2017. Apple has already partially done it through the iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates by altering existing programming requirements related to the kernel memory data and more fixes will be added to future updates. watchOS was their only product not affected by the flaw.

For Windows and Linux, patches took a Kernel Page-Table Isolation or KPTI approach, by splitting page tables, until now shared between user and kernel space, into two sets of tables, one for each side. This is a fundamental change to how the kernel’s memory management works, one that has proven controversial due to estimates that machines applying them would take a 5 to 30% speed hit.

Cloud providers have taken Meltdown seriously as well, with Amazon Web Services, Google Cloud, and Microsoft Azure all deploying patches against it despite no clear indication that this type of attack could be used against them.

Intel, AMD and other vendors are also releasing firmware updates that will work with OS and software patches to rectify the vulnerability.

The Spectre that will haunt CPUs for years to come

The two types of attacks falling under the umbrella of Spectre, according to the researchers that discovered them, break the isolation between applications and trick otherwise error-free programs into leaking sensitive information. They can affect most modern processors with support for speculative execution manufactured by Intel, AMD and other vendors.

• Variant 1 or the bounds check bypass mainly targets information found within browsers and applications, by arranging code to execute speculatively and read data it should not into the system cache from where it can be retrieved using a side-channel attack. This variant can be dealt with by applying countermeasures at individual software binary level.
• Variant 2 or branch target injection, can be used to exploit the boundary between the operating system kernel and a hypervisor, or between different virtual machines running on the same hardware. By manipulating branch predictors to run privileged code over the code it should be executing in the hypervisor, access can be gained to trusted hypervisor data that can then be extracted via a side channel. It therefore poses a great risk to private and public clouds. However, this variant can be fixed by a CPU microcode update from CPU vendors or by applying protection such as Retpoline to vulnerable binaries.

The Spectre attacks are harder for hackers to exploit, as, according to Google, those using them can only read kernel memory at the rate of 1500-2000 bytes/second, making it possible to get only about 130 to 173 MB of data/day.

Due to the changes that need to be applied directly at application level, Spectre’s Variant 1 has proved the most troubling to security specialists and developers. While software build from now on may very well take into consideration this vulnerability from its design phases, every software already out there will have to issue an update to ensure it cannot be exploited through it.

Crisis (Partially) Averted

The biggest problem with both Meltdown and Spectre attacks is that they are untraceable as, given their implementation, they leave no traces in traditional log files. It is therefore impossible at the moment to assess whether an attack has or has not taken place, although Proof of Concepts have been made available proving that they can be executed.

While big tech companies have stepped up and acted promptly to mitigate the crisis as soon as the news broke, most of the patches they released were aimed at processors manufactured within the last five years and the latest OS versions. What this will mean for computers running on older Intel processors – this was, after all, a vulnerability going back 20 years – remains to be seen.

Intel claims that its latest software and firmware updates will make systems running on its processors immune to both Meltdown and Spectre attacks, but security analysts have been skeptical about the statement, fearing the company, scrambling to pick up its falling stock and too eager to reassure its investors, might be claiming victory too soon.