Meltdown and Spectre: Critical processor vulnerabilities

Published
January 08, 2018

Summary

Security research from the industry and academia alike, have independently reported on a series of critical vulnerabilities found in various types of processors including chips from Intel, AMD, ARM, and ARM based processors used by Apple, Samsung, and Qualcomm. These vulnerabilities affect any computing device that uses these processors such as, personal computers, cloud systems, mobile devices and consequently most of the operating systems available. These vulnerabilities have been publicly disclosed in early January 2018 and were entitled Meltdown and Spectre. From a high-level perspective, the vulnerabilities affect the fundamental principles of isolation between user applications and the operating system, and between different applications respectively. Exploiting these vulnerabilities may permit the attacker to gain access to secret or privileged data processed by a system, such as credentials and secret keys stored on a system’s memory or on multi-tenant environments with shared virtualized infrastructure such as cloud platforms. Given the fact that the affected processors are ubiquitous, one can easily imagine the far-reaching consequences of these vulnerabilities especially in multi-layered cloud environments. These vulnerabilities require a solution also at the hardware level, but hardware updates might not be practical measures. Despite the fact that software solutions might not address these vulnerabilities (or future variations thereof) completely, they are the only way to go for the time being. Hence, until new hardware can be deployed, operating system and software vendors have been working on software based solutions and workarounds, and many of them have already provided patches. All end-users and system operators are advised to follow the guidelines provided by the operating system and software vendors to mitigate these vulnerabilities.

Background

To fully understand the vulnerabilities, a strong knowledge of modern processor and operating system architecture is required. The following part provides the basics required to understand the main concepts behind the vulnerabilities. It sheds some light on terms mentioned frequently in various articles covering the topic.

User/kernel address space: A fundamental security principle of modern processors and operating systems is process isolation. Modern processors support virtual address spaces per process. Each process is contained within its own virtual address space. Each virtual address space is divided into the user space, which can be accessed by a normal process, and the kernel space, which should only be accessed by the operating system. Furthermore, all major operating systems map the entire physical memory, into the kernel address space (Figure 1: Virtual address space, and physical adress space).

Meltdown 

Figure 1: Virtual address space, and physical address space (figure from the Meltdown paper)

Out-of-order execution: Modern processors can improve their performance by using a technique called “out-of-order execution”. As its name suggests, this feature allows them to execute instructions in a non-sequential manner, i.e. in parallel, whenever possible. As a result, they often execute instructions in parallel or before executing preceding instructions.

Speculative execution & branch prediction: Speculative execution is a feature that is available in processors according to which when a processor reaches a conditional branch and does not yet know what to do, the processor speculates which path to follow based on past decisions (using a method called branch prediction) and executes the respective instructions. If it turns out that the processor predicted the path correctly, it keeps up. If the prediction was wrong, it executes the correct instructions and discards the incorrect ones. For instance if in an e-banking application a user name is inserted, processing moves to the password cache module.

Analysis

This part provides a technical overview of the vulnerabilities, it points out their similarities and differences (see also Table 1: Meltdown and Spectre comparison below), and assesses their potential risk.

Technical overview

Meltdown: It is a vulnerability that currently affects every Intel processor shipped since 1995 (with the exception of Intel Itanium and Intel Atom before 2013), ARM's Cortex-A75 chip, and ARM based processors used by Apple. It allows unprivileged user processes to read kernel memory and physical memory, which is a critical security violation and essentially leads to privilege escalation. In other words, a malicious user able to run code (as a normal user) on a system vulnerable to Meltdown, can read the memory of other processes running on the same system, and in the case of cloud systems, the memory of other virtual machines hosted on the same system. Hence, they can read secret data, such as passwords, private keys etc. from the memory of a vulnerable system, which should not be possible.

Meltdown exploits the side-effects of a method called ”out-of-order execution”, which helps increase a processor’s performance. An attacker abusing the ”out-of-order execution” and carrying out a side-channel attack[1] can leak secret data from the kernel/physical memory of the system. According to published research, Meltdown is easier to exploit than the second vulnerability (Spectre) and the one currently receiving most of the attention. Meltdown can be addressed with patches/workarounds from operating system vendors and cloud providers.

 Spectre: It is a vulnerability that affects Intel, ARM, AMD, Apple, Samsung and Qualcomm processors (the last three use ARM based chips) and it tricks other applications into accessing arbitrary locations in their memory. This means that a malicious process exploiting Spectre can conditionally read locations of the user address space of a single process and access data it should not have access to. Hence, it can extract secret user data, e.g. passwords stored in the browser, from that target process. Spectre exploits speculative execution and branch prediction, and, similarly to Meltdown it uses a side-channel to leak secret data from a victim process. ProjectZero's proof-of-concept has suggested that (under certain circumstances) reading kernel memory is also possible. According to published research, the vulnerability is harder to exploit, and to mitigate. Additionally, it is a more general attack than Meltdown, and, currently there is no operating system level patch against Spectre as it is mostly tailored to specific processes. Finally, it is important to note that according to the researchers there is a potential remote vector for this attack through a web-based attack using JavaScript.

For the complete technical details of the vulnerabilities one should consult the corresponding papers (Meltdown and Spectre), and a detailed blogpost by Google’s ProjectZero. Currently, the three following variants comprise the two vulnerabilities: Spectre: bounds check bypass (CVE-2017-5753), Spectre: branch target injection (CVE-2017-5715) and Meltdown: rogue data cache load (CVE-2017-5754).

Vulnerability comparison

Below, we provide our comparison table of the two vulnerabilities.

Vulnerability

Meltdown

Spectre

Processors affected

Intel, ARM's Cortex-A75, ARM based chips used by Apple

Intel, AMD, ARM, (ARM based chips used by Apple, Samsung, and Qualcomm)

Method

Out-of-order execution

Speculative execution, branch prediction

Attack vector

The attacker must be able to execute code on the target system.

The attacker must be able to execute code on the target system.

Potential remote exploitation through a web-based attack using JavaScript, e.g. to attack browsers.

 

Impact

Reads kernel memory and physical memory from the user space (privilege escalation), i.e. the attacker can read secret data on the system.

In cloud systems, the attack can result in access to secret data of other tenants.

Reads the memory of a target/victim process running on the system, i.e. the attacker can leak process specific secret data.

The attack needs to be tailored to the target process.

Proof-of-concept has suggested that (under certain circumstances) reading kernel memory is possible.

The attack can also be carried out in a scenario involving a virtualised environment.

Solution

Operating system patch specific to Meltdown.

Hardware-level fixes in future products.

Software patches for vulnerable processes, e.g. browsers.

Bios/firmware updates.

Hardware-level fixes in future products.

Table 1: Meltdown and Spectre comparison

Risk/Impact

Experts argue that Meltdown and Spectre are two vulnerabilities that are most likely to be exploited in targeted attacks against specific targets, rather than in massive campaigns. It is suggested that Spectre has a potential remote exploitation attack vector, as opposed to Meltdown that requires an attacker to gain foothold on a target system first. Although there are already numerous PoCs (proof-of-concept code) available that demonstrate how the vulnerabilities can be exploited, currently there appears to be no actual exploitation spotted in the wild.

  • Since the vulnerabilities also affect cloud (multi-tenant) systems, the risk is higher for such use cases. In the cases where an attacker has monetary incentive to attack a service the risk is also high. Furthermore, system operators that use legacy software or hardware that cannot be patched are at stake as well and should consider alternative mitigation measures.
  • As far as average users are concerned, the risk will decrease once they install the respective operating system patches and software updates to their devices, e.g. personal computers, mobile devices, virtual machines etc.
  • There is a potential web-based attack vector for Spectre using JavaScript. If such an exploit becomes available e.g. with attacks against users’ browsers through malvertising etc., it could have a high impact on users.

Considerations

  • Usually, hardware vulnerabilities cannot be fixed completely with solutions at a higher level, i.e. the operating system. The patches available offer a temporary workaround that does not fix the root cause of the problem.
  • Applying the patches has an impact on the performance of the system. Microsoft published a blogpost providing insights about the performance impact of Spectre and Meltdown.
  • There have been cases where antivirus solutions caused crashes on patched systems. Therefore, Microsoft Windows systems ensure compatibility by checking with endpoint security software prior to downloading and installing any patch. This is done by setting a key in the system registry. Additionally, there have been cases where some systems with AMD processors crashed after installing the relevant Microsoft Windows updates, therefore Microsoft paused updates to AMD devices. Finally, in other cases reported, users were unable to boot their systems.
  • As of 22 January 2018, Intel recommended OEMs, cloud service providers, system manufacturers, software vendors, and end users, to stop the deployment of current versions of patches, as there were cases where system stability issues were introduced.
  • The potential performance hit has an impact on energy consumption, which translates in extra costs, e.g. for the cloud customers (Pay-per-CPU cycle).
  • Completely fixing the root cause eventually requires re-designing almost all the CPUs and replacing the old CPUs. The impact and scale of such an approach is immense.
  • Hardware flaws are for a long time on the radar of high security sectors (military, government, banking, etc.). In such highly sensitive sectors untrusted hardware is in many cases banned per law due to the risk of compromise.

Mitigation measures/recommendations

  • Users and system operators should consult their operating system vendor prior to applying security patches. Since there might be varying performance impact and/or system stability issues after installing patches, system operators should take this into consideration and assess their specific use case, before applying them.  
  • Users and system operators are advised to keep working backups prior to applying patches. It is best practice to systematically keep system backups. In this case specifically, due to reports of systems crashing after applying patches, users are advised to keep backups prior to applying patches to their systems.
  • Users should install software updates against Spectre as soon as they become available. Spectre is process specific and currently there is no patch against it on operating system level (except BIOS/firmware updates). Vulnerable software, such as browsers, will be introducing updates. Mozilla has already provided an update for Firefox introducing a workaround solution for versions 57 or higher. Google is also expected to provide a Chrome update soon.
  • Users should consider using an ad-blocker while they should always keep their anti-malware software up-to-date. Since Spectre can potentially use a web-based attack vector (JavaScript), e.g. by injecting malicious code in compromised websites or serving it through malvertising, up-to-date ad-blockers and anti-malware software can assist in blocking them.
  • Applying traditional protection measures to prevent unauthorised access into a system is always recommended and can be a first layer of defence against Meltdown and Spectre. After all, regarding Meltdown, foothold must be gained on a system before being able to carry out an attack, unless the targets are virtualised environments and services that allow unprivileged users to execute code.
  • System operators should make sure to protect systems that handle sensitive data from executing unauthorised software and from accessing untrusted websites.
  • If an organisation operates environments where code execution and or unauthorized software cannot be prevented, patches and/or software updates should be applied. It is worthy to note that such patches usually require a reboot.
  • In all cases, system operators should closely monitor their systems and networks for potential malicious activity. This is also true for those cases in which the patches cannot or have not been applied yet.
Latest update: 30/01/2018

[1] Side-channel attacks: Side-channel attacks exploit observable and measurable computational side effects to extract/infer otherwise unavailable secret information/data. Side-channel attacks are well known to be used against cryptographic operations

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information