In the wake of yesterday’s news and speculation about a serious design flaw in Intel processors, the security researchers involved in discovering the issue and the companies affected have started releasing details about it and about their mitigation efforts.
As it turns out, there are two separate attacks that can result in exploitation of different issues:
- Meltdown – exploits CVE-2017-5754, and can lead to rogue data cache load
- Spectre – exploits CVE-2017-5753 and CVE-2017-5715, and can trigger a bounds check bypass and branch target injection, respectively.
For more in-depth technical details about these attacks you can check out these papers and this blog post by Jann Horn, Google Project Zero researcher, who was one of the several researchers who unearthed and reported the issues.
But, in short:
Meltdown breaks the isolation between user applications and the operating system, by exploiting side effects of out-of-order execution on modern processors. This allows a program to access the memory and, therefore, the secrets (including personal data and passwords) of other programs and the OS.
Spectre breaks the isolation between different applications by exploiting processors’ speculative execution capabilities. It allows attackers to trick applications into accessing arbitrary locations in their memory and leaking their secrets (passwords, encryption keys, or sensitive information open in applications).
Which products and companies are affected?
Intel has released a statement saying the issues do not affect just their processors, but also AMD’s and Arm’s.
A more nuanced overview is as follows:
- Meltdown, as far as we known, affects Intel processors, i.e. every Intel processor which implements out-of-order execution, which effectively means every processor since 1995, except Intel Itanium and Intel Atom before 2013. It also affects the Cortex-A75 Arm processor.
- Spectre affects Intel, AMD and Arm processors, i.e. “all modern processors capable of keeping many instructions in flight.” The list of affected Arm processors can be found here and, according to the researchers, AMD’s Ryzen family of processors is affected, as well as the AMD FX and AMD Pro ones. (AMD’s comment on the issues can be found here.)
Meltdown can affect desktop, laptop, and server computers, as well as cloud providers that use Intel CPUs and Xen PV as virtualization, and those that rely on containers that share one kernel, such as Docker, LXC, or OpenVZ. Spectre can affect desktops, laptops, cloud servers, and smartphones.
Solving the problem
Chris Morales, head of security analytics at Vectra, expects that any operating system using impacted Intel processors will have to be rewritten to completely separate user memory space from the kernel memory space. In the meantime, the Meltdown issue can be solved with software patches, and the major OS developers are already on it.
A patch has already been implemented in the Linux kernel, and the various organizations that develop distributions based on it are furiously working on and pushing out updates. (It has been noted that there have already been recorded slowdowns in application performance due to the patch.)
Microsoft is expected to push out the relevant patches to the general user population on Tuesday (Windows Insiders already received them in November), and it seems that Apple has quietly provided patches in macOS 10.13.2 update, released in December.
Cloud services running Intel-powered servers, like Microsoft, Amazon, and Google are also in the process of implementing the patches, as the bug can impact virtual and cloud environments that load entire systems in memory, and could expose workloads to other systems and applications that share the same hardware.
Google has a helpful post that summarizes which of its products are affected, how they are solving the problem, and provides more info on actions expected from users/customers.
Spectre, according to the researchers, is harder to exploit than Meltdown, but it is also harder to mitigate. It is possible to prevent specific known exploits based on Spectre through software patches, they say, but the fix will not be easy.
They proposed several mitigation options, but noted that “any software or microcode countermeasure attempts should be viewed as stop-gap measures pending further research.”
“As the attack involves currently-undocumented hardware effects, exploitability of a given software program may vary among processors,” they say, and note that there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors.
“A great deal of work lies ahead. Software security fundamentally depends on having a clear common understanding between hardware and software developers as to what information CPU implementations are (and are not) permitted to expose from computations,” they pointed out.
“As a result, long-term solutions will require that instruction set architectures be updated to include clear guidance about the security properties of the processor, and CPU implementations will need to be updated to conform.”
While there is currently no indication that Meltdown or Spectre attacks have been mounted in the wild, they also might be difficult to stop as, the researchers noted, “exploitation does not leave any traces in traditional log files.”
Also, worryingly, Mozilla software engineer Luke Wagner stated that their internal experiments “confirm that it is possible to use similar techniques from Web content to read private information between different origins.”
Comments from the security community
“While the security research community continues to find and report flaws like this, we must assume there are many more they did not find that attackers may already know about and have exploited,” Morales noted.
“Every organization needs to assume that perfect prevention is not possible, exploits will always exist and breaches will occur. With this mindset, even with perfect patching, organizations need to focus their efforts on finding the attacker behaviours that occur after a flaw is exploited and before the attacker succeeds in stealing information or causing damage to the organisation.”
Joseph Carson, Chief Security Scientist at Thycotic, says that enterprises will have to weigh the negative effects of system slowdowns and unavailability against those of a possible attack exploiting these flaws, and make a decision on how and when to patch systems.
“The systems at higher risk are those that are internet connected, meaning they are easily accessible by cybercriminals and those systems used by employees, who regularly use them for browsing the internet, so these systems should be the priority for any organisation that takes cybersecurity seriously,” he noted.
“Organisations concerned about the possibility of passwords and login keys being exposed, should consider using a password management solution. Even if a cybercriminal exploited this security flaw, the password or login key exposure would be short lived as an enterprise password management solution could continuously rotate passwords regularly to ensure any compromise would be short lived.”
Interestingly enough, a solution for removing all risk, proposed by the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University, is to replace the vulnerable CPU hardware in order to fully remove the vulnerabilities. While ideal, this will not be an option for many individual and enterprise users due to cost.
Another interesting piece of information is that the vulnerabilities have been disclosed to the affected chipmakers and OS sellers in June 2017, and Intel CEO Brian Krzanich knew about them when he arranged for $24 million in company stock he held to be sold in late November.
UPDATE: Microsoft has pushed out out-of-band security updates with mitigations for this class of attacks, and has promised to continue to evaluate the impact of these CPU vulnerabilities, and introduce additional mitigations accordingly in future servicing releases.
UPDATE #2: Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems – including personal computers and servers – that render those systems immune from both exploits.