Meltdown and Spectre: what we know about the vulnerabilities in CPUs?
In the last hours, the vulnerabilities of the CPU have had a great prominence even in the non-specialized press.
So, I think that would be useful trying to summarize the situation in a simple way.
Google's Project Zero releases three vulnerabilities which affect the ‘speculative execution’ technique utilized by modern processors (CPUs) to optimize performance.
These have been grouped in two separate attacks: CVE-2017-5754 which has been named Meltdown and CVEs 2017-5753 and 2017-5715, named Spectre.
What is Speculative Execution?
When a processor uses speculative execution, instead of performing tasks strictly sequentially, it predicts which calculations it might need to do subsequently, then solves them in parallel.
Using this method, CPU can wast cycles performing unnecessary calculations, but performs chains of commands much faster than if it waited to process them one after the other.
However, a flaw exists in the way modern processors are hardcoded to use speculative execution: they don’t check permissions correctly, and leak information about speculative commands that aren’t run.
User programs can possibly steal glimpses at protected parts of the kernel memory, which is memory dedicated to the most essential core components of an operating system and their interactions with system hardware.
This is supposed to be isolated from user processes at all times to prevent such glimpses from happening, and everything from passwords to stored files could be compromised as a result.
Meltdown breaks the isolation between user applications and the operating system, exploiting a privilege escalation.
This attack allows a program to access the memory, and thus also other sensitive data, of other programs and the operating system.
Meltdown only impacts Intel CPUs.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Desktop, Laptop, and Cloud computers may be affected by Meltdown.
More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).
Spectre breaks the isolation between different applications,by tricking processors into executing instructions they should not have, granting access to sensitive information in other applications’ memory space.
It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones.
More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
The vulnerabilities affect almost all modern CPUs, and therefore the devices and operating systems running on them (servers, laptops, smartphones and IoT devices).
In the worst case, code running on a device can access areas of memory it does not have permission to access, reading sensitive data, including secret keys and passwords.
This means that web browsing could lead to loss of the data held on one device, but could not lead to arbitrary code execution or modification of data.
In the event that attacker exploits the vulnerabilities, they would get only "snippets" of data from the processor that could eventually be pieced together to reveal passwords or encryption keys, so this attacks will at first probably be limited to those prepared to plan and carry out more complex attacks, and string together several vulnerabilities, rather than everyday cyber-criminals.
There are three main potential issues with patching these vulnerabilities;
- AV Compatibility issues: if anti-virus software has not been updated, deploying OS patches can result in a BSOD.
- Performance impacts: the patches are publicly-reported to cause performance impacts when deployed: the impact is minimal for individual laptops but in a range of 5-30% for servers.
- Effectiveness: There are currently no patches available to address Spectre.
Sensitive pieces of code could be amended to include "serializing instructions" that prevent most kinds of speculation from occurring.
ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several.
For more technical informations please refer to this github repository mantained by Hanno Böck: https://github.com/hannob/meltdownspectre-patches
Furthermore, here a list of what various vendors are saying to their users and customers (from https://www.grahamcluley.com/spectre-meltdown-fckwit-dont-panic/):
- Amazon AWS - Processor Speculative Execution Research Disclosure
- AMD - An Update on AMD Processor Security
- Apple - About speculative execution vulnerabilities in ARM-based and Intel CPUs
- ARM - Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
- Google - What Google Cloud, G Suite and Chrome customers need to know about the industry-wide CPU vulnerability. Note that if you're a user of Chrome or Chrome OS then it makes sense to enable Site Isolation to further mitigate against the threat.
- Google Android - Android Security Bulletin—January 2018
- Intel - Intel Responds to Security Research Findings
- Microsoft - Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
- Microsoft - Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Microsoft Azure - Securing Azure customers from CPU vulnerability
- Mozilla Firefox - Mitigations landing for new class of timing attack
- Redhat - Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
- Xen - Xen advisory
In a virtualized environment, fixes are required for both the hypervisor and guest virtual machines.
Therefore, when using Infrastructure as a Service (IaaS), you will need to update the operating systems of any virtual machines and container base images that you manage. For Platform as a Service (PaaS) and Software as a Service (SaaS), your provider should install these patches for you.
Compilers and applications
Software compilers need to be updated to protect applications from the Spectre vulnerabilities.
Once compilers have been updated, applications will need to be recompiled.