New Security Bugs in Town – Meltdown & Spectre

Introduction

There have been a lot of buzz around two new processor vulnerabilities called Meltdown & Spectre. In this post, we will discuss what these vulnerabilities are, how these can be exploited and mitigating controls.

  1. Meltdown (CVE-2017-5754) – This vulnerability breaks the information barrier between a user program and operating system. Meltdown vulnerability allows a program to read kernel memory, and thus also the secrets of other programs and operating system by exploiting branch-prediction logic of the processor. Modern processors are always running huge numbers of instructions in a pipeline of activities, without waiting for previous instructions to complete, to maximize performance and execution speed. When processor discovers a code sequence, it executes the code in a sequence of instructions, followed by jump to further instructions. The jump could be unconditional or conditional (if, for, while loops). If jump is unconditional then processor, simply reads instructions line by line and executes simultaneously. However, in case of conditional jump, instead of waiting for jump condition to complete, processor makes a guess of the result of jump condition and when the condition eventually resolves, processor can go back and verify the guess. In case of a wrong guess, processor cancels all wrong instructions.
    If there is a sequence of instructions to read memory addresses from the wrong branch taken from jump condition due to branch-prediction and the first instruction reads an invalid or non-existing memory address then the processor must callback further instructions which are dependent on first instruction, first instruction and the wrong branch-prediction. If first instruction is to read privileged memory address (kernel memory) and further instructions are based on content of first instruction, when processor calls back wrong branch and corresponding instructions, processor’s memory can leak values from privileged memory address. By repeating this several times, a large portion of values from privileged memory can be leaked.
  2. Spectre (CVE-2017-5753 & CVE-2017-5715) – Spectre vulnerability is similar to Meltdown but allows a process to reveal its own data by exploiting side-effects of branch-prediction feature of modern processors instead of snooping on kernel memory. There are 2 variations of the vulnerability has been identified – bounds check bypass (CVE-2017-5753) and branch target injection (CVE-2017-5715).
    Bounds check bypass works with JIT engines used for JavaScript. A website can read data stored in the browser for another website, or the browser’s memory itself by memory leak via cache memory.

Vulnerability Scope

  1. Meltdown – Standalone desktops, laptops, servers, cloud platforms (such as – hypervisor) are affected by Meltdown. Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Meltdown has been verified on Intel processor generations released as early as 2011 but for AMD and ARM processors it is still not verified.
  2. Spectre – Almost every system is affected by Spectre – desktops, laptops, servers, cloud platforms, as well as Smartphones. Spectre has been verified on Intel, AMD, and ARM processors.

Mitigation

Since vulnerabilities exist in processor rather than software, software patches released by different vendors may not fully address all exploit scenarios. All major vendors have released software patches, a list of such vendors and patch details can be found on US-Cert portal. A performance degrade has been observed after applying the patch. This change is unnoticeable in case of standalone systems however, considerable in case of critical applications and services.

References

  1. Meltdown exploit demo (spying on passwords) – https://youtu.be/RbHbFkh6eeE
  2. PoC exploit codes are available at –
    https://github.com/paboldin/meltdown-exploit
    https://github.com/HarsaroopDhillon/SpectreExploit

We offer security configuration review services for organizations to identify missing security configurations and establish mitigation steps and strategy. Please visit Cloud Security section in Service Offerings or Contact Us to hear more from us.