As users continue to demand faster performance from computers, chip designers have baked in a serious design flaw that exposes a computer’s internal memory to hackers via two major security exploits, code named Meltdown and Spectre. These exploits allow an adversary to access kernel-level memory without proper security checks, potentially gaining access to passwords and other sensitive information cached in memory. Google’s Project Zero and cyber security researchers discovered these exploits six months ago and reported them to multiple chip manufacturers. In an effort to keep the malevolent actors from learning of these vulnerabilities, the researchers were asked to sign non-disclosure agreements while fixes were developed. However, The Register broke the story on 2 January 2018 before Intel and other technology and software companies were able to release the necessary patches. This chip security catastrophe has been dubbed, Chipmageddon by the MIT Technology Review.
There are two separate security bugs.
- Meltdown affects Intel and some ARM chips in laptops, desktops and servers.
- Spectre affects Intel, AMD and ARM chips not only in laptops, desktops and servers, but also smartphones and tablets.
In technical terms, both exploits are on the microarchitectural level, which means in the physical hardware design of the chips, making them challenging to fix quickly.
Meltdown and Spectre exploits explained
This exploit has been created as a result of a vulnerability in industry-wide techniques for optimizing CPU performance. Out-of-order instruction execution was developed as a way to execute instructions in a non-sequential manner to the written code to optimize performance for user applications. In principle, a set of user instructions should only have the user-space access privileges, and if one instruction attempts to perform a task at a higher privilege level than the user-space privilege, the operation is rejected and the instruction set stops.
However, in out-of-order execution, instructions that attempt to perform a task at a higher privilege level are allowed. It is only later when the processor “catches up” with the instruction performed in advance, that it identifies and rejects the illegal operation. In this exploit the code is tricked into executing the out-of-order instruction but the program flow is then redirected so the processor never actually reaches (and rejects) the illegal instruction.
Even though it is not possible to directly exfiltrate the value read illegally, by writing to cache memory based on the value bit by bit, it is possible to work out what the value was by a clever ‘side channel’ manoeuvre involving accurate timing. If a memory location was written by the illegal code, it will load faster (because it was cached) than if it was not. Bit by bit, the illegally read value can be reconstituted, and then exfiltrated.
The Meltdown exploit allows access to passwords, encryption keys and other sensitive information stored in the kernel memory. “And when you’ve stolen the keys to the kingdom, such as cryptographic secrets, you’ll probably find you can indeed corrupt, modify or delete data” (Calburn, 4 January 2018). The Meltdown exploit impacts Intel and some ARM chips in laptops, desktops and servers. A more technical explanation of Meltdown can be found in the report by the researchers, on Google’s Project Zero blog post or on a blog post by Raspberry Pi Founder, Eben Upton. “Meltdown breaks all security assumptions given by the CPU’s memory isolation capabilities”. (Calburn, 4 January 2018).
Some new articles suggest that the Meltdown vulnerability is present on modern Intel processors produced since 1995, while the researchers believe it effects Intel CPUs from 2010 onwards.
A solution, kernel page table isolation (KPTI), isolates the kernel memory from user processes. There is speculation as to whether this will slow down computers. Intel states that a slowdown is workload-dependent, meaning if you are using software that routinely interacts with the kernel memory such as database software as opposed to just checking email, you will likely experience a slowdown.
The Spectre exploit is a further expansion on the concept of running an instruction set out-of-order called, speculative execution. When an instruction set is running out-of-order and it gets to a branch in the code, it speculates on what the desired branch will be and runs these speculated instructions in advance, to save time and increase performance. This is called branch prediction. The results of the speculated branch(es) are stored in the kernel memory cache and are accessible via a side-channel attack, thus allowing data to leak out of the kernel memory address space. “Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Alternatively, it can be used by code to extract information from its own process” (Williams, 4 January 2018). The Spectre exploit impacts Intel, ARM and AMD chips in laptops, desktops, tablets, smartphones and servers. A more technical explanation of Spectre can be found in the report by the researchers or on Google’s Project Zero blog post.
“Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine” (Greenberg, 2018). Two variants of Spectre and one variant of Meltdown were discovered, shown in Table 1.
Table 1: Summary of the Meltdown and Spectre exploits.
|Variant Number||Vulnerability Number||Vulnerability Name||Exploit||Chips Affected|
|Variant 1||CVE-2017-5753||Bounds check bypass||Spectre||Intel, AMD, ARM|
|Variant 2||CVE-2017-5715||Branch target injection||Spectre||Intel, ARM|
|Variant 3||CVE-2017-5754||Rogue data load||Meltdown||Intel|
Scale of impact
Meltdown and Spectre affect numerous Intel, AMD and ARM chips on laptops, desktops, servers, tablets and smartphones. All operating systems (Apple products are affected too), internet browsers and several other commonly used applications are also releasing updates to address these vulnerabilities. Several companies agreed to release the updates on 9 January (Patch Tuesday) however some vendors have already released their patches while others are still in development. Intel’s CEO Brian Krzanich during his keynote speech at CES this week, told attendees that patches would come out within the next week contrary to previous reports they would be out on the 9th.
As the patches are slow to roll out, there is some concern that hackers will attempt to use these vulnerabilities to steal sensitive information. An unauthenticated advert on a hacking-for-sale site claims that that the hacking group Shadow Brokers can provide a Meltdown/Spectre toolkit to gather passwords or personal information for just $8,900.
MIT Technology Review suggests that about 3 billion computers, smartphones, tablets and other devices are vulnerable to Spectre, both personal and professional devices.
Intel continues to affirm that a typical workload of just checking email will not likely cause a performance decrease. However systems for enterprise workloads, data centres and cloud services that are running programs that repeatedly access the kernel memory, such as a database, are likely to see a significant performance decrease. Some researchers are estimating a 5 to 30% decrease in performance.
As patches are being rolled out to various devices and platforms affected, users of cloud services are already beginning to see an impact of increased utilization of cloud servers and degraded performance. Specific examples of reduced performance have been seen on Amazon AWS services and cloud based gaming platforms (Hern, 2018).
Intel share price saw a 2% decline after the news of these exploits broke last week. Future litigation also awaits for Intel as three class actions have already been filed in the US alleging failure to notify the public of the exploits in a timely manner and requesting compensation for the potential slowdown forthcoming with the patches. Experts also suggest that cloud providers may sue Intel for reduced performance due to patches and fixes that they are forced to make.
Meltdown example scenario
Spectre example scenario
An attacker at Company A targets a competitor, Company B, who is about to release a new gizmo 3.0 and who happens to share the same cloud service provider (CSP). The attacker is able to successfully use the Spectre exploit to leak the confidential login credentials for Company B’s R&D website where the blueprints for gizmo 3.0 are stored. This enables Company A to steal Intellectual Property from Company B. You could substitute Company A for a hacker who is interested in stealing the IP from Company B to sell on the black market.
Patches for the Meltdown exploit should be released soon, but Spectre is more challenging to fix and patches will likely be a temporary salve for the problem. Those at the greatest potential risk of a slowdown are companies who run applications that repeatedly interact with the kernel memory, such as enterprise workloads, data centres and cloud services.
These exploits have highlighted a serious security flaw that have some in the IT community wondering if a hardware redesign is necessary for future CPUs and leaving businesses with increased processing time for applications that are heavy kernel users.
Additional material contributed by Simon Ruffle, Director of Research & Innovation and Eireann Leverett, Senior Risk Researcher.
I’ve been following this topic for a long time now and just discovered your blog post. Super interesting. You clearly have done a lot of research. Please post more!