What We Know So Far About Meltdown And Spectre, The Devastating Vulnerabilities In Modern CPUs

This week, news of massive security vulnerabilities afflicting every modern model of Intel processor went public, even as developers for practically every major platform frantically rushed to roll out fixes. Much more information has now become available about Meltdown and Spectre, a group of attack methods malicious parties could use to break into some of the most sensitive inner workings of any device using the affected CPUs.

Here's what we know so far.

What's the problem?

Photo: AP

In 2017, Google's Project Zero team in collaboration with researchers at a number of different universities identified an absolutely massive problem with speculative execution, one of the techniques employed in modern microprocessors as a way of improving performance.

Essentially, when a processor uses speculative execution, instead of performing tasks strictly sequentially, it predicts which calculations it might need to do subsequently. It then solves them in advance and in parallel fashion. The result is that the CPU wastes some cycles performing unnecessary calculations, but performs chains of commands much faster than if it waited to process them one after the other.

However, there's a serious flaw in the way modern processors are hardcoded to use speculative execution - they don't check permissions correctly and leak information about speculative commands that don't end up being run. Whoops.

As a result, user programs can possibly steal glimpses at protected parts of the kernel memory. That's memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it's supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.

According to a release by the Graz University of Technology, the researchers have identified three potential attack methods: Meltdown and Spectre, which is two separate vulnerabilities.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

...

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

As ZDNet wrote, a worst-case scenario is that a low-level user could run JavaScript code hosted on a webpage and gain access to kernel memory. As TechCrunch noted, another worst-case scenario is users on cloud services that share hardware resources being able to peek on other clients' operations.

There's no way to truly fix Meltdown or Spectre on the hardware level. It can't be fixed with a microcode update.

But researchers can rewrite OSes and other platforms to work around the error by severing kernel memory entirely from user processes with a process called Kernel Page Table Isolation -- though as the Register noted, the cost might be processors working up to five to 30 per cent slower depending on the model and task. Cloud-based services like Amazon and Google servers are likely to be the hardest hit, while it's possible the impact on home users could be negligible. Meltdown is more easily patched than Spectre, which security researcher Daniel Gruss told ZDNet is "going to haunt us for years."

Intel CEO Brian Krzanich told CNBC that Google alerted them of the flaw some time ago, but it leaked ahead of time because "Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw."

Who's impacted?

Photo: AP

Since this is a hardware bug, everything running on affected processors is vulnerable including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers.

Originally, the Register reported, only Intel processors (which dominate the U.S. market) were believed to be subject to the flaw. But it's become clear that a wide range of processor types could be affected, with Google writing that AMD, ARM, and other devices were also vulnerable -- though only partially and with less performance impact following a fix than Intel-based devices.

In a statement to Gizmodo, AMD said that of the three attack variants, one was easily resolved with "negligible performance impact," while the others have "near zero risk" or "zero risk" due to "architecture differences."

ARM told Gizmodo that it has been working "together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This is not an architectural flaw; this method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory."

Qualcomm did not immediately respond to a request for comment.

On the mobile side, per Reuters, it's unclear whether Apple needs to patch the OS running on iPhones and iPads. According to ZDNet, many Android devices are likely impacted but "given the failure or tardiness of many Android vendors to update their devices with security updates, many on the mobile operating system are likely to remain vulnerable until a new phone is purchased."

What are companies doing about it?

Photo: Getty Images

Companies are rushing to patch platforms. Per Axios, Microsoft has already patched Windows 10 and will release patches for Windows 7 and 8, Amazon Elastic Compute Cloud is already mostly secured, AMD is still investigating, and ARM is still working on how to address the issue. Apple did not respond to Axios' request for comment, though security researcher Alex Ionescu tweeted it is working on a fix for its desktop-based macOS.

"We've found no instances of anybody actually executing this exploit," Krzanich told CNBC. "... I mean, it's very hard -- we can't go out and check every system out there. But when you take a look at the difficulty it is to actually go and execute this exploit - you have to get access to the systems, and then access to the memory and operating system - we're fairly confident, given the checks we've done, that we haven't been able to identify an exploit yet."

WATCH MORE: Tech News


Comments

    NSA.... maybe this is a backdoor for them someone stumbled upon.

    I think Intel's last statement is head in the sand level ignorant. The JavaScript to exploit spectre is literally 2 simple lines of code. Easily implemented into a complete malicious attack.

      I'm not sure on what Gizmodo's policy is on publishing example malicious code when its already published everywhere? Admins feel free to delete the comment if you think it's inappropriate.

      Here is an example of exploitable code:

      Code:
      if (x < array1_size)
      y = array2[array1[x] * 256];

      In this example, the variable x contains attacker-controlled data. The if statement compiles to a branch instruction, whose purpose is to verify that the value of x is within a legal range, ensuring that the access to array1 is valid.

      For the exploit, the attacker first invokes the relevant code with valid inputs, training the branch predictor to expect that the if will be true. The attacker then invokes the code with a value of x outside the bounds of array1 and with array1 size uncached. The CPU guesses that the bounds check will be true, the speculatively exe-cutes the read from array2[array1[x] * 256] using the malicious x. The read from array2 loads data into the cache at an address that is dependent on array1[x] using the malicious x. The change in the cache state is not reverted when the processor realizes that the specu-lative execution was erroneous, and can be detected by the adversary to find a byte of the victim’s memory. By repeating with different values of x, this construct can be exploited to read the victim’s memory.

      edit: Source = https://spectreattack.com/spectre.pdf

      Last edited 05/01/18 10:25 am

        Its an interesting exploit, its certainly a bitch (hardware holes are the bomb of hacks, look at the xbox 360 glitch hack, unpatchable...), but looking at it mark it would be damn hard to "target" info do you think? I mean, sure I can dump a tonne of kernel memory, but its always a turkey shoot as to whether I get any "usable" data (passwords etc)?
        Cheers

          Spectre you cant target info, but slowly retrieve it. Meltdown is a data dump. Basically if you know what you're doing, you can trigger the data you want to be loaded into protected memory then retrieve it. From here you get the keys to the kingdom.

            Ok, so with Meltdown I can target, but I still have to be inside the OS's application domain boundary (as I can only access physical memory that has been mapped by the OS). But it isn't a propagating hack, it isn't using a flaw in the system (buffer overrun etc) to cause something to fail and let me spread executable code from one host to another. Basically I would need to write an application, and the user would have to "execute" it in some fashion for me to start accessing memory without any auth. So I'm assuming the "real" target of an attack like this would be VM based (ESXi etc) cloud systems, from here I could access an entire VMs core memory...fark! I can see why Amazon would be shitting. I noticed on VMwares security board that for the OS patches to be effective, you also need to patch the hypervisor... ;)

              Both JavaScript & C code has been reported.

              Yeah cloud vendors are doing the standard "Nothing to worry here. Move on" spin.

    Can't someone find some sort of exploit that can't be fixed with software, forcing OEM's to replace millions of devices, so that I can score a new laptop to replace my 5yo MacBook Pro..?

      Look ricky, if you want a new Mac Pro, go to the bank and take out a 25 yr loan like everyone else ;)

    I've got to say these articles are pretty misleading, still. Putting the blame entirely on Intel when even AMD and ARM processor manufacturers have confirmed they have the same vulnerability to the speculative execution: spectre variants.

    For AMD see: https://www.amd.com/en/corporate/speculative-execution
    For ARM: see: https://developer.arm.com/support/security-update

    For those who haven't read the report.

    3 variants of the same vulnerability have been found. 2 are used in one called spectre, the other variant is called Meltdown. Meltdown is unique to Intel processors and the easiest to exploit and as such is considered the "worst" however they are all equally bad.

      Exactly.

      The Meltdown vulnerability relates specifically to Intel and ARM processors (excluding some Itanium and Atom-based processors).
      It allows rogue processes access to mapped memory - this can be patched by OS' maintainers and future CPU architecture improvements.

      Spectre affects Intel, AMD and ARM CPU's, exploiting the 'speculative execution' feature which modern processors utilise to improve performance.
      It's going to be a 'per application' approach to address this issue, possibly some rearchitecting at the processor level.

      Both are terrible flaws, though Spectre is significantly worse due to it's ability to read contents within memory with low-level access rights via a rogue website or JavaScript code; think of cloud instances, virtual machines, web browsers, apps, computers, smartphones, tablets, etc...

      I could put my tin foil hat on and say how many articles has giz run about the new gen Intel chips compared to ryzen series AMD.

    ...and there's no known exploits, so let's panic and spread details all over the web on how it supposedly 'might' be possible. Sounds more like some failed engineer in Google trying to make a reputation for himself.

Join the discussion!