by Moe Janmohammad, GDT Cybersecurity Analyst
2017 was one of the worst years on record for data breaches, computer vulnerabilities and malware attacks. Based on the first four days of 2018, those numbers might be eclipsed after security researchers uncovered a few vulnerabilities in virtually all processors made since 1995. The two vulnerabilities are Meltdown, which has been isolated to only Intel chips, and Spectre, which affects all modern chipsets.
How does it work?
In modern computer architecture, the kernel, which is the central part of an operating system, controls, well, everything. It allows access to system resources by controlling low level hardware, such as programs run by users in a restricted “permission only” environment, also known as Userland. The kernel prevents an application from modifying other applications’ memory stacks, or even modifying the its own memory stacks. The CPU provides hardware support to separate Userland from kernel, so programs won’t be able to take over the kernel and threaten security.
The CPU hardware relies on privilege levels, commonly known as rings, ranked in privilege from 0 – 3; Ring O is the most privileged, 3 the least. In an ideal, secure world, Ring 0 can modify processes running in higher rings, but not vice versa. The processor will block Ring 3, or Userland, applications from accessing kernel memory in Ring 0. Userland applications are not even allowed to see details regarding memory, the allocations, or the address space because all of those could leak critical details about the system and compromise security.
How does Meltdown work?
Modern CPU’s also have a technology called Speculative Execution, which occurs when a processor anticipates what the next few instructions are supposed to accomplish. It then breaks them into smaller instructions and executes them in a (potentially) different order than the program intended. Most instructions are computationally independent, so the order in which they’re run should not matter. In some instances, a speculatively-executed instruction will reference the CPU’s memory cache, instead of the memory space referenced in the instruction, creating a potential side channel that could leak address spaces in Ring 0. Accessing CPU cache is significantly faster than pulling it from the chips, so the shortcut for common values can mean a significant increase in performance at the risk of security.
Basically, if the operations are run out of order, a later instruction that accesses restricted information could be run first, then store that restricted memory in the CPU cache. An earlier instruction that may not have access to that section of memory can now read it clearly in the CPU cache. It breaks down the most fundamental isolation between userland and kernel memory.
How does Spectre work?
Spectre regards multiple vulnerabilities, all of which are completely unprecedented and are a result of the way modern chips are designed. The public won’t have a complete fix until the next generation of chips are released. It is significantly more difficult to exploit, and equally difficult to fix. Spectre is a completely new class of attack, and no one is certain of the extent of the full security consequences. As well, defending against Spectre is not fully understood. Software and CPU microcode can only fix so much, and are only band-aid solutions at present.
What does this mean?
The vulnerabilities require local access to the machines, meaning an attacker must already have access and privilege to execute code on the machine.
These are information disclosure vulnerabilities, meaning that memory cannot be modified, only read. They cannot force code execution and cannot overwrite Ring 0 memory.
The main concern is shared hosting environments, where multiple users are hosting multiple virtual machines on shared hardware. Breaking out of virtualized machines and attacking the underlying hypervisor has always been difficult, but these vulnerabilities may make that task easier. One attacker with an account on shared server hardware could collect information on other users, and over time build a better profile for a future attack. Cloud service providers like Amazon, Microsoft, and Google have updated their hosting servers’ underlying OS and are monitoring the performance degradation (to date it has been extremely minimal).
How can I guard against Meltdown and Spectre?
As Tom Petty wrote, “The waiting is the hardest part.” And that’s what you’ll have to do—wait for patches for all other devices to roll out. These vulnerabilities were supposed to be published later this year, but were leaked early. All vendors are in the process of rolling out updates to mitigate these vulnerabilities. However, not all have had time to fully test these updates. Just make sure—as in make certain!—that all users keep their devices up-to-date with the latest OS and security patches.