Secplicity – Security Simplified

Meltdown and Spectre CPU Vulnerabilities

On 3 January 2018, security researchers at Google, Graz University of Technology, and several other education institutions disclosed multiple vulnerabilities found in most modern Intel, AMD and ARM processors. The more severe vulnerability, Meltdown (CVE-2017-5754), appears isolated to Intel processors developed in the last 10 years. Spectre (CVE-2017-5715 and CVE-2017-5753) on the other hand, theoretically affects all processors that use speculative execution (more on that later), including most modern processors manufactured by Intel, AMD, ARM and potentially more.

Before diving in to a high-level overview of these vulnerabilities and how they work, if you are a WatchGuard customer and want to know how these vulnerabilities affect you, please see our knowledge base article on the subject. As a quick preview to that article, some of our products use affected processors, but the practical impact of these flaws is low because our products do not allow the arbitrary code execution required for exploitation.

CPU Architecture 101

Modern operating systems rely on certain security features that prevent unprivileged processes from reading the memory of other unprivileged processes or privileged processes (like the system kernel). For example, a web browser application should not be able to read the memory used by a password manager. The operating system and CPU work together to prevent unprivileged memory access by allocating individual virtual memory pools for each process, and by setting specific privilege checks like readable, writable, executable, and user-accessible for each virtual-to-physical memory mapping. If an unprivileged process attempts to access a memory mapping that it should not have access to, the CPU raises an exception and process execution is halted.

Modern CPUs also use a feature called “speculative execution” which is a form of pipelining where multiple processing instructions are executed in parallel instead of sequentially. If no issues occur during execution of the instructions, the CPU saves time by having results ready to go as needed instead of having to wait for each instruction execution to complete before moving on to the next. However, if any exceptions occur during one of the instruction executions, the instructions that take place after the exception are discarded.

The Meltdown Vulnerability

The authors of the Meltdown vulnerability discovered that they could exploit this speculative execution feature in Intel CPUs to create a side-channel attack capable of reading arbitrary memory locations used by other processes and even the system kernel itself. The researchers found that even though the CPU correctly discards the result of instructions that logically take place after an exception (which were executed in parallel with the instruction that caused the exception), the CPU still caches the result. An attacker could then use a side channel attack, such as FLUSH+RELOAD, to read the cached result.

The attack method described in the Meltdown white paper is novel, and can be exploited using high-level programming languages like C or potentially even JavaScript. In the paper’s example, the attacker first allocates a “probe” array of 256 x 4096 bytes (assuming a typical 4KB page size). This array size equates to the 256 different possible values of a single byte of memory.  The attacker then attempts to read a single byte of privileged memory, multiply the memory’s value by 4096, and then use the result to index the probe array. Because of speculative execution, the memory read, multiplication, and array index instructions all likely finish before the exception is generated for the privileged memory access. Even though the results are wound back, the array index is still cached by the CPU. A separate process can then use a FLUSH+RELOAD attack to iterate over the full probe array and identify which index was accessed by comparing return times. The cached index should return significantly quicker than the rest of the uncached array. The attacker can repeat this process to read the entirety of the system’s memory (or almost all of it depending on the operating system) at a rate of about 502 KB/s.

Takeaways

Long story short, exploiting Meltdown allows an attacker to read sensitive information directly out of memory, potentially including passwords and cryptographic keys. The sister vulnerability, Spectre, uses similar attack methods but can only read memory from other unprivileged processes, not the operating system kernel. Furthermore, Spectre attacks must be custom-tailored for each target’s own software environment, rendering it even more difficult to exploit successfully. Spectre however, theoretically affects all processors that use speculative execution which includes most modern processors made by Intel, AMD, and ARM.

As of this writing, patches are starting to trickle out from most major operating system vendors. The fix for Meltdown is expected to impact performance on Intel-based systems by anywhere from 5% to 30%. It is possible that later updates may mitigate some of the performance impacts however, once the critical vulnerabilities have been resolved. Keep an eye on your operating system vendor’s security updates or the Meltdown FAQs for more information on how to patch your computer. –Marc Laliberte