The Spectre and Meltdown vulnerabilities that we learned about this week affect pretty much every microprocessor used in our computing platforms (mobile, desktop, server, embedded). Reality is somewhat more unbelievable than fiction!
Both vulnerabilities involve the mechanisms that CPUs implement to optimize performance, that is, to reduce their idle time, together with their caches. Spectre involves speculative execution driven by branch prediction (see below), and Meltdown involves out-of-order execution, in which the CPU rearranges the order in which instructions run (see below). As a result, side-channel attacks can extract data from the CPU cache, so that one process can spy on other processes and an application can access information it should not.
There are three variants of these vulnerabilities:
- Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
- Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
- Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load
In more detail, using the notes from the CERT …
Spectre
“Spectre attacks take advantage of a CPU’s branch prediction capabilities. Modern CPUs include a feature called branch prediction, which speculatively executes instructions at a location that the CPU believes it will branch to. Such speculative execution helps to more fully utilize the parts of the CPU, minimizing the time waiting, and therefore improving performance. When a branch is successfully predicted, instructions will retire, which means the outcomes of the instructions such as register and memory writes will be committed. If a branch is mispredicted, the speculatively-executed instructions will be discarded, and the direct side-effects of the instructions are undone. What is not undone are the indirect side-effects, such as CPU cache changes. By measuring the latency of memory access operations, the cache can be used to extract values from speculatively-executed instructions.
With both variants of the Spectre attack, the impact is that a process may leak sensitive data to other processes on a system. Spectre may also allow one part of an application to access other parts of the same process memory space that would otherwise not be permitted.”
There is no patch for Spectre. CPUs have been designed with branch prediction and speculative execution for over 20 years. Spectre affects Intel, AMD, and ARM processors.
Spectre was found by:
- Google Project Zero (Jann Horn)
- Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
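A worked illustration of variant 1 (bounds check bypass), added here and not part of the original post or the CERT note: the vulnerable bounds-check shape next to a branchless index mask in the style of the Linux kernel's array_index_nospec(), which keeps even a mis-speculated load inside the array. The names array1, victim_lookup, array_index_mask and victim_lookup_hardened are hypothetical, and the array contents are constructed; this is a code-level mitigation for one pattern, not a fix for the hardware.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
/* Constructed sample data standing in for an array that sits next to secrets. */
static const uint8_t array1[ARRAY1_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Vulnerable shape (variant 1). Architecturally the branch protects the load,
 * but while the CPU is still resolving idx < ARRAY1_SIZE it may speculatively
 * execute array1[idx] for an out-of-range idx, and the cache keeps a trace of
 * that access even after the mis-speculation is rolled back. */
uint8_t victim_lookup(size_t idx) {
    if (idx < ARRAY1_SIZE)
        return array1[idx];
    return 0;
}

/* Branchless mask in the style of the Linux kernel's array_index_nospec():
 * all ones when idx < size, zero otherwise (valid for size <= SIZE_MAX / 2).
 * It depends only on data, not on the branch outcome, so it stays correct
 * while the CPU is speculating down the wrong side of the check. */
size_t array_index_mask(size_t idx, size_t size) {
    size_t t = idx | (size - 1 - idx);          /* top bit set iff idx >= size */
    size_t oob = t >> (sizeof(size_t) * 8 - 1); /* 1 if out of bounds, else 0 */
    return oob - 1;                             /* SIZE_MAX in bounds, 0 otherwise */
}

/* Hardened lookup: on a mis-speculated path the load becomes array1[0]. */
uint8_t victim_lookup_hardened(size_t idx) {
    if (idx < ARRAY1_SIZE) {
#if defined(__GNUC__)
        /* Stop the compiler from proving idx < ARRAY1_SIZE here and dropping
         * the mask; the kernel does the same with OPTIMIZER_HIDE_VAR(). */
        __asm__ __volatile__("" : "+r"(idx));
#endif
        idx &= array_index_mask(idx, ARRAY1_SIZE);
        return array1[idx];
    }
    return 0;
}
```

Both lookups return the same values for in-range and out-of-range indices; the difference is only in what a speculatively executed load can touch.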
Meltdown
“Meltdown is related to the Spectre attack in that it also uses a cache side channel to access data that otherwise wouldn’t be available. The main difference is that it leverages out-of-order execution capabilities in modern CPUs. Like speculative execution due to branch prediction, as used by Spectre, out-of-order execution on a CPU is a technique for ensuring fullest utilization of the CPU’s parts. Although instructions may appear sequentially in the machine language, a CPU that supports out-of-order execution may execute instructions in a non-sequential manner, which can minimize the time that a CPU spends idle.
The impact of Meltdown is that a process running in user space is able to view the contents of kernel memory.”
Meltdown affects Intel CPUs. A patch is possible; it should not affect the performance of personal computers but might affect the performance of cloud application providers. All operating system vendors (Linux, Apple, Google, and Microsoft), as well as most cloud providers (Amazon, Google, Microsoft…), have announced software updates and mitigation steps.
Meltdown was found by:
- Google Project Zero (Jann Horn)
- Cyberus Technology (Werner Haas, Thomas Prescher)
- Graz University of Technology (Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz)
To dive deeper
- Graz University of Technology
- Google Project Zero
- Cyberus Technology
- CERT Vulnerability Note VU#584653
In addition, two good articles from the Linux and Raspberry Pi community:
Note: The picture above shows the logos of Spectre and Meltdown.
Copyright © 2005-2018 by Serge-Paul Carrasco. All rights reserved.