Feb 5, 2018

Spectre and Meltdown


Spectre and Meltdown are attacks on computing systems that exploit characteristics inherent to most modern computer processors.  Specifically, Meltdown is recognized to affect Intel and ARM processors, while Spectre is known to affect Intel, AMD and ARM processors. 

Spectre allows an attacker to see private memory entries of another process while Meltdown allows an attacker to see most all information in resident memory.  This is problematic for most personal computers and mobile phones and particularly problematic in Cloud environments where resources are shared by many users.  Fortunately, many of the larger Cloud providers have acted to patch their systems and operating system providers are providing patches.   However, some assert these corrections slow computer systems down. 

HISTORY

Indications were present in the late 2016 and early 2017 timeframe that researchers were aware of at least the vulnerabilities exploited by Spectre and Meltdown.  On June 1, 2017 and July 28, 2017, Google made some of the affected hardware and software vendors aware of Spectre and Meltdown, respectively.  However, Spectre and Meltdown were not publicized until January 3, 2018, giving time for vendors to take some corrective actions.

The vulnerabilities that Spectre and Meltdown take advantage of are recognized by the following descriptions in the National Vulnerability Database:

Spectre:  CVE-2017-5715 and CVE 2017-5753 - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Meltdown:  CVE 2017-5754 - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

HOW THEY WORK

Meltdown works by exploiting the fact that many of today’s processors execute instructions out of order to enable a type of parallel processing and increase processor speed.  This type of execution is controlled by algorithms built into microprocessor chips.  As part of the exploit, Meltdown executes a request to access space in memory that is forbidden.  The targeted chip then fetches information from the forbidden memory space and temporarily stores it in a cache,  but does not return it directly to Meltdown.  Because the targeted data is forbidden to user processes, information on where in the cache to find the data is not provided to user processes.  Meltdown has to find the targeted data in the cache which is like finding a needle in a haystack.  Meltdown gets around this by sequentially querying array elements corresponding to cache addresses.  Because cache tables are used, the targeted cached element will be returned much faster than other cache queries.  The speed increase indicates that the data just read from the cache is the targeted data.  Only small amounts of data are retrievable through such an activity.  However, Meltdown can iteratively query and read in this way until all current memory is revealed.  

Spectre has several variations and in many ways is similar to Meltdown.  However, Spectre differs in that it exploits the fact that many of today’s processors try to guess what a next step will be in a process.  This guessing method of prediction is also built into today’s processors   Spectre trains a processor to wrongly predict next steps in a process it provides.  A user process like Spectre does not have direct access to the output of such predictions if they are wrong.  Spectre, however, like Meltdown, iteratively queries cache memory for quickly returned results that reveal the targeted data.  In this case, the targeted data is in another process's private memory space.

MITIGATION

Mitigation is occurring through patches to operating systems, virus software and browser patches.  Of the two, Spectre is the hardest to fix.  For example, one suggested approach to protecting against one of the Spectre variations is to create new compilers that address the exploit and recompile, using the new compilers, all code that is susceptible to Spectre.  Moreover, because Meltdown and Spectre exploit capabilities that speed up processor performance, some suggest that the fixes slow down process execution.  This is likely most noticeable in infrastructure Cloud environments where processors are essentially rented and charged to customers as a function of processor usage.  As such, a customer might be paying more after the patches because their processor utilization may be more. 

Ron Sulpizio is an engineer and lawyer with 25 years of information technology experience, specializing in identity and access management, policy writing, cryptography systems, cybersecurity, information sharing, export regulation, privacy and patent prosecution. Ron has been part of the PKH Enterprises team since 2016.
Share on Twitter
Share on Facebook