Spectre & Meltdown – What do we know?

Update (11/01/2018): Intel have stated that all of their processors released in the last 5 years will receive updates before the end of January. Those with processors produced over 5 years ago are also expected to receive updates soon; however, Intel have not specified an official date.

With patches already released by vendors, the impact on performance is of great concern. Red Hat have reported that the performance impact of the patches ranged from 1 to 20 per cent in their benchmarks, and Microsoft have reported similar results. Intel have stated that the performance impact depends on the specific workload, platform configuration and mitigation technique. Older systems will be most affected by the decrease in performance.

Intel have provided links to operating system vendor and system manufacturer updates (see the Links section).

For non-Intel based systems, Intel have advised contacting your system manufacturer or microprocessor vendor (AMD, ARM, Qualcomm, etc.) for updates. Microsoft have released patches for 41 of the 45 editions of Windows and recommend applying them immediately. Users are also advised to ensure their antivirus software is up to date, so that it is compatible with the patch.

In some cases, the security patches have had severe drawbacks. On 9th January, Microsoft temporarily paused sending updates to devices with affected AMD processors, because devices were becoming unbootable after applying the updates. Affected owners need to visit Microsoft’s support site for fixes to get their machines back into a bootable state. Microsoft is working with AMD to resolve the issue as soon as possible.

Update (22/01/2018): As of January 18th, Microsoft has resumed rolling out patches for AMD devices running Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2 and Windows 10 (version 1709). Updates for 1511, 1607, and 1703 editions of Windows 10 are still paused, as are updates for Windows Server 2016 and Windows 10 Enterprise.

The updates have also been linked to BSOD problems; however, these have been attributed to antivirus programs that have not yet been updated. Users who experience a BSOD after January’s updates can find a solution on the Microsoft help pages.

See article for full details.

Background

First revealed on January 3rd 2018, Spectre and Meltdown are two major security flaws that have been found to affect many modern central processing units (CPUs). Before public disclosure, Spectre was discovered independently by Jann Horn from Google’s Project Zero, as well as cryptography consultant Paul Kocher. Meltdown was discovered independently by Jann Horn from Google’s Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, as well as a research group from Graz University of Technology. At the time of writing, there are three known variants: the first two are associated with Spectre and the third with Meltdown. Each is listed below with its CVE identifier:

  1. CVE-2017-5715 – Spectre: Branch target injection 
  2. CVE-2017-5753 – Spectre: Bounds check bypass 
  3. CVE-2017-5754 – Meltdown: Rogue data cache load 

Both Spectre and Meltdown take advantage of two CPU performance-enhancing features, known as out-of-order execution and speculative execution. Out-of-order execution avoids leaving execution units idle by executing instructions as their inputs become available, rather than in their original program order. Speculative execution goes further: to improve performance and resource utilization, the processor schedules instructions before it is certain they need to be executed. If the work turns out not to be needed, its results are discarded, although, as the attacks below show, traces of it remain in the cache. Overall, guessing the next instructions during otherwise idle time improves CPU performance even though some of the guesses are incorrect.

Meltdown

Meltdown (CVE-2017-5754) is a powerful hardware vulnerability recently found within CPUs that affects almost all Intel processors made since 1995, as well as several ARM processors. AMD have stated that their CPUs are not affected by the flaw, due to architectural differences. A successful exploit would allow an attacker to read arbitrary physical memory from an unprivileged user program, bypassing all memory security restrictions enforced by the hardware.

This is a serious vulnerability, and therefore greatly appealing to cyber criminals, because of the vast attack surface available and the exploit’s ability to leak sensitive information without leaving a trace.

Both Meltdown and Spectre take advantage of a performance feature of modern CPUs known as out-of-order execution, a mechanism designed to hide the latency of busy execution units and increase overall efficiency. For example, a memory fetch has to wait for data to arrive from memory. Instead of stalling, the CPU looks ahead and schedules subsequent operations on idle execution units. It is within this mechanism that researchers have discovered a technique for reading arbitrary data through side channels.

At its core, Meltdown is a privilege escalation vulnerability that enables malicious code to be executed locally on a target machine or remotely through browsers running JavaScript. Examples include:

  • An application or user with limited permissions gaining elevated access to restricted resources.
  • Remote execution through JavaScript, which removes the need for physical access to the target and significantly increases the threat posed by the vulnerability. JavaScript is normally used to improve the browsing experience, but a malicious actor can also use it to deliver code to a victim through the web browser.

By forcing direct cache loads and manipulating the out-of-order execution mechanism, an attacker can measure access timings to reveal sensitive data. Ultimately, kernel page-table isolation is necessary to hide kernel-space data from user space; however, this does not come without drawbacks, with performance decreases of 5% to 30%.

Spectre

Spectre is a privilege escalation vulnerability which allows user-mode applications to extract information from other processes running on the same system. The vulnerability breaks the isolation between different applications, allowing an attacker to trick error-free programs that follow best practices into leaking data.

The branch target injection exploit (CVE-2017-5715) tricks the CPU into mispredicting an indirect branch (commonly used to implement virtual functions in C++, or jump tables in the kernel) so that it speculatively executes program code chosen by the attacker. This vulnerability is potentially useful to a local attacker, as it would allow an adversary to obtain sensitive data (such as cryptographic tokens) from a privileged address space.

For the bounds check bypass (CVE-2017-5753), the CPU is tricked into speculatively loading data from outside the bounds of a bounds-checked array, for example from a virtual address chosen by an attacker. The bounds check means that the data is never architecturally loaded into registers visible to the program. However, the speculatively loaded value can still be passed through several subsequent speculative instructions, including loads from addresses that depend on it, so cache-timing effects can be used as a side channel to recover the data.
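As an added illustration, not code from this advisory or from any vendor, the C below places the variant 1 gadget shape described above next to the hardened form that index masking gives it. The branchless mask follows the shape of the generic `array_index_mask_nospec()` helper the Linux kernel adopted for this purpose; the table contents, the `probe` array, the `LINE` stride and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small bounds-checked table, and a larger array
 * indexed by table contents at cache-line stride (the access pattern whose
 * cache footprint a timing side channel could observe). */
#define TABLE_SIZE 16
#define LINE 64
static const uint8_t table[TABLE_SIZE] =
    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
static uint8_t probe[256 * LINE];

/* Fill probe[] so that a lookup returns the table value it went through.
 * Returns the number of entries written. */
static int init_probe(void)
{
    for (int i = 0; i < 256; i++)
        probe[i * LINE] = (uint8_t)i;
    return 256;
}

/* Branchless mask in the shape of the kernel's generic array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise. With no conditional branch there is
 * nothing for the branch predictor to mispredict.
 * If index < size, both index and (size - 1 - index) are below size, so their
 * OR has the top bit clear; if index >= size, (size - 1 - index) wraps and sets
 * the top bit. The arithmetic right shift then smears that bit across the word
 * (GCC and Clang shift negative longs arithmetically, as the kernel assumes). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    const unsigned top_bit = sizeof(unsigned long) * 8 - 1;
    return ~(long)(index | (size - 1UL - index)) >> top_bit;
}

/* Clamp an out-of-bounds index to 0 without branching. The empty asm stops the
 * optimiser folding the mask away when it can already see the bounds check
 * (the kernel's x86 build uses cmp/sbb in asm for the same reason). */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = index_mask_nospec(index, size);
#ifdef __GNUC__
    __asm__("" : "+r"(mask));
#endif
    return index & mask;
}

/* Variant 1 gadget shape: the bounds check is correct architecturally, but if
 * the branch is mispredicted the two dependent loads run speculatively for an
 * out-of-range index and leave a cache footprint keyed on table[index]. */
static int lookup_unhardened(size_t index)
{
    if (index < TABLE_SIZE)
        return probe[table[index] * LINE];
    return -1;
}

/* Hardened form: the index is masked before it feeds the dependent loads, so
 * even a mispredicted path only ever reads in-bounds memory. */
static int lookup_hardened(size_t index)
{
    if (index < TABLE_SIZE) {
        index = index_nospec(index, TABLE_SIZE);
        return probe[table[index] * LINE];
    }
    return -1;
}

int main(void)
{
    init_probe();
    printf("mask(3,16)=%#lx mask(16,16)=%#lx\n",
           index_mask_nospec(3, TABLE_SIZE), index_mask_nospec(16, TABLE_SIZE));
    printf("hardened(7)=%d hardened(1000)=%d\n",
           lookup_hardened(7), lookup_hardened(1000));
    return 0;
}
```

Architecturally both lookups behave identically, which is the point: the hardening changes only what an out-of-range index can reach on a mispredicted path. Compilers later grew dedicated options for this (for example MSVC's `/Qspectre`), but for hot paths that handle untrusted indices the explicit mask remains the pattern used in the kernel.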

Spectre exploits are known to affect Intel, AMD and ARM processors, meaning mobile devices are also affected. Spectre is considered more difficult to exploit than Meltdown, but also more difficult to patch.

Mitigation techniques

Meltdown

Intel is currently working with manufacturers to distribute firmware patches for its processors. It has also coordinated with operating system developers to distribute software mitigations, with patches now available for recent versions of Windows, macOS, Linux, ChromeOS, Android and iOS, as detailed in the list below:

  • Microsoft released updates protecting against Meltdown on January 3rd for Windows 10 (KB4056888, KB4056890, KB4056891, KB4056892, KB4056893), Windows 8.1 and Windows Server 2008 R2 (KB4056898). On January 4th, patches for Windows 7 (KB4056894) and Windows Server 2008 R2 (KB4056898) were released. No patches are currently available for Windows Server 2008 or 2012 non-R2 versions. Additionally, the patches for 32-bit systems do not currently include Meltdown mitigation. Note that some initial compatibility issues have been discovered:
    • Users should check that their AV provider has made their product compatible with the fix: if the patch is applied to a system running an incompatible AV product, it could render the machine unusable and cause a BSoD. Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection and Microsoft Security Essentials are compatible with the update; further details on compatibility for common antivirus software are available in the Links section.
    • Issues have also been reported involving AMD processors, where PCs have been unable to boot after installing the latest Windows updates. As of 18/01/2018, Microsoft has resumed rolling out patches for AMD devices running Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2 and Windows 10 (version 1709). Updates for 1511, 1607, and 1703 editions of Windows 10 are still paused, as are updates for Windows Server 2016 and Windows 10 Enterprise.
  • Apple protected users from Meltdown in macOS High Sierra 10.13.2, released on December 6th, with additional safeguards to be added in 10.13.3. 
  • Kernel patches for Meltdown are available for Linux, with 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 patched.
    • Initially, boot issues were reported by Ubuntu users running the Xenial 16.04 series after updating to kernel image 4.4.108. New updates with kernel image 4.4.109 have since been released which address the issue.
  • Chromebooks received protection in Chrome OS 63, released on December 15th, with further mitigation to be included in Chrome 64. 
  • According to Google, the January 5th security patch update protected Android users from Meltdown. 
  • In iOS 11.2, released on December 13th, Apple introduced mitigation for Meltdown. 

Spectre

Despite many security experts saying that Spectre will be particularly difficult to immunize against, last week Intel stated it is “rapidly issuing updates for all types of Intel-based computer systems”, and that 90% of processors introduced in the last 5 years will be patched by the end of the week. 

Google have published a mitigation technique known as Retpoline, which can be applied to the operating system kernel, system programs and individual applications to protect against one of the Spectre attacks (CVE-2017-5715, branch target injection). Retpoline uses an infinite loop that is never architecturally executed, into which any speculation is diverted, so that the CPU cannot speculate on the attacker-chosen target of an indirect jump. Google has shared Retpoline with its industry partners and has deployed it on its own systems, including Google Cloud infrastructure, with “negligible impact on performance.”
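The retpoline construction itself, as an added example rather than code from Google's or the Linux kernel's sources: a thunk in the shape Google published for x86-64, wrapped in C so it can be run. The symbol name `retpoline_thunk_rax`, the `call_via_retpoline` wrapper and the `double_it` callee are constructed for the example; in practice the compiler emits these thunks for you (GCC's `-mindirect-branch=thunk`, Clang's `-mretpoline`), and this block only makes the mechanism visible. On anything other than x86-64 ELF it falls back to a plain indirect call.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed callee to be reached through the thunk. */
static long double_it(long x) { return 2 * x; }

#if defined(__x86_64__) && defined(__ELF__)
/*
 * Retpoline thunk (shape as published by Google for x86-64; hypothetical
 * symbol name, the kernel's equivalent is __x86_indirect_thunk_rax).
 * "call 1f" pushes the address of the capture loop as the return address,
 * which is also what the return stack buffer now predicts for the RET.
 * The real target in %rax then overwrites that stack slot, so the RET
 * architecturally reaches the target, while any speculative execution of the
 * RET lands in the PAUSE;LFENCE loop and spins harmlessly until the
 * misprediction resolves. No indirect JMP/CALL is ever executed, so the branch
 * target buffer that variant 2 poisons is never consulted.
 */
__asm__(
    ".pushsection .text\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  movq %rax, (%rsp)\n"
    "    ret\n"
    ".popsection\n");

/* Indirect call through the thunk: target in %rax, first argument in %rdi. */
static long call_via_retpoline(long (*fn)(long), long arg)
{
    long ret = (long)(uintptr_t)fn;   /* goes into %rax for the thunk */
    long a0 = arg;                    /* first SysV integer argument, %rdi */
    __asm__ volatile(
        "subq $128, %%rsp\n\t"        /* step over the red zone before pushing */
        "call retpoline_thunk_rax\n\t"
        "addq $128, %%rsp"
        : "+a"(ret), "+D"(a0)         /* %rax comes back holding the result */
        :
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "memory", "cc");
    return ret;
}
#else
/* Other targets: plain indirect call, no retpoline. */
static long call_via_retpoline(long (*fn)(long), long arg) { return fn(arg); }
#endif

int main(void)
{
    printf("call_via_retpoline(double_it, 21) = %ld\n",
           call_via_retpoline(double_it, 21));
    return 0;
}
```

Two practical caveats follow from the construction. Because the thunk deliberately overwrites a return address, retpoline is incompatible with hardware shadow stacks (Intel CET), which is one reason newer processors rely on hardware controls for variant 2 instead. And because the protection depends on the return stack buffer predicting the capture loop, kernels that use retpoline also refill that buffer on context switches so that an attacker cannot empty it first.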

On January 8th, Apple released security patches to mitigate against both CVE-2017-5753 and CVE-2017-5715 in macOS High Sierra 10.13.2, iOS 11.2.2, and Safari 11.0.2.

For Windows, mitigation for Spectre variant 1 (bounds check bypass, CVE-2017-5753) is provided in the January 3rd and 4th updates. Spectre variant 2 (branch target injection, CVE-2017-5715) has not yet been addressed.

Exploitation of Spectre through JavaScript is also possible; a simple defence against browser-based exploits is to disable JavaScript altogether. Alternatively, Google Chrome has been updated with an opt-in experimental feature known as Site Isolation, which can help guard against Spectre attacks. Site Isolation is trickier on mobile devices: the feature is unavailable for Chrome on iOS and can cause functionality and performance issues on Android.

Mozilla and Microsoft are also taking steps to protect browsers against Spectre. Mozilla released Firefox 57 in November with some initial safeguards, and Edge and Internet Explorer received an update alongside Windows 10. 

Last updated: January 22nd

 

Links