Meltdown & Spectre – An introduction

By now, most of you have probably heard about the most impactful vulnerabilities discovered this year: Meltdown and Spectre. Their names actually point towards their functionality, Meltdown works by ‘melting’ the protective borders found on a computer, allowing an attacker almost unrestricted access to any data. Spectre, in turn, utilizes a vulnerability which is almost invisible to a user – Like a spectre.

Both rely on technology that has been common-place in devices for several years. This means they affect nearly every device on the market – From your typical PC to your phone. At first it was thought that a file needed to be ran in order for you to be infected, however, later research has shown that a click on a link to a malicious page is all it takes. This means the priority of fixing these vulnerabilities is at an absolute high, especially as a system administrator. Microsoft and other large providers are currently offering patches through their update systems, but specialized systems will need some research in order to resolve.

 

How do they work?

Both Meltdown and Spectre rely on speculative execution. Considered a standard in most modern processor architectures, speculative execution uses probability to beforehand predict results of IF clauses. This is done to reduce the amount of clock cycles used by RAM I/O; Instead of waiting for the real result, the processor attempts to predict the outcome based on previous results. If the prediction is right, we’ve saved a considerable amount of clock cycles and jump the gun in the execution path. If the prediction is wrong however, the processor simply returns to the IF clause, discards the result into the processor cache and pretends that the speculative execution never happened.

Furthermore, even though the two exploits are undeniably different, both of them use vulnerabilities found in the implementation of process isolation and memory management.  Process isolation is critical to security today, preventing one process of leaking information to another, especially due to our reliance on cloud computing and virtual environments. If process isolation were to fail in one environment (i.e. cloud environment), it could lead to major data leakage from the other virtual machines present on the system even if they are securely configured.

In today’s modern processors, processor isolation is achieved by utilizing virtual memory address space. It is also managed by the Memory Management Unit (MMU), located in the CPU. The MMU then links the virtual address space together with the physical memory, ensuring process isolation. But what would happen a flaw exists within the MMU itself? Well, it would trigger a meltdown.

 

Meltdown

Now, what would happen if a read from one process to another process’ memory was attempted? It would of course be denied by the MMU and the kernel, but due to speculative execution it would still be performed and discarded to the cache. However, by using a certain technique of performing legitimate RAM reads and measuring the speeds of which results are returned the Meltdown exploit can effectively “read” the cache, extracting any sensitive data. This type of search is possibly due to the process performing the exploit is in the same scope. This is effectively what Meltdown does.

 

Spectre

The Spectre vulnerability also relies on speculative execution but in a slightly different way. The Branch Prediction Unit used to predict which way to go in an IF clause can essentially be trained, since when an IF clause returns FALSE several times in a row it is very likely it’ll do so again the next time. However, the Branch Prediction Unit does not learn from just once process, but rather all of them, since a lot of programs share algorithms. Spectre utilizes this by performing several constructs, essentially tricking the victim process to act like the attacker wants them to during speculative execution. Through this, vital information can be dumped to the processor cache.

 

How are they mitigated?

Since both of these exploits are based on architecture-level flaws, it’ll take a bit more than just a few software patches to mitigate completely. To defend against Meltdown, the researchers who found the exploit recommends implementing a certain defense mechanism; KAISER. While originally created to protect against kernel-space attacks, it was also found to protect against Meltdown to a large extent.   

Spectre on the other hand is more difficult to mitigate. There exists several ways of forcing a victom process to leak data through speculative execution. This means not all of them have been found and therefore remain unpatched. The in-browser versions of Spectre has already been partially mitigated by Mozilla. The exploit relies heavily on accurate timing, therefore they reduced the precision of the built-in timers.

 

Final thoughts

These exploits are relatively new and affect a majority of people. Therefore, it is important to fix the issue as quickly as possible. Microsoft, Apple, and other large companies are already rolling out patches to temporarily prevent damages, which is key for system administrators and managers, but due to the nature of the vulnerabilities the primary responsibility of fixing them lies on the processor manufacturers However, since the functionality responsible for the vulnerabilities is so common-place it’ll most likely take a long time properly fix, especially concerning Spectre.

 

 

Contributors

• Adam Björkman
• Max Kardos