Meltdown & Specter - An introduction
By now, you have probably heard about the most impactful vulnerabilities discovered this year: Meltdown and Specter. Their names actually point to their functionality, Meltdown works by 'melting' the protective borders found on a computer, allowing an attacker almost unrestricted access to any data. Spectre, in turn, utilizes a vulnerability which is almost invisible to a user - Like a specter.
Both rely on technology that has been common-place in devices for several years. This means they affect nearly every device on the market - From your typical PC to your phone. At first it was thought that a file needed to be ran in order for you to be infected, however, later research has shown that a click on a link to a malicious page is all it takes. This means the priority of fixing these vulnerabilities is at an absolute high, especially as a system administrator. Microsoft and other large providers are currently offering patches through their update systems, but specialized systems will need some research in order to resolve.
How do they work?
Both Meltdown and Specter rely on speculative execution. Considered standard in most modern processor architectures, speculative execution uses to predict predictions of IF clauses. This is done to reduce the amount of clock cycles used by RAM I / O; Instead of waiting for the real result, the processor attempts to predict the outcome based on previous results. If the prediction is right, we've saved a lot of clock cycles and jump the gun in the execution path. If the prediction is wrong, the processor simply returns to the IF clause, discards the result into the processor cache and pretends that the speculative execution never happened.
Furthermore, even though the two exploits are undeniably different, both of them use vulnerabilities found in the implementation of process isolation and memory management. Process isolation is critical to security today, preventing one process of leaking information to another, especially due to our reliance on cloud computing and virtual environments. If process isolation were to fail in one environment (ie cloud environment), it could lead to major data leakage from the other virtual machines present on the system even if they are securely configured.
In today's modern processors, processor isolation is achieved by utilizing virtual memory address space. It is also managed by the Memory Management Unit (MMU), located in the CPU. The MMU then links the virtual address space together with the physical memory, ensuring process isolation. But what would happen a flaw exists within the MMU itself? Well, it would trigger a meltdown.
Now, what would happen if a read from one process to another process' memory was attempted? It would be of course at the MMU and the kernel, but due to speculative execution it would still be performed and discarded to the cache. However, by using a certain technique of performing legitimate RAM reads and measuring the speeds or results returned the Meltdown exploit can effectively read the cache, extracting any sensitive data. This type of search is possibly due to the process of performing the exploit is in the same scope. This is effectively what Meltdown does.
The Specter vulnerability also relies on speculative execution but in a slightly different way. The Branch Prediction Unit used to predict which way to go into an IF clause can essentially be traced since when an IF clause returns FALSE several times in a row it is very likely it'll do so again the next time. However, the Branch Prediction Unit does not learn from just once, but rather all of them, since a lot of programs share algorithms. Specter utilizes this by performing several constructs, essentially tricking the victim process into action like the attacker wants them during speculative execution. Through this, vital information can be dumped to the processor cache.
How are they mitigated?
Since both of these exploits are based on architecture-level flaws, it will take a bit more than just a few software patches to mitigate completely. To defend against meltdown, the researchers who found the exploit recommends implementing a certain defense mechanism; KAISER. While originally created to protect against kernel-space attacks, it was also found to protect against Meltdown to a large extent.
Specter on the other hand is more difficult to mitigate. There are several ways of forcing a process to leak data through speculative execution. This means that all of them have been found and therefore remain unpatched. The in-browser versions of Specter have already been partially mitigated by Mozilla. The exploit relies heavily on accurate timing, therefore they reduce the precision of the built-in timers.
These exploits are relatively new and affect a majority of people. Therefore, it is important to fix the issue as quickly as possible. Microsoft, Apple, and other large companies are already rolling out patches to temporarily prevent damages, which is key for system administrators and managers, but due to the nature of the vulnerabilities the primary responsibility of fixing them lies on the processor manufacturers. most likely take a long time properly fix, especially regarding specter.
- Adam Björkman
- Max Kardos