
Meltdown and Spectre challenge IT security professionals

Tuesday, January 9, 2018 By

Two highly significant security flaws in Intel processors, Meltdown and Spectre, have triggered feverish activity in the security industry and have also raised wider concerns about the technology industry's approach to security.

The two exploits, Meltdown [CVE-2017-5754] and Spectre [CVE-2017-5753 and CVE-2017-5715], exploit vulnerabilities in the way a modern multithreading processor functions by executing multiple instructions simultaneously. The flaws could allow attackers to obtain passwords, encryption keys and other sensitive information from a computer's core memory, potentially even via a web browser.

Meltdown specifically revolves around the fact that out-of-order memory lookups influence the cache, which in turn can be detected through the cache side channel. This means an attacker can dump the entire kernel memory by reading privileged memory in an out-of-order execution stream and transmitting the data from this state via a covert channel, at rates that vary with the system and environment but reach up to 503 KB/s.


“Meltdown breaks all security assumptions given by the CPU’s memory isolation capabilities. We evaluated the attack on modern desktop machines and laptops, as well as servers in the cloud. Meltdown allows an unprivileged process to read data mapped in the kernel address space, including the entire physical memory on Linux and OS X, and a large fraction of the physical memory on Windows. This may include physical memory of other processes, the kernel, and in case of kernel-sharing sandbox solutions (e.g., Docker, LXC) or Xen, memory of the kernel (or hypervisor), and other co-located instances”, said the researchers from Graz University of Technology who uncovered the bugs.

The researchers recommended immediate rollout of a fix, dubbed KAISER, which has been widely accepted by the three major operating systems (Windows, Linux and OS X) as well as by companies from Apple to Google and Cisco to VMware. However, the second vulnerability, Spectre, is less easy to defeat, although also harder to weaponise in the first place. An Apple blog noted that the Spectre “techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. Analysis of these Spectre techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser.”
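One practical follow-up to the KAISER rollout is verifying that a Linux host actually reports the mitigation. The script below is an added example, not code from the article or from the researchers: it reads the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ (present on Linux 4.15 and later, where the Meltdown fix shows up as "Mitigation: PTI") and classifies each of the three CVEs named above; the sample status dictionaries are constructed for illustration.

```python
"""Report Meltdown/Spectre mitigation status from the Linux sysfs interface."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# sysfs file name -> CVE named in the article
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = (status or "").strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"        # e.g. "Mitigation: PTI" for the KAISER/KPTI fix
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"             # empty, missing or unrecognised text


def assess(statuses):
    """Return {cve: (classification, raw_text)} for every CVE in CHECKS.
    A CVE with no status file is reported as unknown, never silently as safe."""
    return {cve: (classify(statuses.get(name)), statuses.get(name))
            for name, cve in CHECKS.items()}


def needs_action(report):
    """CVEs that are still vulnerable or could not be verified."""
    return sorted(cve for cve, (cls, _) in report.items() if cls != "mitigated" and cls != "not_affected")


def read_sysfs(path=SYSFS_DIR):
    """Read the live status files; absent files (older kernels) are left out."""
    statuses = {}
    for name in CHECKS:
        try:
            with open(os.path.join(path, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            pass
    return statuses


# Constructed samples: a patched host and an unpatched one.
SAMPLE_PATCHED = {"meltdown": "Mitigation: PTI",
                  "spectre_v1": "Mitigation: __user pointer sanitization",
                  "spectre_v2": "Mitigation: Full generic retpoline"}
SAMPLE_UNPATCHED = {name: "Vulnerable" for name in CHECKS}

if __name__ == "__main__":
    for cve, (cls, raw) in assess(read_sysfs()).items():
        print(f"{cve}: {cls} ({raw or 'no sysfs entry'})")
```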

Intel was quick to quash any suggestion that the company might be responsible, stating in a blogpost that: “This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”

However, while fixes have been rushed out by most major vendors to combat Meltdown, the rollout has not been as smooth as it could have been. Some patches are reported to have slowed machines significantly, with Red Hat reporting slowdowns of between one and 20 per cent.

The scale of the vulnerabilities is enormous, with at least three billion chips in computers, tablets, and phones currently in use being vulnerable to attack by Spectre, the more widespread of the two flaws. The process of patching Meltdown and Spectre on such a number of devices in so many different environments is likely to take some time, and raises significant questions about the future of technology design.

The wider challenge of keeping up to date with patches and new vulnerabilities like Meltdown and Spectre has been addressed by High-Tech Bridge, which recently launched ImmuniWeb Discovery, a platform designed to reduce AST costs, minimise the external attack surface and help meet compliance and regulatory requirements. The free service provides continuous, non-intrusive application discovery, leveraging a wide spectrum of reconnaissance and OSINT information-gathering techniques.

Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
