
05 Jul 2018

Hardware Vulnerability: Understanding Spectre, Meltdown and the Price of Unchecked Modernization

By: Andrew Nowak

Firewalls, encryption, antivirus software, armed security guards, dual authentication and every other added security mechanism exist for one purpose: to protect data from unauthorized access. Most bugs and viruses exploit a lapse in software or target a specific operating system. However, less than a week into 2018, Google’s Project Zero Team announced a different type of vulnerability following their discovery of a Central Processing Unit (CPU) bug: a hardware vulnerability (Miller).

Dubbed “Spectre” and “Meltdown,” these bugs resemble other bugs used to exploit weaknesses on a computing device, but differ in that they function at the hardware level (Graz University). Hardware bugs, or design flaws, exist as vulnerabilities in the architecture of a specific component inside a computing device, rather than in the code of the operating system or of a program installed on it.

Why Should You be Concerned about Spectre and Meltdown?

Spectre and Meltdown are so potentially virulent because they operate in much closer proximity to user data and are not limited to functioning on a specific operating system. Beyond your standard laptops and desktops, Spectre and Meltdown have been proven to access data housed on smartphones, tablets, and cloud computing systems (Weise). They can affect almost every CPU model, with the capability to target and exploit nearly every CPU from Intel, AMD, and ARM, three of the largest manufacturers of these chips in the world (Greenberg).

How is it that these bugs have existed for years and remained unnoticed as zero-day vulnerabilities? More importantly, what is the cause of these bugs? The answer lies in a critical process run on a CPU called Speculative Execution (SE).

Each user has a pattern when they log onto their computer. For example, the first action you might take after signing into a work computer is to access your email, or similarly, with a home computer, you may open a music application or internet browser. Over time your CPU will take note of this pattern and begin to assume which process it might have to access next. This is called ‘speculative execution’ (SE) and its purpose is to boost the speed of a CPU by making an educated guess at what information or program a user wishes to access and to start loading it before being prompted.

With the intent of overcoming latency, SE frees up processing power by having the CPU spool up several functions ahead of a user’s input. This means that before a key is pushed or a button is clicked, a CPU has already started to predict which commands it will need to carry out next. By using this out-of-order execution, the system operates “on multiple instructions at once…to increase performance” (Apple).  

When you have more than one program running, your CPU will separate your system’s random-access memory, or RAM, into sections that can each be accessed by only a single program. This prevents other programs from getting into data they are not authorized to open.

Speculative execution carries out instructions by exploiting the CPU’s cache memory, rather than via the RAM. By having its own cache, a CPU does not need to send a command to the RAM and take the time to wait for a response. The CPU can process instructions and fetch data within its own memory as soon as a program asks for it. The downside of this faster process is that the CPU does not first check whether a program is even allowed to access specific data stored in the CPU cache memory; by the time that check happens, the process to identify the specific data has already begun.

How do Spectre and Meltdown manipulate a computer?

If Meltdown was trying to access specific sets of data on a device, it could choose any program as its subversive decoy. For example, Meltdown could prompt Microsoft Outlook to instruct the CPU to reveal Google Chrome’s data – a user’s web history. Chrome could possibly have banking information, a social security number, passwords, or other sensitive information stored in its memory. Because the CPU has already sectioned the device, it will refuse to allow Office access. The diagram below from left to right represents a criminal utilizing Meltdown, a piece of RAM memory segmented by the CPU into slots 1 through 19, and a CPU.

 

Another common example would be a user who frequently uses Outlook and Chrome. Using SE, the CPU would spool up data requested by each program and transfer it from the RAM memory segments that those programs are partitioned to (1-7 and 8-12, respectively) into the temporary CPU cache. Now, even though the CPU will not allow the transaction of data between Outlook and Chrome, Meltdown can already access the data that has been transferred to the CPU cache.

By understanding that a CPU will speculate beyond an initial request for a single program’s data, Meltdown now knows that the information it wants has been added to the cache. Although the CPU is not revealing the data at address 8 through 12 directly from the RAM, the processor’s SE moved that data to the cache where it is unprotected.

Using a process called “branch prediction,” Spectre also abuses SE by searching for previously established patterns in CPU execution that can reveal which programs are being accessed most frequently (Mangard). It works in the same way that, if you went to a sandwich shop every Thursday and ordered the same meal, the person working the counter might notice the pattern and have the meal ready for you every Thursday before you show up.

Spectre will then harass the CPU, triggering it to execute SE functions and causing the CPU to pull specific information into its unsecured cache. This attack “carefully chooses which transient instructions are speculatively executed,” thereby leaking the information that is housed within the “victim’s memory address space” (Mangard).

How did we get here?

In the pursuit of creating the fastest computer, CPU manufacturers made performance, rather than security, their metric of success. Few foresaw how dependent society would become on complex computing devices in conjunction with the creation of the internet. Securing these devices took more resources and time due to the often-nefarious tendencies of humans who inevitably used and abused these tools. CPU manufacturers found themselves beholden to the masses who craved faster devices, and as such, security took a backseat to speed, and vulnerabilities such as Meltdown and Spectre were born.

Well…. now what?

To mitigate these vulnerabilities, it would make sense to eliminate the ability for a CPU to use speculative execution and branch prediction. However, the fact of the matter is that people’s livelihoods and lives depend on having the fastest machine possible to access information and run programs, which presents a difficult tradeoff of speed versus security. Specifically, patching these vulnerabilities will cause a machine to be significantly slower.

Manufacturers are working on fixing these exploits on future CPUs because these processes are so fundamental to modern-day CPU functions. Users are forced to choose between optimizing their computing devices and sacrificing performance to secure their data.

Protections against Meltdown are available, but they come at the cost of a significant performance loss. The ultimate solution to Spectre, on the other hand, has a heavy cost to the manufacturers: a complete redesign for some of their CPUs. AMD and Intel have released firmware patches; however, older products unable to update will still be susceptible to these types of attacks (Newman).

For those of you who believe that we have made it through the storm and all that remains is to clean up the damage and patch these specific security vulnerabilities, think again. As of May 21st, 2018, Intel announced “Variant 4” Spectre, a brand new modified form of the CPU vulnerability with no current patches available (Culbertson). In the meantime: update your hardware, patch your software, and practice good cyber hygiene.
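One way to see where a machine stands on the patches discussed above, as an added example that is not part of the original article: recent Linux kernels report per-flaw status as text files under `/sys/devices/system/cpu/vulnerabilities`, and this script reads the entries for Meltdown, Spectre and Variant 4. The function names (`classify`, `audit`, `needs_action`) and the verdict labels are this example's own; the fallback sample values are constructed.

```python
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> the flaw it reports on
CHECKS = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
    "spec_store_bypass": "Spectre Variant 4",
}

def classify(status):
    """Map the kernel's free-text status line to a coarse verdict."""
    text = status.strip().lower()
    for prefix, verdict in (("not affected", "not_affected"),
                            ("mitigation", "mitigated"),
                            ("vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return verdict
    return "unknown"

def audit(directory=SYSFS_DIR):
    """Return {file name: (verdict, raw status)} for every check."""
    results = {}
    for name in CHECKS:
        try:
            raw = (Path(directory) / name).read_text().strip()
            results[name] = (classify(raw), raw)
        except OSError:
            # No file: this kernel does not report on the flaw at all.
            results[name] = ("not_reported", "")
    return results

def needs_action(results):
    """Names whose status is vulnerable, unknown or not reported."""
    ok = ("mitigated", "not_affected")
    return sorted(n for n, (v, _) in results.items() if v not in ok)

if __name__ == "__main__":
    target = SYSFS_DIR
    if not target.is_dir():
        # Constructed sample so the script also runs off a Linux host.
        target = Path(tempfile.mkdtemp())
        (target / "meltdown").write_text("Mitigation: PTI\n")
        (target / "spectre_v2").write_text("Vulnerable\n")
    report = audit(target)
    for name, (verdict, raw) in report.items():
        print(f"{CHECKS[name]:18} {verdict:13} {raw}")
    print("needs action:", needs_action(report))
```

An entry listed under "needs action" means either a kernel or firmware update is still outstanding or the kernel is too old to report on that flaw.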

 

Additional Resources:

More information can be found at https://meltdownattack.com

Citations:

“Intel Issues Updates to Protect Systems from Security Exploits.” Intel Newsroom, 4 Jan. 2018, newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/.
Metz, Cade, and Nicole Perlroth. “Researchers Discover Two Major Flaws in the World’s Computers.” The New York Times, The New York Times, 3 Jan. 2018, www.nytimes.com/2018/01/03/business/computer-flaws.html?rref=collection%2Fsectioncollection%2Ftechnology.

“About Speculative Execution Vulnerabilities in ARM-Based and Intel CPUs.” Apple Support, 9 Jan. 2018, support.apple.com/en-us/HT20839
“Meltdown and Spectre.” Meltdown and Spectre, 1 Jan. 2018, meltdownattack.com.

Gibbs, Samuel. “Meltdown and Spectre: ‘Worst Ever’ CPU Bugs Affect Virtually All Computers.” The Guardian, Guardian News and Media, 4 Jan. 2018, www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw.
Newman, Lily Hay. “Meltdown and Spectre Fixes Arrive-But Don’t Solve Everything.” Wired, Conde Nast, 6 Jan. 2018, www.wired.com/story/meltdown-and-spectre-vulnerability-fix/.

Tung, Liam (January 18, 2018). “Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch – Intel’s firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.” ZDNet.
Miller, Ron. “Google’s Project Zero Team Discovered Critical CPU Flaw Last Year.” TechCrunch, TechCrunch, 5 Jan. 2018, techcrunch.com/2018/01/03/googles-project-zero-team-discovered-critical-cpu-flaw-last-year/.

Greenberg, Andy. “How So Many Researchers Found a 20-Year-Old Chip Flaw at Once.” Wired, Conde Nast, 8 Jan. 2018, www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/.

Apple Inc. January 29th 2018. “About speculative execution vulnerabilities in ARM-based and Intel CPUs” https://support.apple.com/en-us/HT208394.

Greenberg, Andy. “A Critical Intel Flaw Breaks Basic Security for Most Computers.” Wired, Conde Nast, 6 Jan. 2018, www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/.

Weise, Elizabeth. “Own a Mac, PC or Smartphone? A Major Security Flaw Means You Need to Do This Now.” USA Today, Gannett Satellite Information Network, 5 Jan. 2018, www.usatoday.com/story/tech/2018/01/04/use-computer-smartphone-new-broad-security-flaw-means-you-need-do-now/1004400001/ .

Newman, Lily Hay. “The Hidden Toll of Fixing Meltdown and Spectre.” Wired, Conde Nast, 12 Jan. 2018, www.wired.com/story/meltdown-and-spectre-patches-take-toll/.

“Addressing New Research for Side-Channel Analysis.” Intel Newsroom, newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/.

Andrew Nowak

Cybersecurity Analyst at MindPoint Group
Andrew Nowak is a Cybersecurity Analyst with MindPoint Group’s Government Risk and Compliance (GRC) Team. Andrew has a Master of Science in Security Studies with a Concentration in Cybersecurity and a PCP in Innovation and Technology from the Massachusetts Institute of Technology as well as a Security+ certification.