Meltdown and Spectre – coming to a PC or Cloud Server near you
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information, because that information may leak. This applies both to personal computers and to cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Google’s Project Zero (GPZ) is a think tank of leading-edge security researchers who have established a track record of groundbreaking research. Yesterday they announced a set of flaws in CPU architectures that create two kinds of vulnerabilities.
It is early in the year, but this may be the most important and impactful security vulnerability in 2018. This affects any software running on Intel chips, no matter the operating system or vendor. This affects every Intel processor since 1995 that implements out-of-order execution, except Itanium, and the Atom before 2013. The newer Google devices seem to be OK.
Who reported Meltdown?
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero),
- Werner Haas, Thomas Prescher (Cyberus Technology),
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
Who reported Spectre?
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero) and
- Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
The flaws were first reported confidentially by researchers to CPU makers Intel, AMD and ARM on June 1st, 2017. Disclosure was under embargo until next week, but public speculation on kernel patches that fix this issue led to early disclosure starting on January 1st, 2018. Most information was finally disclosed by the researchers involved yesterday, January 3rd. Research associated with the security flaws was published on the Google Project Zero blog.
Both of these vulnerabilities stem from performance optimizations in CPUs. The security fixes may have a performance impact. Some news sources are claiming up to 30% performance impact, while more authoritative sources indicate this number is exaggerated. Intel’s official statement says “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Intel has been accused of downplaying the seriousness of the vulnerability, both in terms of how badly Intel CPUs are affected and the negative effects of these vulnerabilities.
The Meltdown Vulnerability
Meltdown is the first of the two vulnerabilities that GPZ disclosed. It exploits a CPU performance optimization known as ‘out-of-order execution’ to read arbitrary kernel memory locations. The attack is independent of operating system and does not rely on any software vulnerabilities. In other words, it is a vulnerability in chip hardware that is exploitable on any system, no matter what operating system it is running, no matter whether the software on the system has a vulnerability or not.
Meltdown allows an attacker to read memory that they should not have access to in other processes, other virtual machines on the same system and across various other permission boundaries. This affects a huge number of cloud service providers and personal computer and device users.
There is a mechanism that operating system developers can use to protect against this attack. You will be seeing a large number of operating system patches released and deployed during the coming days to secure systems against ‘Meltdown’.
Spectre is a vulnerability that exploits another performance enhancement in modern CPUs, known as speculative execution. Hence the name, Spectre.
Modern processors use speculative execution to improve performance. The mechanism allows processors to guess which code will execute and to go ahead and execute that code while waiting for a memory location to be read. Once the read operation is complete, if the processor guessed right, it keeps the results of the computation. If it guessed wrong, it discards the computation results. This improves performance.
Spectre attacks get a victim processor to perform operations that would not occur during correct program execution. These operations leak confidential information.
This attack violates many security models including process separation, containerization and others.
Of particular concern to those of us in the website security community is the following passage from the research paper:
According to the research, makeshift processor-specific countermeasures for Spectre are possible, but a long term fix will require a fundamental improvement to CPU architectures.
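The bounds-checked pattern that Spectre variant 1 abuses, shown next to a branchless index-masking fix of the kind the kernel patches use. This is an added example, not code from the paper or this post; the array names follow the paper's convention, the data is constructed, and no timing or cache-measurement code is included.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small public array and a large "probe" array
 * whose cache state is what a Spectre attack measures. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 512];

/* Spectre variant 1 gadget, in the shape given in the Spectre paper. The
 * bounds check is correct, yet while the CPU waits for array1_size it may
 * predict the branch as taken and run the body with an out-of-bounds x; the
 * dependent load leaves a cache footprint indexed by the byte at array1[x]. */
uint8_t victim_unsafe(size_t x, size_t array1_size) {
    if (x < array1_size) {
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise (same idea as
 * the Linux kernel's array_index_mask_nospec). Assumes size <= LONG_MAX and
 * an arithmetic right shift on signed long, as GCC and Clang provide. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

/* Clamp an index to 0 unless it is in bounds, without a predictable branch. */
size_t masked_index(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened gadget: even if the branch body runs speculatively with x out of
 * range, the load is forced to array1[0], so no secret byte reaches array2. */
uint8_t victim_hardened(size_t x, size_t array1_size) {
    if (x < array1_size) {
        x = masked_index(x, array1_size);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void) {
    printf("in-bounds 5 -> %zu\n", masked_index(5, ARRAY1_SIZE));       /* 5 */
    printf("out-of-bounds 200 -> %zu\n", masked_index(200, ARRAY1_SIZE)); /* 0 */
    return 0;
}
```

The mask costs a few ALU instructions per lookup instead of a speculation barrier, which is why it is the preferred fix where the index is a small integer.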
Fixing Meltdown and Spectre and Their Impact
Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.
That is not feasible for existing chips, so in order to fix this issue for existing CPUs, operating system vendors are going to have to release fixes. That means you will see security fixes for the following OSes released in the coming days: Windows, OS X, Linux and probably Android. When you see a fix available for your PC or device, apply it as soon as is practical, because it will probably contain a fix for these issues.
Because the vulnerabilities are in the algorithms CPUs use to improve performance, the fixes may have a performance impact. Chip vendors like Intel are playing down the impact, while some news media are playing it up. I would suggest taking a wait-and-see approach, because ultimately, benchmarks of the new operating system patches are the only accurate way to reliably determine whether there will be any performance impact and, if so, of what magnitude.
If you are a hosting provider that uses cloud services for your customers, expect your cloud provider to reboot systems during the coming days and have your operations team on standby to ensure that everything cycles back normally. And of course, keep your customers apprised of the situation.
If you use hosting services, like WordPress hosting, you should be aware that your hosting or cloud provider may need to reboot systems over the coming days as they apply patches for Meltdown and Spectre. Unless you have a 100% fully managed WordPress site, it may be up to you to check that certain services for your site came back up after the reboot. Keep a close eye on bulletins from your host over the coming hours and days and ensure you check your site and systems as soon as they come back up after any reboot or down time.
So far we are seeing notifications of maintenance or reboots for the following hosts and cloud providers:
- Amazon is reporting that they have patched most of the underlying operating systems for AWS and will complete the rest soon. They are saying that customers are responsible for updating the operating systems of their instances and have provided information to do that.
- Linode are saying that they will need to do a “fleet-wide reboot” to protect against these issues. Keep an eye on their blog for updates.
- DigitalOcean are reporting that they also may need to reboot droplets and are monitoring the situation.
- Vultr are reporting a reboot may be needed.
If your cloud provider is not listed above, keep an eye on their blog and Twitter account for updates.
At this time we are not seeing updates from major hosting providers to their customers. The operational impact of these updates will probably flow upwards in architectural terms. In other words, CPU vendors were first notified and responded, then operating system vendors, then cloud providers like AWS and Linode and next we will see service providers respond.
These would include hosting companies, DNS service providers, storage providers, backup providers and other providers of services and applications. In many cases, for service providers, there may be no operational impact if they have built redundancy into their application and are able to perform partial fleet reboots without disrupting service.
Chrome and Firefox Affected
“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes.”
They have already implemented and released fixes to mitigate the issue but as the above quote indicates, more fixes are probably forthcoming. Firefox users should update to Firefox 57.
Google Chrome is also affected, and according to Google, Chrome will receive a fix in Chrome 64 which will be released on January 23rd. Chrome also provides options for users to enable that will help reduce the effectiveness of these attacks:
Performance and Business Impact
Systems that receive these security updates may experience a performance impact though it is currently difficult to say to what degree. If you are in an operational role, it is important that you evaluate system performance once you have applied OS patches to determine if it will impact your customers.
At an executive level, consider that in a worst case scenario, system performance may degrade 30% across the board. If you are running your systems at 90% capacity and your financial margins are thin, you may find yourself in a crisis situation which results in raising prices or making other changes to adapt to CPUs no longer delivering the performance to which your business model has become accustomed.
Impact On Hardware Design
Meltdown and Spectre are a new class of vulnerability, both in their sophistication and impact. They use timing attacks to exploit flaws in the underlying hardware we use for a majority of our applications today, both in the cloud and on desktops and devices.
A complete fix for Meltdown and Spectre is going to require a CPU replacement. As CERT says, the solution is to “Replace CPU Hardware”.
It is inevitable that other hardware vulnerabilities like these with wide impact that require hardware changes will emerge in the coming years. We can’t buy new hardware every time this happens. So a long term fix may require that we invent a way to dynamically patch the hardware that our software relies on.
This Was Disclosed Early
These vulnerabilities were under embargo until next week. On January 1st, speculation started on a blog titled Python Sweetness, about a major vulnerability that was hardware based and involved memory manipulation. On January 2nd, The Register published a story with some details.
Yesterday on January 3rd, GPZ published full details on their blog, resulting in a huge amount of press and official statements emerging.
An extract from Intel’s official statement makes it clear the vulnerabilities were disclosed early:
“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.”
Meltdown in Action
Update: Apple says Meltdown and Spectre flaws affect ‘all Mac systems and iOS devices,’ but not for long
Apple isn’t immune to Meltdown and Spectre, the major bugs in basic computing architecture that were announced yesterday to widespread amazement and horror. In an announcement, the company said that “all Mac systems and iOS devices are affected,” which sounds right, but that mitigations are either already in place or on the way.
Fortunately, as Apple puts it, “there are no known exploits impacting customers at this time.” But you better believe it won’t stay that way for long. To prevent being the lucky first victim (that we know of) of one of the most serious security issues of the decade, please do check if your devices are up to date.
For some devices, it was handled a while ago: “Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2.” Apple Watch is safe, since Meltdown is a problem with Intel processors and it doesn’t have any. Although reports have warned of performance hits, Apple says it has observed “no measurable reduction” in benchmark scores.
For Spectre, which is a trickier beast both to take advantage of and to fix, patches are forthcoming. “Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.”
Windows Meltdown-Spectre patches: If you haven’t got them, blame your antivirus
Microsoft has warned users that its patches for the dangerous Meltdown CPU bug won’t reach them if their third-party antivirus hasn’t been updated to support this week’s Windows security update.
By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.
Microsoft released software updates for Internet Explorer, Microsoft Edge, Windows, and SQL Server, but customers will also need to apply firmware updates from their respective hardware vendors too.
Surface and Surface Book users can expect an automatic firmware update from Microsoft but those with other hardware will need to check with their vendors.
Unless the antivirus vendor has set a Windows registry key that provides compatibility with the update, users of the affected Windows platform will not be protected by the security updates.
Microsoft also cautions that Windows 7, Windows Server 2008 R2, and Windows 2012 do not have antivirus installed by default. Customers with these platforms can install Microsoft Security Essentials.
Microsoft also confirmed that its testing showed the mitigation did produce “some performance impact”, adding it would not be noticeable to most users. However, it noted that specific impact will vary by the age of the hardware and implementation by the chip vendor.
- Google Project Zero Announcement
- Spectre Paper
- Meltdown Paper
- Intel Official Statement
- ARM Official Statement
- AMD Official Statement
- Amazon AWS Response
- Linode Response
- DigitalOcean Response
- Early speculation on Monday which led to the early announcement
- The Register coverage on Tuesday breaking the story
- Mozilla commentary on Firefox being vulnerable
- Chrome fix release date
- Chrome advice to mitigate these attacks
- CERT official vulnerability note
- Sophos technical analysis and commentary
- BleepingComputer coverage on the vulnerability of Chrome and Firefox