Nearly Every Modern Microprocessor Impacted by Meltdown, Spectre Flaws
A pair of flaws in modern computer processors revealed Wednesday could allow attackers to steal passwords, encryption keys, or access system memory.
Researchers from Google’s Project Zero, the Technical University of Graz, and Cyberus Technology late Wednesday cleared a cloud of confusion that had been gathering over a flaw in Intel microprocessors.
Experts speculated at length Monday, Tuesday and much of the day Wednesday over the specifics of the flaw until Google finally published details late yesterday.
It turns out the issue isn't one flaw but two critical flaws in chips present in most modern-day machines. One of the flaws, Meltdown, affects practically every Intel processor since 1995, save for Intel Itanium and Intel Atom chips prior to 2013. Google said that its researchers tested Meltdown on processors dating back to 2011, but that technically any Intel processor that implements out-of-order execution (a technique that makes use of instruction cycles that would otherwise be wasted) is affected.
“If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information,” a description of the bug on meltdownattack.com reads. “This applies both to personal computers as well as cloud infrastructure.”
A patch for Meltdown (CVE-2017-5754) could slow down machines by as little as 5 percent but as much as 30 percent, depending on the task and processor model, experts have said.
The second flaw, Spectre (CVE-2017-5753, CVE-2017-5715), cannot be fixed and affects essentially anything running select processors manufactured by Intel, AMD and ARM, including desktop machines, laptops, cloud servers, and smartphones.
The flaws take advantage of speculative execution, a technique used by modern computer processors to optimize performance. Bad actors could exploit the technique to read system memory that should otherwise be inaccessible. Attacks could expose sensitive information such as passwords, encryption keys, or other data left in an application's memory.
The memory-leaking flaw has forced programmers to overhaul the memory systems of both the Linux and Windows kernels over the last several months.
Google had planned to disclose the vulnerabilities next week, on January 9, the same day patches for Meltdown would've found their way to Windows machines, but published the details early after speculation reached a fever pitch this week.
Google said that one particular test it ran showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and via that, gain read-access to the memory of a different virtual machine on the same host.
The flaw was first reported by The Register on Tuesday after mitigations for it popped up in the Linux kernel earlier this week. The issue was initially referred to by some as KPTI, or Kernel Page Table Isolation, which is actually the name of the fix for the flaw: it separates the kernel’s memory from user processes by giving them separate page tables. A Tumblr blog about the bug, "The mysterious case of the Linux Page Table Isolation patches," surfaced on Monday, the day before The Register's post, and quickly went viral, adding fuel to the proverbial fire around the flaw.
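As an added defender's check (not part of the article or of any vendor's code): since Linux 4.15 the kernel reports its own Meltdown and Spectre mitigation status, including whether KPTI is active, in files under /sys/devices/system/cpu/vulnerabilities. The file names and the "Not affected" / "Vulnerable" / "Mitigation: ..." prefixes are the kernel's; the classification labels and the exit-code convention are assumptions of this script.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's self-reported Meltdown/Spectre
# mitigation status. The kernel exposes one file per issue (meltdown,
# spectre_v1, spectre_v2) whose content starts with "Not affected",
# "Vulnerable" or "Mitigation: <name>" (e.g. "Mitigation: PTI" for KPTI).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one raw status line to an assumed label:
# not-affected, mitigated, vulnerable or unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Read and classify one sysfs file; "missing" means the running kernel
# predates the interface (or this is not Linux), which is not proof of safety.
read_status() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        classify_status "$(cat "$f")"
    else
        echo missing
    fi
}

# Report on the three issues named in the article; return 1 if any
# is reported as vulnerable so the script can gate a deployment step.
report() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(read_status "$v")
        echo "$v: $s"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}
```

Run `report` on a host to see the per-issue labels; "mitigated" for meltdown corresponds to the kernel's "Mitigation: PTI" line once the KPTI patches are active.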
Mitigations similar to those made to the Linux kernel began appearing in public NT kernels in early November, according to Alex Ionescu, a kernel-programming expert who spotted the changes and posted about them on Twitter at the time.
Apple partially fixed the flaw with macOS High Sierra 10.13.2 in December and reportedly plans to further tweak code to protect kernel memory data with 10.13.3, the beta of which is currently being seeded to Apple developers. According to Ionescu, Apple is calling its KPTI solution "Double Map."
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle
— Alex Ionescu (@aionescu) January 3, 2018
Engineers with Mozilla said that it could be possible to use techniques similar to those described in the attack to target browser users. Specifically, Luke Wagner, an engineer with Mozilla, said an attacker could theoretically read private information across different origins. Wagner said Wednesday the company is disabling some time sources in its Firefox browser and reducing the precision of others, in order to prevent attacks from measuring the fine-grained time intervals that such exploitation relies on.
Microsoft pushed out an emergency, out-of-band security update to remedy the issue on Windows 10 machines late Wednesday. Machines running older systems like Windows 7 and 8 are expected to be patched next Tuesday, when the company pushes its regularly scheduled Patch Tuesday updates.
Amazon said it has included an updated kernel for Amazon Linux in its repositories and that newly launched instances should include the updated package. The company is encouraging customers to also patch their instance operating systems in order to be fully protected.
Intel, in a press release on Wednesday, also encouraged users to check with their operating system vendor and apply any available updates. The company stopped short of calling Google's findings a "bug" or "flaw" in its products and instead said "many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits."
Arm, a U.K.-based chip manufacturer, said the majority of its processors aren’t affected by the attacks. It published a list of the Arm-designed processors that are affected on its site.
In an email to the Linux Kernel Mailing List shortly after Christmas, Thomas Lendacky, a PMTS Software Engineer at AMD, said that AMD processors are not vulnerable to the same type of attacks.
"AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault," Lendacky wrote.
AMD stood by Lendacky by largely refuting the research on Wednesday.
"When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings," the company said in a statement. AMD added that its research team identified three variants of the research, one that's expected to have a negligible performance impact on its chips, one that has "a near zero risk of exploitation," and another that has "Zero AMD vulnerability due to AMD architecture differences."
As expected, it didn't take long for keen researchers to devise proof-of-concept attacks, like ways to steal passwords in real time, on Wednesday.
— Michael Schwarz (@misc0110) January 4, 2018
Jann Horn, a researcher with Google's Project Zero team, had a hand in discovering both security issues. A pair of researchers from Cyberus, a German cybersecurity startup, and a quartet of researchers from Graz University of Technology in Austria assisted him on Meltdown. Horn’s Spectre research was assisted by a handful of academics, namely Paul Kocher, a renowned cryptographer who usually sits in on the Cryptographers' Panel at the RSA Conference each year.