Two critical architectural flaws in CPUs that allow applications to read kernel memory have been discovered. The first, named Meltdown, relates to the behavior of out-of-order execution on CPUs, neutralizing security models based on address space isolation and paravirtualized software containers, such as Docker. This allows applications to read any mapped physical memory, including at the kernel level. The second, Spectre, is a flaw in branch prediction and speculation that allows applications to read kernel memory.
SEE: Information security incident reporting policy (Tech Pro Research)
It is important to note that Meltdown and Spectre generally represent hardware-level flaws. While software vulnerabilities are comparatively easy to patch, this class of vulnerability requires architectural changes for future products. For existing devices, software patches and configuration changes–including limiting or removing access to specific CPU instructions–can assist in minimizing risk, but complete risk mitigation may not be possible. Presently, it is unclear if CPU microcode updates can completely mitigate these vulnerabilities.
What the vulnerabilities include, and who is vulnerable
Spectre includes a bounds check bypass covered in CVE-2017-5753 and branch target injections covered in CVE-2017-5715. Meltdown is a rogue data cache load, which is covered in CVE-2017-5754. These vulnerabilities allow attackers to read system memory that would not otherwise be accessible by a program. Of the two, Meltdown is faster (about 120 KB per second), while Spectre has been demonstrated only at 1500-2000 bytes per second. Meltdown and the Spectre bounds check bypass are exploitable after boot, though branch target injection vulnerability requires 10-30 minutes for initialization on a system with 64 GB RAM, which is anticipated to scale “roughly linearly” with increases in host RAM size.
SEE: Google reveals trio of speculative execution flaws, says AMD affected (ZDNet)
AMD processors appear to not be vulnerable to branch target injections, with the company claiming a “near zero” risk, noting that there has not yet been any demonstrated vulnerability. Additionally, the researchers note that AMD and ARM processors are not vulnerable to Meltdown. A previously submitted patch to the Linux kernel to address Meltdown has been modified to exclude AMD.
That patch is causing considerable consternation, as Intel processors are all affected by Meltdown and Spectre (except for Atom processors before 2013, and the Itanium series). The workarounds to prevent memory from being improperly read on Intel processors result in performance regressions. Early estimates were quite harsh, though real-world impact has been lower than the 30% figure bandied about thus far. Naturally, all performance is workload-dependent, though noted benchmarking website Phoronix has measured VM performance regression at roughly 10% for Redis, Apache, and PostgreSQL, with higher numbers for synthetic tests like Stress-NG, and negligible change for Himeno and Parboil.
The most critical problem the pair of vulnerabilities poses long term is for the entire cloud computing industry. With minimal time and investment, hackers can leverage Meltdown to escape from the confines of a VM to read information in memory-passwords, SSH keys, etc. from other VMs on the same machine. While Meltdown is being patched presently, and is substantively easier to exploit than Spectre, there is at present no solution to Spectre other than hardware replacement. Additionally, the aggregate effect of performance regressions as a result of patching means longer processing time for tasks, and higher cloud computing costs.
Vulnerabilities in the wild
It’s unclear if Meltdown or Spectre have been used in the wild, as the vulnerabilities are not software exploits, and would not be traceable in system logs. This also makes the pair difficult to detect as part of a malware attack, though known malware signatures are still possible to determine by traditional means.
How vendors are responding
Intel has released a statement which scarcely addresses the vulnerabilities, noting that “Intel believes these exploits do not have the potential to corrupt, modify or delete data,” though no claims that it could have been made by the researchers.
Google has patched this in Google Cloud Platform, in the January 2018 Android security bulletin, and on Chromebooks running Linux kernel 3.18 and 4.4 as of Chrome OS 63. For Chrome Browser users, Site Isolation can be used to mitigate attacks, with additional patches to be delivered in Chrome 64, which is due for release on January 23rd.
Other statements have been released by AMD, ARM, Mozilla, and Red Hat.