Meltdown and Spectre - Every computer/phone at risk

  1. Jan 4, 2018 #1
    Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

    https://techcrunch.com/2018/01/03/k...s-affecting-nearly-every-computer-and-device/
     
  2. jcsd
  3. Jan 4, 2018 #2
    Thanks, interesting reading.
     
  4. Jan 4, 2018 #3

    ISamson

    Gold Member

    Interesting and breaking!
    The article mentions that using this 'exploit' it is possible to access anything a computer is doing at any moment by 'viewing' the logic the computer is doing at any moment, and it is also possible to change it. So I could hack my calculator!? Cool.

    Does anybody believe that there might be an attack soon taking advantage of this vulnerability? Or have the issue and the solution been announced at the same time?
     
  5. Jan 4, 2018 #4
    The fix doesn't actually fix the problem, it just slows down the attacker's ability to access side channel cache data, which contains protected memory.
    The KAISER fix randomises the kernel memory page which slows down the cache read process.

    I would say this attack has been in use for some time, drive by website attacks from adverts etc.

    It's a fundamental problem arising from low level CPU speed optimisations using out of order pre processing and branch pre processing, which leaves the cache in a "dirty" state (i.e. all the memory used in the branch remains in the cache, and the CPU doesn't check where the calling code originated for the pre processing for speed reasons).
     
  6. Jan 4, 2018 #5

    ISamson

    Gold Member

    Could an attack on this topic be done wirelessly, remotely? Or just physically, on the same computer that is the victim?
    I don't think the article mentions this.
     
  7. Jan 4, 2018 #6

    ISamson

    Gold Member

  8. Jan 4, 2018 #7
    The side channel (Cache read) code has to execute on the processor in question so no not directly.
    But if the machine has been compromised and the machine code cache reader has been loaded and is running on the machine then yes.

    If you look into the attack binaries that are available to hackers (See Metasploit etc) it's a simple process after that to transmit the data to a remote host.
     
  9. Jan 4, 2018 #8
    It'd have to be a multi stage attack, drive by advert or phishing to infect the machine, then cache read binaries executed to actually interrogate the machine.

    If you're interested I'd suggest one of the white hat hacking courses on source forge ...
    https://deals.sourceforge.net/collections/hacking
     
  10. Jan 4, 2018 #9

    ISamson

    Gold Member

    Could it be done remotely, wirelessly? @Idyit
     
  11. Jan 4, 2018 #10
    Yes, brute force wireless attack and then man in the middle attack.
     
  12. Jan 4, 2018 #11

    ISamson

    Gold Member

  13. Jan 4, 2018 #12
  14. Jan 4, 2018 #13

    ISamson

    Gold Member

    I deeply appreciate your help.
    My gratitude.
     
  15. Jan 4, 2018 #14
    You're welcome :-)
     
  16. Jan 5, 2018 #15
    Unfortunately the patch for Meltdown could mean a 30% performance hit for computers including PF's server.

    This is the bad underbelly of a monopoly. There are two choices in Intel and AMD (ARM for mobile). All are affected.
     
  17. Jan 5, 2018 #16

    Nugatory


    Staff: Mentor

    There is an astounding amount of misinformation circulating about these two vulnerabilities, so I would strongly recommend going straight to the source for both:
    https://spectreattack.com/spectre.pdf
    https://meltdownattack.com/meltdown.pdf

    They work through the same general principle (observing the side effects of speculatively executed instructions) but are very different both in terms of what they do and how immediately dangerous they are. A summary of the key differences (based on a quick read, so I reserve the right to clarify or correct anything below):
    - Meltdown allows a malicious unprivileged program to read kernel memory, and thus, most or all physical memory on most OSes including Windows and Linux, with very high bandwidth. A layman-level summary of the previous sentence is "OMG! Red alert! Red alert! Air raid, Pearl Harbor - This is not a drill! Send lawyers, guns, and money - the stuff has truly hit the fan" - this is a bona fide emergency. Spectre allows a malicious unprivileged program to extract data from another program if you supply input to it and you have found certain (very common) idioms in its compiled code. The layman-level summary is "Gotta get to work on mitigations, pronto".
    - Meltdown is straightforward enough that a moderately determined wolf cub with an internet connection and a bent hairpin can open a very high-bandwidth channel on any system that will run the exploit code. Spectre requires appreciably more sophistication and leaks data more slowly.
    - Meltdown affects Intel and a few ARM models but not AMD. Spectre will be at least somewhat effective against any modern processor architecture; it's not clear that, even now that we know about the problem, a practical design can be completely safe as opposed to having a low upper bound on the rate at which data can be extracted.
    - The software workaround for Meltdown can be built into the OS and is very effective. It's also good hygiene, something that maybe should be done even if we didn't have this problem. Spectre may have to be fixed like buffer overflow vulnerabilities, one at a time.
     
    Last edited: Jan 5, 2018
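The post above notes that the Meltdown workaround (KPTI) is built into the OS. Once it is, the kernel itself reports whether it is active: Linux 4.15 and later expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and more in later kernels), each holding a single status line such as "Mitigation: PTI", "Not affected" or "Vulnerable: ...". The script below is an added example, not code from this thread or from any of its posters; it reads that interface when present and otherwise runs on a constructed sample so it can be tried offline. The verdict categories (mitigated / vulnerable / not_affected / unknown) are this example's own, derived from the leading word of each kernel status line.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise the kernel's own report
# of speculative-execution mitigations. Linux 4.15+ exposes one file per issue
# under /sys/devices/system/cpu/vulnerabilities/, each holding one status line.
# The sample lines at the bottom are constructed for offline use.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Collapse one kernel status line into a coarse verdict. The prefixes
# "Not affected", "Mitigation:" and "Vulnerable" are the kernel's wording;
# anything else is reported as unknown rather than guessed at.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Emit "name<TAB>status" for every readable file in the sysfs directory.
read_live_status() {
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Read "name<TAB>status" lines on stdin, print a table, and print the number
# of issues still reported as vulnerable as the final line.
report() {
    tab=$(printf '\t')
    count=0
    while IFS="$tab" read -r name status; do
        verdict=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$name" "$verdict" "$status"
        if [ "$verdict" = "vulnerable" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Count-only helper: same input as report, outputs just the vulnerable count.
count_vulnerable() {
    report | tail -n 1
}

# Constructed sample (not taken from a real machine): the shape of an
# early-2018 Intel system that has PTI but not yet a full retpoline build.
SAMPLE=$(printf 'meltdown\tMitigation: PTI\nspectre_v1\tMitigation: __user pointer sanitization\nspectre_v2\tVulnerable: Minimal generic ASM retpoline')

if [ -d "$VULN_DIR" ]; then
    read_live_status | report
else
    printf '%s\n' "$SAMPLE" | report
fi
```

On a patched Linux host the meltdown line reads "Mitigation: PTI"; a non-zero final count is the signal that something (typically spectre_v2 before a retpoline-built kernel and microcode) still needs attention. Windows has no sysfs equivalent, but the same kind of check exists there as Microsoft's SpeculationControl PowerShell module.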
  18. Jan 7, 2018 #17

    russ_watters


    Staff: Mentor

    Windows 10 updated for me on Friday, with, among other things, this:
    https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

    I think this is the patch referenced here:
    http://www.zdnet.com/article/window...-if-you-havent-got-them-blame-your-antivirus/

    But it also says you need a firmware flash?

    What's the risk here, guys? Doesn't your computer have to already be infected with a virus in order to read this data and if your computer is infected you've already lost the war?
     
  19. Jan 7, 2018 #18

    Nugatory


    Staff: Mentor

    Yes, as long as your physical computer is only running software that you know and trust - this is the job of your antivirus protection, your local network administrator, and your own caution clicking links, browsing, and installing software - then you are safe from these exploits. And if I were to get remote execution capability on your computer I'd more likely be installing a root kit than exploiting either of these security vulnerabilities. Nonetheless, you need to patch against them because you, your network admin, your AV software all might (in fact, eventually will) miss something so you want to have done everything you can to limit the damage when that happens.

    The really big danger from these vulnerabilities is to servers, especially those hosting multiple VMs. The owner of any application running on the server has read access, via Meltdown, to everything going on that physical machine - passwords, confidential data, encryption keys, everything. Typically if you're using a hosting service you have no idea and no control over who else is hosted on the same physical machine with you so this is a big hairy deal.
     
    Last edited: Jan 7, 2018
  20. Jan 7, 2018 #19

    Vanadium 50

    Staff Emeritus
    Science Advisor
    Education Advisor
    2017 Award

    The idea is to have layers of security. If A is breached, then B will hold, and if B is then breached, C will hold, etc. One of those lines of defense was that if a process somehow managed to run on your machine, it couldn't get access to the data being used by any other process. This was true in 1982. It's not true anymore.
     
  21. Jan 7, 2018 #20

    russ_watters


    Staff: Mentor

    Ok, that's what I figured.

    I was also thinking that this could be a way around encryption. For example if you were using some local encryption, most viruses wouldn't be able to read the data, but they might be able to get the data (or even the key?) if they were able to watch it be encrypted/decrypted.
     