Meltdown and Spectre - Every computer/phone at risk

  • Thread starter Greg Bernhardt
  • Start date
  • Featured
In summary: OMG! Red alert! Red alert! Air raid, Pearl Harbor - This is not a drill! Send lawyers, guns, and money - the stuff has truly hit the fan" - this is also a bona fide emergency. In summary, Meltdown and Spectre are two major flaws affecting nearly every computer and device. These flaws allow attackers to access anything a computer is doing at any moment, and to change it. The fix doesn't actually fix the problem, it just slows down the attackers ability to access side channel cache data, which contains protected memory. There is a lot of misinformation circulating about these vulnerabilities, so I would strongly recommend going straight to the source.
  • #1
19,407
9,949
Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

Security researchers released official documentation — complete with nicknames and logos — of two major flaws found in nearly all modern central processing units, or CPUs.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

https://techcrunch.com/2018/01/03/k...s-affecting-nearly-every-computer-and-device/
 
  • Like
Likes WWGD, davenn, ShayanJ and 4 others
Computer science news on Phys.org
  • #2
Thanks, interesting reading.
 
  • #3
Interesting and breaking!
The article mentions that using this 'exploit' it is possible to access anything a computer is doing at any moment by 'viewing' the logic the computer is doing at any moment, and it is also possible to change it. So I could hack my calculator!? Cool.

Does anybody believe that there might be an attack soon taking advantage of this vulnerability? Or have the issue and the solution been announced at the same time?
 
  • #4
The fix doesn't actually fix the problem, it just slows down the attackers ability to access side channel cache data, which contains protected memory.
The KAISR fix randomises the kernel memory page which slows down the cache read process.

I would say this attack has been in use for some time, drive by website attacks from adverts etc.

It's a fundamental problem arising from low level CPU speed optimisations using out of order pre processing and branch pre processing, which leaves the cache in a "dirty" state (i.e. all the memory used in the branch remains in the cache, and the CPU doesn't check where the calling code originated for the pre processing for speed reasons.
 
  • Like
Likes scottdave and ISamson
  • #5
Could an attack on this topic be done wirelessly, remotely? Or just physically, on the same computer that is the victim?
I don't think the article mentions this.
 
  • #6
  • #7
The side channel (Cache read) code has to execute on the processor in question so no not directly.
But if the machine has been compromised and the machine code cache reader has been loaded and is running on the machine then yes.

If you look into the attack binaries that are available to hackers (See Metasploit etc) it's a simple process after that to transmit the data to a remote host.
 
  • Like
Likes ISamson
  • #8
It'd have to be a multi stage attach, drive by advert or phishing to infect the machine, then cache read binaries executed to actually interrogate the machine.

If your interested I'd suggest one of the white hat hacking courses on source forge ...
https://deals.sourceforge.net/collections/hacking
 
  • Like
Likes ISamson
  • #9
Could it be done remotely, wirelessly? @Idyit
 
  • #10
Yes,brute force wireless attack and then man in the middle attack.
 
  • Like
Likes ISamson
  • #11
  • #13
Idyit said:
The pay what you want course starts at $1, so freeish ... it's well worth it :-) , You will need a credit/debit card though :-(

You could also try these ...
https://phoenixts.com/blog/free-hacking-resources/

I deeply appreciate your help.
My gratitude.
 
  • #14
You're welcome :-)
 
  • #15
Unfortunately the patch for Meltdown could mean a 30% performance hit for computers including PF's server.

This is the the bad underbelly of a monopoly. There are two choices in Intel and AMD (ARM for mobile). All are affected.
 
  • Like
Likes 1 person
  • #16
Greg Bernhardt said:
Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?
There is an astounding amount of misinformation circulating about these two vulnerabilities, so I would strongly recommend going straight to the source for both:
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/meltdown.pdf

They work through the same general principle (observing the side effects of speculatively executed instructions) but are very different both in terms of what they do and how immediately dangerous they are. A summary of the key differences (based on a quick read, so I reserve the right to clarify or correct anything below):
- Meltdown allows a malicious unprivileged program to read kernel memory, and thus, most or all physical memory on most OSes including Windows and Linux, with very high bandwidth. A layman-level summary of the previous sentence is "OMG! Red alert! Red alert! Air raid, Pearl Harbor - This is not a drill! Send lawyers, guns, and money - the stuff has truly hit the fan" - this is a bona fide emergency. Spectre allows a malicious unprivileged program to extract data from another program if you supply input to it and you have found certain (very common) idioms in its compiled code. The layman-level summary is "Gotta get to work on mitigations, pronto".
- Meltdown is straightforward enough that a moderately determined wolf cub with an internet connection and a bent hairpin can open a very high-bandwidth channel on any system that will run the exploit code. Spectre requires appreciably more sophistication and leaks data more slowly.
- Meltdown affects Intel and a few ARM models but not AMD. Spectre will be at least somewhat effective against any modern processor architecture; it's not clear that, even now that we know about the problem a practical design can be completely safe as opposed to having a low upper bound on the rate at which data can be extracted.
- The software workaround for Meltdown can be built into the OS and is very effective. It's also good hygiene, something that maybe should be done even if we didn't have this problem. Spectre may have to be fixed like buffer overflow vulnerabilities, one at a time.
 
Last edited:
  • Like
Likes ShayanJ, scottdave, FactChecker and 1 other person
  • #17
Windows 10 updated for me on Friday, with, among other things, this:
  • Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine.
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

I think this is the patch referenced here:
http://www.zdnet.com/article/window...-if-you-havent-got-them-blame-your-antivirus/

But it also says you need a firmware flash?

What's the risk here, guys? Doesn't your computer have to already be infected with a virus in order to read this data and if your computer is infected you've already lost the war?
 
  • #18
russ_watters said:
What's the risk here, guys? Doesn't your computer have to already be infected with a virus in order to read this data and if your computer is infected you've already lost the war?
Yes, as long as your physical computer is only running software that you know and trust - this is the job of your antivirus protection, your local network administrator, and your own caution clicking links, browsing, and installing software - then you are safe from these exploits. And if I were to get remote execution capability on your computer I'd more likely be installing a root kit than exploiting either of these security vulnerabilities. Nonetheless, you need to patch against them because you, your network admin, your AV software all might (in fact, eventually will) miss something so you want to have done everything you can to limit the damage when that happens.

The really big danger from these vulnerabilities is to servers, especially those hosting multiple VMs. The owner of any application running on the server has read access, via Meltdown, to everything going on that physical machine - passwords, confidential data, encryption keys, everything. Typically if you're using a hosting service you have no idea and no control over who else is hosted on the same physical machine with you so this is a big hairy deal.
 
Last edited:
  • Like
Likes russ_watters
  • #19
russ_watters said:
What's the risk here, guys?

The idea is to have layers of security. If A is breached, then B will hold, and if B is then breached, C will hold, etc. One of those lines of defense was that if a process somehow managed to run on your machine, it couldn't get access to the data being used by any other process. This was true in 1982. It's not true anymore.
 
  • Like
Likes russ_watters
  • #20
Ok, that's what I figured.

I was also thinking that this could be a way around encryption. For example if you were using some local encryption, most viruses wouldn't be able to read the data, but they might be able to get the data (or even the key?) if they were able to watch it be encrypted/decrypted.
 
  • #21
In principle, anything in memory can be read by any process.
 
  • Like
Likes ISamson
  • #22
Nugatory said:
Yes, as long as your physical computer is only running software that you know and trust.

Page 2 of the spectre white paper:
Attacks using JavaScript. In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.
 
  • #23
russ_watters said:
I was also thinking that this could be a way around encryption. For example if you were using some local encryption, most viruses wouldn't be able to read the data, but they might be able to get the data (or even the key?) if they were able to watch it be encrypted/decrypted.
Encryption is well and thoroughly defeated. Encryption keys are exposed, and buffers holding plaintext before encryption and after decryption are wide open.
 
  • #24
Nugatory said:
Yes, as long as your physical computer is only running software that you know and trust
DavidSnider said:
Page 2 of the spectre white paper:
Attacks using JavaScript. ...
Yes indeed. "Software that you know and trust" has to include the Javascript that you're allowing to run on your computer.
 
  • Like
Likes PeterDonis
  • #26
Big Surprise, just another security hole in our computers. This one though seems to be not at the software level but at the hardware level. The only thing that fixes it is to change hardware and since it seems most CPUs are affected we have to wait for the next generation of CPUs...
 
  • #27
In short, Meltdown works like this: Intel CPUs do not check permissions to access memory when load ("read from memory") instructions are executing in the pipeline - permissions are only checked at retirement, when CPU decides to make results of execution permanent (on in this case, decides to raise an exception instead).

Therefore, result of the "prohibited" load *is visible* and can be used by subsequent speculatively executed instructions. If the next speculatively executed instruction is "x=array[load_result]", it will initiate caching of array[load_result]. Even though speculative results are later discarded, the presence of different array elements in cache may then be probed by timing reads, deducing the value of load_result, which in effect means you can read from prohibited memory areas.

CPU was made to work like this probably because CPU performs more speculative operations than retired ones (inevitably, some speculation turns out to be wrong and is discarded), and doing access privilege checks only at retirement saves a tiny bit of power.

AMD is different: it performs access privilege checks during address translation. Disallowed accesses do not load the data (they even do not populate TLB).
 
  • Like
Likes ISamson and Delta2
  • #28
It is important to note that these vulnerabilities occur at HARDWARE level and do not require privilege escalation. It is not yet clear if even CPU microcode updates will be sufficient to completely defend against such attacks as, unlike software dependent attacks, no logs are triggered. AMD and ARM are safer than Intel, but all are at some risk. It is also important to not fall into the trap of mix-match between Meltdown and Spectre. They are quite different. Meltdown has probably been stymied for now with a combination of kernel updates and firmware microcode, especially on SOHO Desktops, Laptops, Tablets. etc. The Cloud may not be so lucky due to massive use of VMs and Spectre which has yet to be fixed. There is a 3rd similar hardware-based vulnerability whose name I can't recall atm but is of somewhat lesser concern.

Thankfully, the early estimates of 30% "tax" on performance were a bit alarmist. It is highly workload type dependent but wide-ranged benchmarking has so far only logged a worst case 10% hit. Despite massive news coverage, so far not a single attack "in the wild" has yet occurred so "the sky ain't falling" , but it is potentially quite serious... maybe especially if you own Intel stock.

It is worthy of note that some machines running AMD that have a switched bit in the kernel are nearly as vulnerable to Meltdown as Intel, but these kernels are rare. AMD however is just as vulnerable to Spectre. Public perception though may tend to lean on Intel as the major fault, though it remains to be seen if Intel's ME (which has access to drives and wifi among other features even when not booted up!) will play a roie in any such exploit.
 
Last edited:
  • Like
Likes russ_watters
  • #29
enorbet said:
AMD however is just as vulnerable to Spectre.

Yes. In truth, Spectre is not a "bug", unlike Meltdown. Any sufficiently OoO CPU should be vulnerable to this type of attacks. Making CPU immune to it would require that CPU stops speculating as soon as it reaches second speculative memory access - but early speculation for memory accesses is very useful for hiding RAM latency!

(There is a variation of Spectre which uses branch prediction buffer. This _can_ be fixed in hardware by tagging BPB entries with thread IDs, and by providing a fast way to purge BPB on task switches).

It's rather non-trivial to exploit Spectre. You need to execute a particular code fragment _in kernel_ - basically, you need to find and abuse specific system call's code to do what you need. You need to target a specific kernel version, build with specific compiler version.

OS can be audited for places where that is possible, and speculation barriers inserted to fix that.
 
  • #30
nikkkom said:
CPU was made to work like this probably because CPU performs more speculative operations than retired ones (inevitably, some speculation turns out to be wrong and is discarded), and doing access privilege checks only at retirement saves a tiny bit of power.

BTW, not only Intel fell into this trap. ARM and one other company (not AMD) has a Meltdown-type bug in its CPUs.
 
  • #31
Australian Cyber Security Centre:
https://www.acsc.gov.au/news/update-on-processor-vulnerabilities-spectre-meltdown.html
 
  • #33
Bruce Schneier is a prominent computer security expert. Here are some excerpts from his blog post on this topic. But I recommend that you read the whole thing (1083 words)

https://www.schneier.com/crypto-gram/archives/2018/0115.html#1 said:
"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable...Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There...aren't mechanisms to push patches onto the devices.
...
The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong.
...
The final reason is...These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
...
It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it.
...
Spectre and Meltdown ...only affect the confidentiality of data.
...
For the average user, this is just another attack method amongst many...It's a much bigger problem for cloud vendors...

Of particular significance is where he said, "...only affect the confidentiality of data." That means that these attacks can't crash computers or cause them to stop working. That is a critical point.
 
  • Like
Likes Greg Bernhardt
  • #34
While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure, or at least potentially so on your personal PC, but much more vulnerable on some of our embedded devices and, of course in the cloud where restricted access is often anathema to doing business. This is partly why credit card farmers don't and haven't ever targeted individual PCs but rather that of banks. Why go after one account when one can harvest many thousands with only a little more work?

That last bit should be a clue as to where the greatest vulnerabilities lie and why we shouldn't be freaking out just because one more, or three more, vulnerabilities have been discovered. Granted that Intel's inclusion of the now expanded functions of the ME, which has access to drives and wifi even when owners view their PCs as essentially powered "Off" and Win10's ability, by individual user's granted access, to read even encrypted disks and farm data which can be and is sent via insecure wifi, have seriously "upped the ante", still it is the Cloud and Internet Enterprise that has millions, even billions, at stake and are the somewhat "low hanging fruit". Individually, limited physical access, a properly configured 2-way firewall and a predilection to avoid clickbait renders even these new vulnerabilities to minimal risk. Don't over react. We can afford to wait and see at least for now.
 
  • #35
enorbet said:
While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure...

Well, the problem is, javascript or flash code running in your browser is in this terminology a _local_ attack.

Remote attack is someone out there on the net sending some packets at you, or looking at your packets flying past him.
 
  • Like
Likes PeterDonis
<h2>1. What are Meltdown and Spectre?</h2><p>Meltdown and Spectre are two security vulnerabilities that affect almost every computer and phone. They exploit a flaw in the design of modern processors, allowing malicious programs to access sensitive data stored in the computer's memory.</p><h2>2. How do Meltdown and Spectre work?</h2><p>Meltdown and Spectre work by taking advantage of a technique called "speculative execution" used by modern processors to improve performance. They trick the processor into accessing sensitive data and leaking it to the attacker.</p><h2>3. How can Meltdown and Spectre affect my computer/phone?</h2><p>Meltdown and Spectre can affect your computer/phone by allowing attackers to access sensitive data such as passwords, emails, and documents stored on your device. This can lead to identity theft, financial loss, and other security issues.</p><h2>4. Is there a way to protect my computer/phone from Meltdown and Spectre?</h2><p>Yes, there are ways to protect your computer/phone from Meltdown and Spectre. Manufacturers have released security patches and updates to fix the vulnerabilities. It is important to regularly update your device's software to ensure you have the latest security patches.</p><h2>5. Are all computers/phones at risk of Meltdown and Spectre?</h2><p>Yes, all computers and phones with modern processors are at risk of Meltdown and Spectre. This includes devices with Intel, AMD, and ARM processors. It is estimated that billions of devices are affected by these vulnerabilities.</p>

1. What are Meltdown and Spectre?

Meltdown and Spectre are two security vulnerabilities that affect almost every computer and phone. They exploit a flaw in the design of modern processors, allowing malicious programs to access sensitive data stored in the computer's memory.

2. How do Meltdown and Spectre work?

Meltdown and Spectre work by taking advantage of a technique called "speculative execution" used by modern processors to improve performance. They trick the processor into accessing sensitive data and leaking it to the attacker.

3. How can Meltdown and Spectre affect my computer/phone?

Meltdown and Spectre can affect your computer/phone by allowing attackers to access sensitive data such as passwords, emails, and documents stored on your device. This can lead to identity theft, financial loss, and other security issues.

4. Is there a way to protect my computer/phone from Meltdown and Spectre?

Yes, there are ways to protect your computer/phone from Meltdown and Spectre. Manufacturers have released security patches and updates to fix the vulnerabilities. It is important to regularly update your device's software to ensure you have the latest security patches.

5. Are all computers/phones at risk of Meltdown and Spectre?

Yes, all computers and phones with modern processors are at risk of Meltdown and Spectre. This includes devices with Intel, AMD, and ARM processors. It is estimated that billions of devices are affected by these vulnerabilities.

Similar threads

  • Computing and Technology
Replies
12
Views
2K
Replies
10
Views
2K
  • Sticky
  • Programming and Computer Science
Replies
13
Views
4K
Replies
23
Views
5K
  • General Discussion
Replies
1
Views
8K
Back
Top