Meltdown and Spectre - Every computer/phone at risk

[Greg Bernhardt]

Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

Security researchers released official documentation — complete with nicknames and logos — of two major flaws found in nearly all modern central processing units, or CPUs.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

https://techcrunch.com/2018/01/03/k...s-affecting-nearly-every-computer-and-device/

 

[Idyit]

Thanks, interesting reading.

 

[ISamson]

Interesting and breaking!
The article mentions that using this 'exploit' it is possible to access anything a computer is doing at any moment by 'viewing' the logic the computer is doing at any moment, and it is also possible to change it. So I could hack my calculator!? Cool.

Does anybody believe that there might be an attack soon taking advantage of this vulnerability? Or have the issue and the solution been announced at the same time?

 

[Idyit]

The fix doesn't actually fix the problem, it just slows down the attackers ability to access side channel cache data, which contains protected memory.
The KAISR fix randomises the kernel memory page which slows down the cache read process.

I would say this attack has been in use for some time, drive by website attacks from adverts etc.

It's a fundamental problem arising from low level CPU speed optimisations using out of order pre processing and branch pre processing, which leaves the cache in a "dirty" state (i.e. all the memory used in the branch remains in the cache, and the CPU doesn't check where the calling code originated for the pre processing for speed reasons.

 

[ISamson]

Could an attack on this topic be done wirelessly, remotely? Or just physically, on the same computer that is the victim?
I don't think the article mentions this.

 

[ISamson]

Some more resources: https://phys.org/news/2018-01-google-flaws-intel-chips.html

I have been looking for some information on how the attack and procedure could actually have been done, out of interest. I have found nothing so far. Does anybody have a link?

 

[Idyit]

The side channel (Cache read) code has to execute on the processor in question so no not directly.
But if the machine has been compromised and the machine code cache reader has been loaded and is running on the machine then yes.

If you look into the attack binaries that are available to hackers (See Metasploit etc) it's a simple process after that to transmit the data to a remote host.

 

[Idyit]

It'd have to be a multi stage attach, drive by advert or phishing to infect the machine, then cache read binaries executed to actually interrogate the machine.

If your interested I'd suggest one of the white hat hacking courses on source forge ...
https://deals.sourceforge.net/collections/hacking

 

[ISamson]

Could it be done remotely, wirelessly? @Idyit

 

[Idyit]

Yes,brute force wireless attack and then man in the middle attack.

 

[ISamson]

If your interested I'd suggest one of the white hat hacking courses on source forge ...
https://deals.sourceforge.net/collections/hacking

Is there something basic and free? I am 12 years old.:)
Thank you for this resource.

 

[Idyit]

The pay what you want course starts at $1, so freeish ... it's well worth it :-) , You will need a credit/debit card though :-(

You could also try these ...
https://phoenixts.com/blog/free-hacking-resources/

 

[ISamson]

The pay what you want course starts at $1, so freeish ... it's well worth it :-) , You will need a credit/debit card though :-(

You could also try these ...
https://phoenixts.com/blog/free-hacking-resources/

I deeply appreciate your help.
My gratitude.

 

[Idyit]

You're welcome :-)

 

[Greg Bernhardt]

Unfortunately the patch for Meltdown could mean a 30% performance hit for computers including PF's server.

This is the the bad underbelly of a monopoly. There are two choices in Intel and AMD (ARM for mobile). All are affected.

 

[Nugatory]

Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

There is an astounding amount of misinformation circulating about these two vulnerabilities, so I would strongly recommend going straight to the source for both:
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/meltdown.pdf

They work through the same general principle (observing the side effects of speculatively executed instructions) but are very different both in terms of what they do and how immediately dangerous they are. A summary of the key differences (based on a quick read, so I reserve the right to clarify or correct anything below):
- Meltdown allows a malicious unprivileged program to read kernel memory, and thus, most or all physical memory on most OSes including Windows and Linux, with very high bandwidth. A layman-level summary of the previous sentence is "OMG! Red alert! Red alert! Air raid, Pearl Harbor - This is not a drill! Send lawyers, guns, and money - the stuff has truly hit the fan" - this is a bona fide emergency. Spectre allows a malicious unprivileged program to extract data from another program if you supply input to it and you have found certain (very common) idioms in its compiled code. The layman-level summary is "Gotta get to work on mitigations, pronto".
- Meltdown is straightforward enough that a moderately determined wolf cub with an internet connection and a bent hairpin can open a very high-bandwidth channel on any system that will run the exploit code. Spectre requires appreciably more sophistication and leaks data more slowly.
- Meltdown affects Intel and a few ARM models but not AMD. Spectre will be at least somewhat effective against any modern processor architecture; it's not clear that, even now that we know about the problem a practical design can be completely safe as opposed to having a low upper bound on the rate at which data can be extracted.
- The software workaround for Meltdown can be built into the OS and is very effective. It's also good hygiene, something that maybe should be done even if we didn't have this problem. Spectre may have to be fixed like buffer overflow vulnerabilities, one at a time.

 

[russ_watters]

Windows 10 updated for me on Friday, with, among other things, this:

• Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine.

https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

I think this is the patch referenced here:
http://www.zdnet.com/article/window...-if-you-havent-got-them-blame-your-antivirus/

But it also says you need a firmware flash?

What's the risk here, guys? Doesn't your computer have to already be infected with a virus in order to read this data and if your computer is infected you've already lost the war?

 

[Nugatory]

What's the risk here, guys? Doesn't your computer have to already be infected with a virus in order to read this data and if your computer is infected you've already lost the war?

Yes, as long as your physical computer is only running software that you know and trust - this is the job of your antivirus protection, your local network administrator, and your own caution clicking links, browsing, and installing software - then you are safe from these exploits. And if I were to get remote execution capability on your computer I'd more likely be installing a root kit than exploiting either of these security vulnerabilities. Nonetheless, you need to patch against them because you, your network admin, your AV software all might (in fact, eventually will) miss something so you want to have done everything you can to limit the damage when that happens.

The really big danger from these vulnerabilities is to servers, especially those hosting multiple VMs. The owner of any application running on the server has read access, via Meltdown, to everything going on that physical machine - passwords, confidential data, encryption keys, everything. Typically if you're using a hosting service you have no idea and no control over who else is hosted on the same physical machine with you so this is a big hairy deal.

 

[Vanadium 50]

What's the risk here, guys?

The idea is to have layers of security. If A is breached, then B will hold, and if B is then breached, C will hold, etc. One of those lines of defense was that if a process somehow managed to run on your machine, it couldn't get access to the data being used by any other process. This was true in 1982. It's not true anymore.

 

[russ_watters]

Ok, that's what I figured.

I was also thinking that this could be a way around encryption. For example if you were using some local encryption, most viruses wouldn't be able to read the data, but they might be able to get the data (or even the key?) if they were able to watch it be encrypted/decrypted.

 

[Vanadium 50]

In principle, anything in memory can be read by any process.

 

[DavidSnider]

Yes, as long as your physical computer is only running software that you know and trust.

Page 2 of the spectre white paper:

Attacks using JavaScript. In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.

 

[Nugatory]

I was also thinking that this could be a way around encryption. For example if you were using some local encryption, most viruses wouldn't be able to read the data, but they might be able to get the data (or even the key?) if they were able to watch it be encrypted/decrypted.

Encryption is well and thoroughly defeated. Encryption keys are exposed, and buffers holding plaintext before encryption and after decryption are wide open.

 

[Nugatory]

Yes, as long as your physical computer is only running software that you know and trust

Page 2 of the spectre white paper:

Attacks using JavaScript. ...

Yes indeed. "Software that you know and trust" has to include the Javascript that you're allowing to run on your computer.

 

[Lord Crc]

Yes indeed. "Software that you know and trust" has to include the Javascript that you're allowing to run on your computer.

Aka random untrustworthy code:

https://hackernoon.com/im-harvestin...swords-from-your-site-here-s-how-9a8cb347c5b5

 

[Delta2]

Big Surprise, just another security hole in our computers. This one though seems to be not at the software level but at the hardware level. The only thing that fixes it is to change hardware and since it seems most CPUs are affected we have to wait for the next generation of CPUs...

 

[nikkkom]

In short, Meltdown works like this: Intel CPUs do not check permissions to access memory when load ("read from memory") instructions are executing in the pipeline - permissions are only checked at retirement, when CPU decides to make results of execution permanent (on in this case, decides to raise an exception instead).

Therefore, result of the "prohibited" load *is visible* and can be used by subsequent speculatively executed instructions. If the next speculatively executed instruction is "x=array[load_result]", it will initiate caching of array[load_result]. Even though speculative results are later discarded, the presence of different array elements in cache may then be probed by timing reads, deducing the value of load_result, which in effect means you can read from prohibited memory areas.

CPU was made to work like this probably because CPU performs more speculative operations than retired ones (inevitably, some speculation turns out to be wrong and is discarded), and doing access privilege checks only at retirement saves a tiny bit of power.

AMD is different: it performs access privilege checks during address translation. Disallowed accesses do not load the data (they even do not populate TLB).

 

[enorbet]

It is important to note that these vulnerabilities occur at HARDWARE level and do not require privilege escalation. It is not yet clear if even CPU microcode updates will be sufficient to completely defend against such attacks as, unlike software dependent attacks, no logs are triggered. AMD and ARM are safer than Intel, but all are at some risk. It is also important to not fall into the trap of mix-match between Meltdown and Spectre. They are quite different. Meltdown has probably been stymied for now with a combination of kernel updates and firmware microcode, especially on SOHO Desktops, Laptops, Tablets. etc. The Cloud may not be so lucky due to massive use of VMs and Spectre which has yet to be fixed. There is a 3rd similar hardware-based vulnerability whose name I can't recall atm but is of somewhat lesser concern.

Thankfully, the early estimates of 30% "tax" on performance were a bit alarmist. It is highly workload type dependent but wide-ranged benchmarking has so far only logged a worst case 10% hit. Despite massive news coverage, so far not a single attack "in the wild" has yet occurred so "the sky ain't falling" , but it is potentially quite serious... maybe especially if you own Intel stock.

It is worthy of note that some machines running AMD that have a switched bit in the kernel are nearly as vulnerable to Meltdown as Intel, but these kernels are rare. AMD however is just as vulnerable to Spectre. Public perception though may tend to lean on Intel as the major fault, though it remains to be seen if Intel's ME (which has access to drives and wifi among other features even when not booted up!) will play a roie in any such exploit.

 

[nikkkom]

AMD however is just as vulnerable to Spectre.

Yes. In truth, Spectre is not a "bug", unlike Meltdown. Any sufficiently OoO CPU should be vulnerable to this type of attacks. Making CPU immune to it would require that CPU stops speculating as soon as it reaches second speculative memory access - but early speculation for memory accesses is very useful for hiding RAM latency!

(There is a variation of Spectre which uses branch prediction buffer. This _can_ be fixed in hardware by tagging BPB entries with thread IDs, and by providing a fast way to purge BPB on task switches).

It's rather non-trivial to exploit Spectre. You need to execute a particular code fragment _in kernel_ - basically, you need to find and abuse specific system call's code to do what you need. You need to target a specific kernel version, build with specific compiler version.

OS can be audited for places where that is possible, and speculation barriers inserted to fix that.

 

[nikkkom]

CPU was made to work like this probably because CPU performs more speculative operations than retired ones (inevitably, some speculation turns out to be wrong and is discarded), and doing access privilege checks only at retirement saves a tiny bit of power.

BTW, not only Intel fell into this trap. ARM and one other company (not AMD) has a Meltdown-type bug in its CPUs.