Thursday, January 4, 2018

Spectre and Meltdown: processors pay the price of speculation

Intel, Advanced Micro Devices, ARM architecture

Security: Last night, breaking Intel's embargo, Google revealed details of the vulnerabilities in Intel processors that drew the community's attention earlier this week. The Spectre and Meltdown vulnerabilities allow an attacker to read the machine's memory, despite the protections in place.

Anyone listening closely yesterday evening could hear the cries of pain from sysadmins who finally learned the details of the latest security flaw affecting Intel processors, and those of other manufacturers as well. The rumors began after The Register spotted several patches slated for an upcoming Linux kernel update that changed how the kernel handles components interacting directly with the processor, which suggested a flaw in Intel's chips. On the chipmaker's side, radio silence: details of the flaw were embargoed until January 9, and Intel had not expected such a rapid publication.

Unfortunately, faced with speculation and questions, the Google engineers behind the discovery decided to shoot first and break the embargo by publishing details of two major vulnerabilities affecting processors: Spectre and Meltdown.

In a series of blog posts and sites dedicated to the flaws, Google engineers take stock and summarize the scope of the two vulnerabilities. They are made possible by circumventing the memory-layout protection known as KASLR, combined with the "speculative execution" techniques that many processors use to improve performance. These techniques are used by the vast majority of Intel processors sold since 1995, but also by the competition: some ARM processor models and some AMD processors are also affected by these vulnerabilities.

Two Flaws, Two Moods

Meltdown (CVE-2017-5754) is an Intel-only vulnerability. It allows privilege escalation, since it lets a process access memory reserved for the kernel, the core of the operating system. It can thus let an attacker reach confidential data stored on the machine, such as passwords or credentials. Meltdown lets an attacker who can execute code on the machine read the entire memory address space allocated to the kernel, along with its contents.

It is particularly problematic for machines shared by several users, such as cloud instances: a user of an instance exploiting Meltdown can access all of the machine's memory and thus potentially recover other users' data. Meltdown must be fixed at the operating-system level, by implementing Kernel Page Table Isolation (KPTI), which ensures complete separation between the memory space allocated to the kernel and the spaces allocated to users. This is what the Linux kernel patch set that put the community on the trail of these flaws implemented.

Spectre (CVE-2017-5753 and CVE-2017-5715) is not an Intel-only vulnerability; other manufacturers are also affected by this variant. Using mechanisms similar to Meltdown's, Spectre lets one program access the memory of another program and thereby retrieve confidential information.

Google researchers describe a scenario in which an attacker steals data held in the machine's RAM directly from a malicious website, running JavaScript code that exploits the flaw. Spectre may nevertheless be somewhat harder to fix, since this time it requires corrections made directly in the applications themselves, or a deep redesign of processor architectures to eliminate the vulnerability completely.
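The article says Meltdown is fixed in the operating system (KPTI) while Spectre needs fixes at the application level, and an administrator's first question is whether a given Linux machine has those fixes in place. The script below is an added example, not code from the article or from Google's research: it reads the kernel's own per-issue status files and turns them into a pass/fail check. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (mainline Linux 4.15 and distribution backports, which appeared after this article was written) and the `pti` flag in `/proc/cpuinfo`; the file name `check-mitigations.sh`, the `--report` flag, and the sample values in `demo_constructed` are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own report of
# Meltdown/Spectre mitigation status on Linux.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/
# (mainline 4.15 and distribution backports), one file per issue; each file
# holds a line such as "Mitigation: PTI", "Vulnerable" or "Not affected".
# SYSFS_VULN_DIR can be overridden to point at a captured copy of that directory.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Prints one word: mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# status_file NAME
# Prints the status line for one issue (meltdown, spectre_v1, spectre_v2),
# or a placeholder when the running kernel does not expose it.
status_file() {
    if [ -r "$SYSFS_VULN_DIR/$1" ]; then
        cat "$SYSFS_VULN_DIR/$1"
    else
        echo "unknown (not exposed by this kernel)"
    fi
}

# report_all
# Prints one line per issue and returns 1 if any of them is still vulnerable,
# so the script can double as a check in configuration management or monitoring.
report_all() {
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        line=$(status_file "$issue")
        verdict=$(classify_status "$line")
        printf '%-10s %-12s %s\n' "$issue" "$verdict" "$line"
        [ "$verdict" = vulnerable ] && rc=1
    done
    # Meltdown's fix is KPTI, which Linux also advertises as a cpuinfo flag;
    # show it so an admin can cross-check the meltdown verdict above.
    if grep -qw pti /proc/cpuinfo 2>/dev/null; then
        echo "cpuinfo: 'pti' flag present (Kernel Page Table Isolation active)"
    fi
    return "$rc"
}

# demo_constructed
# Builds a constructed copy of the sysfs directory (sample values, not taken
# from any real machine) and runs the report against it. One entry is left
# vulnerable on purpose, so the report's exit status is 1.
demo_constructed() {
    dir=$(mktemp -d)
    echo "Mitigation: PTI" > "$dir/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$dir/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$dir/spectre_v2"
    ( SYSFS_VULN_DIR="$dir"; report_all )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run the live report only when invoked with --report, so the functions can
# also be sourced by other scripts or tests.
if [ "${1:-}" = "--report" ]; then
    report_all
    exit $?
fi
```

Run `sh check-mitigations.sh --report` on a host to print the three status lines and get exit status 1 if any issue is still reported as vulnerable; `demo_constructed` shows the same output format on the constructed sample without touching the real sysfs. Note that a `mitigated` verdict only reflects what the kernel reports about itself: as the article says, Spectre also needs fixes inside individual applications (browsers in particular), which this check cannot see.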


Neither flaw has so far been exploited by cybercriminals, but their details are now public and they could be built into new malware in the future.

Don't confuse speed with haste

These flaws exploit methods that processors use to speed up the execution of instructions. Meltdown relies on out-of-order execution, a technique processors use to execute instructions efficiently: instructions are not necessarily executed in the order they were issued, and the researchers found that this mechanism has defects that let an attacker recover the machine's memory.

Using Meltdown gives access to all of the machine's memory, without security restrictions. Google researchers explain that this method can recover data at a rate of 503 KB/s.

Spectre relies on a closely related mechanism, also used to improve processor performance: speculative execution, in which the processor begins executing instructions before it knows whether they are actually needed, in order to optimize performance.

These techniques are common across the microprocessor industry, and while Intel is taking most of the blame, the chipmaker is not the only one whose processors are affected: AMD and ARM are also victims, to a lesser extent. Intel remains the manufacturer most affected, because of its architectural choices as well as its dominance of the processor market. It defended itself last night in a statement, but this is hard to deny: the flaw mainly hurts Intel's image.

The attack is therefore a real headache: besides being particularly dangerous and not necessarily easy to fix, the failure of coordinated communication and the broken embargo do not simplify matters. The flaw was discovered last year by researchers, and the industry planned to quietly fix its systems before revealing details of the vulnerability on January 9. Unfortunately for them, the embargo did not hold that long.
