Meltdown (cybersecurity vulnerability)

From Conservapedia

Meltdown is the name given to a cybersecurity vulnerability in the processors of computers, tablets, phones, and other such electronic devices. It enables code to be executed on a machine which "breaks" certain "isolation walls" in the processor, enabling user applications to access core operating system information. In this way, software can steal passwords, hashes, and other sensitive information from the operating system itself, and even other programs which are running on the device.[1] This vulnerability affects Intel x86 microprocessors which have been produced since 1995, and some ARM processors.[2][3]

Discovery

This vulnerability was reported by Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher (Cyberus Technology), Daniel Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz (Graz University of Technology).[4] This "rogue data cache load" vulnerability has been assigned the Common Vulnerabilities and Exposures identifier CVE-2017-5754. There are also two other variants of this threat: "bounds check bypass" (CVE-2017-5753) and "branch target injection" (CVE-2017-5715) which have been named "Spectre."[2]
Interestingly, this is not the exploitation of a newly discovered weakness, but of one that has been known about for some time. A paper published in 1992 described this abuse of predictive (speculative) processing, but it was largely dismissed. Three years later, in 1995, another paper was published building on the first, with more detail.

Process

"In any setting where short-term performance optimizations have global effect, a sufficiently clever task can infer the recent history of other tasks by observing its own performance." - Steve Gibson

Due to the complexity of modern processors, every action they take leaves an observable trace, for example in how long a later memory access takes. As a result, it can be possible for a malicious process to acquire data which it should never have access to. By measuring elapsed time and processor activity very carefully, malicious software can infer data which should have been protected from it.

Limitations

While this vulnerability is significant, it is important to note that it can only be exploited by malicious code running on the targeted machine. Software can access information on the system which it should not be able to, but it must first get onto that machine. Therefore, an attack using this requires either a delivery mechanism or physical access. An attacker may be able to use malware to deliver it, such as a trojan or even a worm, or simply convince the user to install it outright. Otherwise, the attacker must have physical access to the target in order to get their code running on it.
Also, the released proof-of-concept code could only read kernel data at a speed of about 2KB/s. While this is a fairly high bandwidth, it still may not be fast enough to access everything the attacker wants.[4]

Solutions

This vulnerability can be patched in a few different ways. One method is to flush the cache used by the CPU every time it switches from processing kernel information to processing user information.[1] Although Intel initially stated that this change probably would not have a noticeable impact on performance, Microsoft disagrees. They report that anyone using processors manufactured in or before 2015 will see a drop in speed.[5]
Indeed, this mitigation tactic does come at a cost. Since caching is used by the CPU to improve performance, emptying the cache causes a noticeable slow-down in processing speed. Information which has been recently used is stored in the cache, and can be quickly accessed again as needed. All other information must be fetched from main memory (RAM), which is much slower to retrieve. When the cache is flushed, the processor must "stall" and wait for the needed data to be transferred from RAM. With this patch applied, users are seeing speed reductions on many of their devices. There were also some problems when the patch was first released, which were reportedly preventing some computers from booting. This interrupted the patching process.[6]
Newer Intel chips support a method of theoretically protecting privileged information using Process-Context Identifiers. When implemented, cached memory is stored with a flag stating which process ID it belongs to. Although this feature has never been fully used, it is believed by some that this offers the best permanent solution to the problem. By flagging cached data in this way, other processes are theoretically unable to access it. However, this solution is not without problems either.

  1. Only newer Intel chips support it, so older devices would not be protected
  2. Not all processor manufacturers support it at all
  3. The operating system must support it as well as the hardware. At the time this vulnerability was officially announced, only Linux had OS support for it, and even there it was not being utilized
  4. Some say that even this does not afford adequate protection

Another option to prevent this threat is to simply reduce the granularity of the clock readings available to software. When Meltdown was discovered, the system clock provided very (and probably unnecessarily) precise time data to all processes. By simply reducing the precision of the clock available to them (for example, restricting them to milliseconds), a malicious process would not have enough precision to carry out this attack.

Thankfully, mitigation of this threat does not require firmware updates.
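Because the patch (page-table isolation) and the PCID feature depend on both the kernel and the CPU, a practitioner will want to check what a given Linux host actually has. The following script is an added example written for this page, not code from Conservapedia or the Linux kernel; it reads the kernel's sysfs vulnerability report and /proc/cpuinfo, and the sample inputs in the block are constructed.

```python
"""Report a Linux host's Meltdown (CVE-2017-5754) mitigation status.

Combines the kernel's verdict in the sysfs 'meltdown' file with the CPU
feature flags, so you can see whether PTI is active and whether the CPU
advertises PCID/INVPCID (which lets PTI avoid a full TLB flush on every
kernel/user switch, the slow-down discussed above).
"""
import os

MELTDOWN_SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"
CPUINFO = "/proc/cpuinfo"


def _first_field(cpuinfo_text, key):
    """Return the whitespace-separated values of the first '<key> : ...' line."""
    for line in cpuinfo_text.splitlines():
        if line.startswith(key):
            return set(line.split(":", 1)[1].split())
    return set()


def assess(meltdown_status, cpuinfo_text):
    """meltdown_status is the one-line sysfs content: 'Not affected',
    'Vulnerable' or 'Mitigation: PTI'. Returns a small status dict."""
    status = meltdown_status.strip()
    flags = _first_field(cpuinfo_text, "flags")
    bugs = _first_field(cpuinfo_text, "bugs")
    affected = status != "Not affected" or "cpu_meltdown" in bugs
    mitigated = status.startswith("Mitigation:")
    return {
        "affected": affected,
        "mitigated": mitigated or not affected,
        "mitigation": status.split(":", 1)[1].strip() if mitigated else None,
        "pcid_hw": "pcid" in flags and "invpcid" in flags,
    }


# Constructed sample inputs, shaped like the real files on a patched host.
SAMPLE_STATUS = "Mitigation: PTI\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme pcid sse4_2 invpcid\nbugs\t\t: cpu_meltdown spectre_v1\n"

if __name__ == "__main__":
    if os.path.exists(MELTDOWN_SYSFS) and os.path.exists(CPUINFO):
        with open(MELTDOWN_SYSFS) as f, open(CPUINFO) as g:
            print("this host:", assess(f.read(), g.read()))
    else:
        print("constructed sample:", assess(SAMPLE_STATUS, SAMPLE_CPUINFO))
```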

References