What are Meltdown and Spectre Security Vulnerabilities and How does it affect your Intel / AMD CPU

Author: Shazin Sadakath


This has not been a good couple of years for Intel, arguably the largest and most innovative CPU manufacturer for Computers. We talked about a how an Intel CPU can help to spy on someone with it is problematic IME in the past and now it is surfacing that Intel CPUs are once again vulnerable for two more types of attack vectors.

Meltdown and Spectre in Short

These two attacks are similar. Meltdown is specific to Intel processors and kernel fixes (basically workarounds implemented by operating systems) will result in a 5%-30% speed penalty depending on how the CPU is being used. Spectre is not unique to Intel, but also affects AMD and ARM processors and kernel fixes are not expected to come with a speed penalty.

In the words of Security researcher Joe Fitz following explanation can be given for the Spectre and Meltdown vulnerabilities:

"Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to to read one of the books. You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book. The librarian dutifully goes and gets special book #1, looks at page 1, sees 'C', and also grabs 'C is for Corpse', and comes back to the desk, but does not show you the books. The librarian scans your card, then scans the first book, and says "sorry, you don't have access to this book, let's start over." But puts the books on the nearby re-shelve cart instead of back on the shelf.

In response you say "I'd like to borrow 'A is for Alibi' and the librarian responds "just a moment while I get that". You interrupt and ask for 'B is for Burgler and the librarian responds "just a moment while I get that" again. When you interrupt again, and say "I'd also like C is..." the librarian interrupts you to say ' oh I have that one right here on the cart!" You say "Great! But actually I don't want any books. You can put all those back!" and write down 'C' in your notebook. 

The dutiful librarian re-shelves all the books and then you repeat the process... For every single letter on every page in special book #1. The librarian is especially dutifully and luckily fast, so this only takes you a few moments. Let's try fixing it by having a separate shelf, reshelving rack, librarian, and line for the special collection. It solves the problem, but all the people who have access to and use the special collection complain about how it takes 5 to 30% longer to get their books.

So, the books are memory. The special collection is operating system or other programs memory. The reshelving rack is cache and/or register file. The librarian is the page management. It's not a perfect analogy, but it describes it in non-technical terms. Feedback welcome." (Joe Fitz Twitter)

It’s about Speculative Execution.

In the words of Alan Hightower who is an expert in this topic:

"Suppose you have a variable P that represents some protected non-readable memory location. You create two variables A and B and place them in cache lines that are separate. Then you ensure the cache lines for A and B are not loaded – though any variety of means such as reading a cache size of other data. Then you execute the following pseudo code:

if (bit 0 of P) print A; else print B;

The speculative function of the branch predictor will fetch and evaluate the ‘if’ conditional without consideration of protection bits. It will then pre-fetch the value of A or B depending on the value of bit 0 of P. When it does, it will load the cache line containing the resulting variable. Once the execution point catches up to the predictor, the process will experience an exception.. as any attempt to ready P is illegal. But the damage has been done. Either the cache line containing A or B but not both will be loaded. If you then measure the access time of reading variable B vs A, you can infer the value of bit 0 of P based on the difference. Rinse and repeat for all bits in all values of protected memory.

Not an easy to code or execute exploit… but an potential attack vector all the same.

The current pursued OS work-around is to not map kernel pages into all VM spaces – even if they are protected."

For the most comprehensive info, you can read the PDF whitepapers on Meltdown and Spectre.

Mitigation

These vulnerabilities are in silicon — so they can’t be easily fixed. An Intel “fix” would amount to a product recall. They’ve already said they won’t be doing a recall.

So the fixes fall on the operating systems at the kernel level. It is understandably frustrating for the kernel developers to have to spend time and resources patching these vulnerabilities, which displaces planned feature updates and improvements.



Tags: Meltdown Spectre Intel AMD Kernel
Views: 837
Register for more exciting articles

Comments

Please login or register to post a comment.


There are currently no comments.