Details of “Meltdown” and “Spectre” Attacks Against Intel and AMD Chips Disclosed
Researchers have disclosed technical details of two new attack methods that exploit critical flaws in CPUs from Intel, AMD and other vendors. They claim billions of devices are vulnerable, allowing malicious actors to gain access to passwords and other sensitive data without leaving a trace.
There have been reports in the past few days about a critical flaw in Intel CPUs that allows an attacker to gain access to kernel space memory. It turns out that there are actually two different attacks and researchers say one of them impacts AMD and ARM processors as well.
AMD representatives have claimed that their products are not vulnerable, which has contributed to the company’s stock going up 7 percent. Intel released a statement saying that the vulnerabilities are not unique to its products after its shares lost 4 percent in value.
Meltdown and Spectre
The side-channel attacks, dubbed Meltdown and Spectre by researchers, allow malicious applications installed on a device to access data as it’s being processed. This can include passwords stored in a password manager or web browser, photos, documents, emails, and data from instant messaging apps.
Attacks can be launched not only against PCs, but also mobile devices and cloud servers. While there is no evidence of exploitation in the wild, researchers pointed out that the attacks don’t leave any traces in traditional log files and they are unlikely to be detected by security products – although security products may detect the malware that launches Meltdown and Spectre.
Meltdown was discovered independently by Jann Horn of Google Project Zero, researchers from Cyberus Technology, and a team from the Graz University of Technology in Austria. Spectre was found independently by Horn, and a group of experts from various universities and companies. Technical papers and proof-of-concept (PoC) code have been published for each of the attack methods, and Intel, Microsoft, ARM and Google Project Zero are expected to publish their own advisories.
Memory isolation mechanisms found in modern computer systems should normally prevent applications from reading or writing to kernel memory or accessing the memory of other programs. However, the Meltdown and Spectre attacks bypass these protections.
Meltdown, so named because it “melts” the security boundaries normally enforced by hardware, can be leveraged to read arbitrary kernel memory locations. A malicious unprivileged app can use it to read memory belonging to other programs and even to other virtual machines in cloud environments. The vulnerability behind Meltdown is tracked as CVE-2017-5754.
Researchers say it’s unclear whether Meltdown affects ARM and AMD processors, but it has been confirmed to impact nearly every Intel processor made since 1995, specifically CPUs that implement the performance feature known as out-of-order execution.
Spectre, on the other hand, has been confirmed to affect not just Intel, but also AMD and ARM processors. However, AMD claims there is a “near zero risk” to its processors due to their architecture.
Desktops, laptops, smartphones and cloud servers are impacted, but the vulnerability is more difficult to exploit than Meltdown.
The attack has been named Spectre because its root cause is speculative execution and it will “haunt us for quite some time” due to the fact that it’s not easy to fix. The CVE identifiers CVE-2017-5753 and CVE-2017-5715 have been assigned to Spectre.
Spectre breaks the isolation between different applications, allowing an attacker to trick programs that follow best practices into leaking secrets stored in their memory.
“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory,” researchers explained. “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”
Meltdown attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating the kernel space from user space memory. It’s based on the KAISER system developed last year by a team of researchers at Graz University.
KPTI has already been implemented in the Linux kernel and Microsoft has been working on a similar system for Windows. Apple is also said to be working on patches for macOS.
Cloud providers that use Intel CPUs and Xen paravirtualization are impacted. Amazon Web Services (AWS) and Microsoft Azure have been working on patches and they have informed customers that cloud instances will need to be rebooted in the upcoming days to apply security patches.
Google has addressed the vulnerabilities in its Cloud products and services. The company pointed out that while attacks are not easy to launch against Android devices, the latest Android security updates do provide additional protection.
Spectre attacks are more difficult to block. However, researchers say it’s possible to prevent specific known exploits using software patches.
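To verify on a Linux host whether the KPTI mitigation described above is actually active, and what the kernel reports for the Spectre variants, here is an added example (not from the article or the researchers): a POSIX shell script that reads the kernel's own per-flaw status files under /sys/devices/system/cpu/vulnerabilities/ (present from Linux 4.15 onward) and cross-checks the `pti` CPU flag in /proc/cpuinfo. The sysfs file names and status strings are the kernel's real interface; the verdict labels and column layout are this example's own choice.

```shell
#!/bin/sh
# Linux 4.15+ exposes one file per flaw under /sys/devices/system/cpu/vulnerabilities/
# (meltdown, spectre_v1, spectre_v2) whose content is "Not affected",
# "Vulnerable[: detail]" or "Mitigation: <technique>"; KPTI reports as "Mitigation: PTI".
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one status line to a coarse verdict: not-affected | mitigated | VULNERABLE | unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "unknown" ;;   # empty string: kernel too old to report
    esac
}

# Name the mitigation from a "Mitigation: X" line ("PTI" for KPTI), or "-" if none.
mitigation_name() {
    case "$1" in
        "Mitigation: "*) printf '%s\n' "${1#Mitigation: }" ;;
        *)               echo "-" ;;
    esac
}

# Read a status file if this kernel provides it; print an empty line otherwise.
read_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1" 2>/dev/null || echo ""
    else
        echo ""
    fi
}

# One line per flaw for the running host, then a second opinion on KPTI from the
# "pti" CPU flag that patched kernels add to /proc/cpuinfo.
report_host() {
    for flaw in meltdown spectre_v1 spectre_v2; do
        status=$(read_status "$flaw")
        printf '%-10s %-12s %-8s %s\n' "$flaw" "$(classify_status "$status")" \
            "$(mitigation_name "$status")" "$status"
    done
    if grep -qw pti /proc/cpuinfo 2>/dev/null; then
        echo "KPTI: enabled (pti flag present in /proc/cpuinfo)"
    else
        echo "KPTI: pti flag not found in /proc/cpuinfo"
    fi
}

report_host
```

A "VULNERABLE" verdict for meltdown on an Intel host, or a missing `pti` flag on a kernel that should carry KPTI, means the patch discussed above is not in effect and the host has not been rebooted into the fixed kernel.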
Intel addresses concerns of performance penalties introduced by mitigations
Since KPTI had already been implemented in the Linux kernel before the disclosure – it was this work that led experts to figure out that there was a serious vulnerability in Intel CPUs – several tests have been conducted to determine the impact of the mitigation on performance.
The researchers who developed the KAISER method reported a negative impact of only 0.28 percent on performance, but tests conducted now showed that performance penalties can reach as much as 30 percent, depending on what types of operations are being conducted.
Michael Schwarz, one of the researchers involved in the discovery of the Meltdown and Spectre vulnerabilities, has confirmed for SecurityWeek that there definitely can be a significant performance penalty for certain types of workloads.
“We ran some benchmarks on our initial KAISER implementation which showed only small performance impacts on modern CPUs. However, we guess that the performance penalties reported by other people (something between 5% – 30%) are realistic on older CPUs and unusual workload (e.g., many syscalls),” Schwarz said.
Intel has reassured customers that any performance impacts are workload-dependent and they should not be significant for the average user. Furthermore, the chip maker says performance impact will be mitigated over time.
* Updated with information on Google patches