Understanding Spectre and Meltdown
Jair Ribeiro
Analytics and Insights Leader | Data-Driven Innovation, AI Excellence
2018 began with the discovery of the Spectre and Meltdown bugs, which are disturbing the sleep of many people, especially Intel's engineers, whose CPUs are affected by both bugs. ARM is not immune either, in some variants of its Cortex CPUs, and to a different degree neither is AMD, which is affected only by Spectre.
Both flaws are putting a strain on trust in CPU security, not least because of the risks in virtualized environments and in the cloud.
Meltdown was discovered independently by Jann Horn from Google's Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, as well as Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology.
The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre.
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
However, Meltdown and Spectre are flaws that exploit the way modern processors are hardcoded to use speculative execution—they don’t check permissions correctly and leak information about speculative commands that don’t end up being run. Oops.
As a result, user programs can potentially steal glimpses of protected parts of the kernel memory. That’s memory dedicated to the essential core components of an operating system and their interactions with system hardware, and it’s supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.
Apparently Meltdown, which appears to be caused by a design error in how virtual memory management is regulated, is "remediable": the software fix is delivered with updates, but it also leads to a slowdown in performance. The vulnerability lies in hardware defects; software mitigates them, but with the processor designed as it is now, the same performance can no longer be obtained.
As for Spectre, the problem is different and in some respects much more severe, because it concerns every single process in addition to the kernel.
In simple terms, the processor does not verify that every piece of information is erased at the memory level, which leaves it possible to read data belonging to other processes by following the traces left behind.
This is a vulnerability of unprecedented gravity, especially because it can expose cloud virtualization solutions to the highest risks: data on the servers that host virtual machines could be read by a guest.
The solution to the Spectre vulnerability can only come from rewriting every single software application so that it cannot be attacked through the CPU bug, a job that is unthinkable in a short time and that carries very high costs.
I believe the lesson we can learn from this story is that vendors thought they fully controlled their CPUs and instead simply failed in their design, and this does not seem a trivial matter.
Spectre and Meltdown have therefore undermined the foundations of trust in a component that is also critical for cloud solutions. We are used to keeping the software producers in the crosshairs, but in this case the hardware manufacturers are involved, CPU makers in particular.
These two flaws require the redesign of the CPU and of essential portions of the operating systems and, despite the clamor over the revelations, the repercussions will be much greater than expected.
Who’s at risk?
Since this is a hardware bug, everything running on affected processors is vulnerable including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers such as Amazon and Google.
Microsoft has prepared a patch for Windows 10 and is working on fixes for Windows 7 and Windows 8. More info here.
Apple has released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre. Apple Watch is unaffected by both Meltdown and Spectre.
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre.
What do you need to do?
Update your devices! Find 5 minutes spare out of your day to check for updates, and make sure they’re fully installed. I recommend checking frequently over the next few days as new patches are released that make it much more difficult for hackers to leverage these vulnerabilities.
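On a Linux machine you can confirm that the updates actually took effect by reading the status the kernel publishes for each issue. The script below is an added example, not part of the original article: the sysfs directory is the kernel's own interface, while the function names and the verdict labels (ok, mitigated, partial, vulnerable, unknown) are assumptions of this example.

```python
from pathlib import Path

# Linux reports per-vulnerability status here (kernels without this
# directory predate the interface and should be treated as unpatched).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to ok/mitigated/partial/vulnerable/unknown."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "ok"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    if text.startswith("Mitigation:"):
        # A mitigation line may still flag a weak sub-feature,
        # e.g. "...; SMT vulnerable", so do not report it as fully mitigated.
        return "partial" if "vulnerable" in text.lower() else "mitigated"
    return "unknown"


def read_report(base_dir=SYSFS_DIR, entries=ENTRIES):
    """Return {entry: (verdict, raw_line)} for each entry under base_dir."""
    report = {}
    for name in entries:
        try:
            raw = (Path(base_dir) / name).read_text().strip()
        except OSError:
            # File missing or unreadable: the kernel does not report this issue.
            report[name] = ("unknown", "not reported by this kernel")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Entries that are not clean: candidates for a kernel or firmware update."""
    return sorted(name for name, (verdict, _) in report.items()
                  if verdict not in ("ok", "mitigated"))


if __name__ == "__main__":
    current = read_report()
    for name, (verdict, raw) in current.items():
        print(f"{name:12} {verdict:10} {raw}")
    print("needs attention:", ", ".join(needs_attention(current)) or "none")
```

Any entry listed under "needs attention" after updating means the kernel or the CPU microcode is still missing a mitigation, so check again once the next round of patches is installed.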
What about IBM Power series?
On Jan 4, 2018 at 10:05 pm EST, IBM released a note explaining that the vulnerability impacts all microprocessors, including processors in the IBM POWER family. The note specifies that the first line of defense is the firewalls and security tools that most organizations already have in place, and that the complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems.
IBM recommends that impacted customers review the available patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied. More information is available here.