Information security news & discussion
from the Defiant team.

The Impact of Meltdown & Spectre Vulnerabilities

This entry was posted in Security on Jan 4, 2018 by Mark Maunder

Google’s Project Zero (GPZ) is a team of leading security researchers with an established track record of groundbreaking research. Yesterday they announced a set of flaws in CPU designs that give rise to two kinds of vulnerabilities.

It is early in the year, but this may be the most important and impactful security vulnerability of 2018. Meltdown affects any software running on Intel chips, no matter the operating system or vendor: according to the Meltdown paper, potentially every Intel processor since 1995 that implements out-of-order execution, except Itanium and Atom processors released before 2013. Spectre is broader still and affects Intel, AMD and ARM processors.

The vulnerabilities were discovered by collaborating researchers at University of Pennsylvania, University of Maryland, Graz University of Technology, Cyberus Technology, Rambus Cryptography Research Division, University of Adelaide and Data61 along with researchers at GPZ.

The flaws were first reported confidentially by the researchers to CPU makers Intel, AMD and ARM on June 1st, 2017. Disclosure was under embargo until next week, but public speculation about kernel patches that fix the issue led to early disclosure starting on January 1st, 2018. Most of the information was finally disclosed by the researchers involved yesterday, January 3rd. Research associated with the flaws was published on the Google Project Zero blog.

They have named the flaws Spectre and Meltdown. You can find the academic paper on Spectre on this page (PDF) and the paper on Meltdown on this page (also PDF). I am providing mirrored copies of both PDF papers on our site because at the time of writing, both source websites were down, probably due to excess traffic. Spectre Mirror and Meltdown Mirror.

Both of these vulnerabilities stem from performance optimizations in CPUs, so the security fixes may have a performance impact. Some news sources are claiming up to a 30% performance impact, while more authoritative sources indicate this number is exaggerated. Intel’s official statement says: “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Intel has been accused of downplaying the seriousness of the vulnerability, both in terms of how badly Intel CPUs are affected and the negative effects of these vulnerabilities.

ARM also released an official statement, as did AMD.

The Meltdown Vulnerability

Meltdown is the first of the two vulnerabilities that GPZ disclosed. It exploits a CPU performance optimization known as out-of-order execution to read arbitrary kernel memory, and because the kernel on most operating systems maps all physical memory into its own address space, that in practice means reading any memory on the machine. The attack is independent of the operating system and does not rely on any software vulnerability. In other words, it is a flaw in the chip hardware that is exploitable on any system, whatever operating system it runs and whether or not the software on it has a vulnerability of its own.

Meltdown allows an attacker to read memory that they should not have access to in other processes, other virtual machines on the same system and across various other permission boundaries. This affects a huge number of cloud service providers and personal computer and device users.

There is a mechanism that operating system developers can use to protect against this attack: unmapping kernel memory from the page tables used while user code runs, called KAISER in the research and kernel page-table isolation (KPTI) in Linux. You will be seeing a large number of operating system patches released and deployed during the coming days to secure systems against Meltdown.

Spectre

Spectre is a vulnerability that exploits another performance enhancement in modern CPUs, known as speculative execution. Hence the name, Spectre.

Modern processors use speculative execution to improve performance. The mechanism lets the processor guess which way a branch will go and execute the code down that path before the branch condition is known, for example while waiting for a slow memory read that the condition depends on. Once the read completes, if the processor guessed right it keeps the results of the computation; if it guessed wrong, it discards them and restarts from the correct path. Either way the program’s visible state is correct, but the discarded work can leave traces behind, most importantly in the CPU cache.

Spectre attacks induce a victim processor to speculatively perform operations that would not occur during correct program execution. Those operations leak confidential information through a side channel such as the cache.

This attack violates many security models including process separation, containerization and others.

Of particular concern to those of us in the website security community is the following passage from the research paper:

“Attacks using JavaScript. In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.”

According to the research, makeshift processor-specific countermeasures for Spectre are possible, but a long term fix will require a fundamental improvement to CPU architectures.
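Concretely, the first Spectre variant targets a bounds check. The C below is an added illustration, not code from the paper or from this post: a bounds-checked array read of the shape the attack exploits, beside two hardened forms, a serializing lfence (the processor-specific countermeasure the paper and Intel point to) and a branchless index mask of the kind the Linux kernel later adopted as array_index_nospec. The array names and contents are illustrative assumptions; the cache-timing probe that would recover the leaked byte is deliberately not included, so running it shows only the architectural results, which are identical for all three functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_LINE 64        /* one array2 entry per 64-byte cache line */
#define ARRAY1_LEN 16

/* Illustrative data (assumption, not from the paper); the attacker chooses x.
 * array1_size is a non-const global so the compiler cannot fold the check. */
static size_t array1_size = ARRAY1_LEN;
static uint8_t array1[ARRAY1_LEN] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * CACHE_LINE];

/* Fill array2 so that array2[v * CACHE_LINE] == v; returns bytes written. */
size_t init_arrays(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / CACHE_LINE);
    return sizeof array2;
}

/* VULNERABLE: the Spectre variant 1 gadget. Architecturally the check is
 * correct, but while the comparison is unresolved the CPU may speculatively
 * run both loads with an out-of-bounds x. The second load pulls the line
 * array2[array1[x] * CACHE_LINE] into the cache, and that footprint survives
 * when the misspeculated work is squashed, so a timing probe (not shown)
 * can recover array1[x] for any x, including addresses outside array1. */
uint8_t victim_function(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Countermeasure 1: serialize. On x86, lfence does not complete until every
 * earlier instruction (including the branch) has, so the loads cannot run
 * ahead of it. The non-x86 fallback is only a compiler barrier and does NOT
 * stop the CPU; it is here so the file builds elsewhere, not as a fix. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

uint8_t victim_function_lfence(size_t x) {
    if (x < array1_size) {
        speculation_barrier();
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Countermeasure 2: branchless index clamping (same idea as Linux's
 * array_index_mask_nospec). Computed with arithmetic only, so it is right
 * even on a misspeculated path: all ones when idx < size, zero otherwise.
 * Requires size <= SIZE_MAX / 2. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    /* size - 1 - idx wraps (top bit set) exactly when idx > size - 1;
     * idx itself has the top bit set for absurdly large indexes. */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    /* Stop the compiler from "knowing" idx is in range on the taken branch
     * and deleting the mask; speculation does not respect that knowledge. */
    __asm__ __volatile__("" : "+r"(oob));
    return oob - 1;   /* 0 -> SIZE_MAX (keep idx), 1 -> 0 (clamp to index 0) */
}

uint8_t victim_function_masked(size_t x) {
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);   /* 0 if speculated out of bounds */
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void) {
    init_arrays();
    for (size_t x = 0; x < array1_size + 2; x++)
        printf("x=%2zu  vulnerable=%3u  lfence=%3u  masked=%3u\n", x,
               victim_function(x), victim_function_lfence(x), victim_function_masked(x));
    return 0;
}
```

The masked form is preferred in hot paths because lfence stalls the pipeline on every call; the mask costs a few ALU instructions and no branch. Both only close this one gadget, which is why the paper calls such fixes makeshift: every bounds check reachable with attacker-controlled input needs the same treatment.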

Fixing Meltdown and Spectre and Their Impact

Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.

That is not feasible for existing chips, so to fix this issue for existing CPUs, operating system vendors are going to have to release fixes. That means you will see security fixes for the following OSes released in the coming days: Windows, macOS, Linux and probably Android. When you see a fix available for your PC or device, apply it as soon as is practical, because it will probably contain a fix for these issues.
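Once a patch is applied, the practical question is whether the kernel actually enabled the mitigations. The program below is an added example, not from the original post or any vendor; it assumes a Linux kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ files (added in 4.15 and backported by distributions, so after this post was written). It classifies each one-line status string by the keywords the kernel uses (“Not affected”, “Mitigation: …”, “Vulnerable…”) and exits non-zero if anything is vulnerable or unreadable. A kernel too old to have the files is reported as unknown, not as fixed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Status files exposed by the Linux kernel (4.15+ and distribution backports). */
static const char *const status_files[] = {
    "/sys/devices/system/cpu/vulnerabilities/meltdown",
    "/sys/devices/system/cpu/vulnerabilities/spectre_v1",
    "/sys/devices/system/cpu/vulnerabilities/spectre_v2",
};

enum mitigation_status {
    STATUS_NOT_AFFECTED = 0,  /* hardware does not have the flaw */
    STATUS_MITIGATED    = 1,  /* kernel reports an active mitigation */
    STATUS_VULNERABLE   = 2,  /* flaw present, no (or only partial) mitigation */
    STATUS_UNKNOWN      = 3,  /* unrecognised text, or file missing/unreadable */
};

/* Classify one status line by its leading keyword. The kernel writes lines
 * such as "Not affected", "Mitigation: PTI", "Vulnerable" and, on newer
 * kernels, "Vulnerable: <partial mitigation detail>". Prefix matching means a
 * trailing newline does not matter. */
enum mitigation_status classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read the first line of one status file into buf and classify it.
 * A missing file is STATUS_UNKNOWN: absence of the file is not evidence
 * that the mitigation is present. */
enum mitigation_status read_status(const char *path, char *buf, size_t buflen) {
    FILE *f = fopen(path, "r");
    if (!f) {
        snprintf(buf, buflen, "(unreadable: %s)", strerror(errno));
        return STATUS_UNKNOWN;
    }
    if (!fgets(buf, (int)buflen, f)) {
        buf[0] = '\0';
        fclose(f);
        return STATUS_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_status(buf);
}

/* Scan all known files and print one line each. Returns the number of files
 * that are VULNERABLE or UNKNOWN, so 0 means everything the kernel reports
 * on is handled. */
int check_host(void) {
    int problems = 0;
    char line[256];
    for (size_t i = 0; i < sizeof status_files / sizeof status_files[0]; i++) {
        enum mitigation_status s = read_status(status_files[i], line, sizeof line);
        const char *label = s == STATUS_NOT_AFFECTED ? "not affected" :
                            s == STATUS_MITIGATED    ? "mitigated" :
                            s == STATUS_VULNERABLE   ? "VULNERABLE" : "UNKNOWN";
        printf("%-52s %-12s %s\n", status_files[i], label, line);
        if (s == STATUS_VULNERABLE || s == STATUS_UNKNOWN)
            problems++;
    }
    return problems;
}

int main(void) {
    return check_host() == 0 ? 0 : 1;
}
```

Run it after every reboot that follows a kernel or microcode update; a fleet-wide job that treats a non-zero exit as a failed change is the check most operations teams want here. Note that a status of “Mitigation” says nothing about the performance cost, which still has to be measured.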

Because the vulnerabilities are in the mechanisms CPUs use to improve performance, the fixes may have a performance impact. Chip vendors like Intel are playing down the impact, while some news media are playing it up. I would suggest taking a wait-and-see approach, because ultimately, benchmarks of the new operating system patches are the only accurate way to reliably determine whether there will be a performance impact and, if so, of what magnitude.

If you are a hosting provider that uses cloud services for your customers, expect your cloud provider to reboot systems during the coming days and have your operations team on standby to ensure that everything cycles back normally. And of course, keep your customers apprised of the situation.

If you use hosting services, like WordPress hosting, you should be aware that your hosting or cloud provider may need to reboot systems over the coming days as they apply patches for Meltdown and Spectre. Unless you have a 100% fully managed WordPress site, it may be up to you to check that certain services for your site came back up after the reboot. Keep a close eye on bulletins from your host over the coming hours and days and ensure you check your site and systems as soon as they come back up after any reboot or down time.

So far we are seeing notifications of maintenance or reboots for the following hosts and cloud providers:

If your cloud provider is not listed above, keep an eye on their blog and Twitter account for updates.

At this time we are not seeing updates from major hosting providers to their customers. The operational impact of these updates will probably flow upwards in architectural terms. In other words, CPU vendors were first notified and responded, then operating system vendors, then cloud providers like AWS and Linode and next we will see service providers respond.

These would include hosting companies, DNS service providers, storage providers, backup providers and other providers of services and applications. In many cases, for service providers, there may be no operational impact if they have built redundancy into their application and are able to perform partial fleet reboots without disrupting service.

Chrome and Firefox Affected

Luke Wagner has confirmed on the Mozilla blog that Firefox is affected by these attacks:

“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes.”

They have already implemented and released fixes to mitigate the issue, but as the above quote indicates, more fixes are probably forthcoming. The current mitigations reduce the resolution of the performance.now() timer to 20 microseconds and disable SharedArrayBuffer, both of which make the timing measurement the attack depends on harder from JavaScript. Firefox users should update to Firefox 57.0.4, where those changes shipped.

Google Chrome is also affected, and according to Google, Chrome will receive a fix in Chrome 64, which will be released on January 23rd. In the meantime Chrome provides an option users can enable that reduces the effectiveness of these attacks, Site Isolation (chrome://flags/#enable-site-per-process), which runs each site in its own renderer process so that one site’s JavaScript shares no address space with another site’s data:

https://www.chromium.org/Home/chromium-security/ssca

Updating your browser is very important, because delivering malicious JavaScript or other web-based code is one of the easiest ways for an attacker to get their code running on your system.

Performance and Business Impact

Systems that receive these security updates may experience a performance impact though it is currently difficult to say to what degree. If you are in an operational role, it is important that you evaluate system performance once you have applied OS patches to determine if it will impact your customers.

At an executive level, consider that in a worst case scenario, system performance may degrade 30% across the board. If you are running your systems at 90% capacity and your financial margins are thin, you may find yourself in a crisis situation which results in raising prices or making other changes to adapt to CPUs no longer delivering the performance to which your business model has become accustomed.

As a customer or end-user, I would reserve judgement on any performance impact until benchmarks are released. If someone tells me that sunspot activity is slowing down my workstation, I tend to notice slowness on my workstation. It is difficult to quantify performance changes until someone does the work to produce accurate and precise benchmarks.

Impact On Hardware Design

Meltdown and Spectre are a new class of vulnerability, both in their sophistication and their impact. They use cache-timing side channels to exploit flaws in the underlying hardware we use for the majority of our applications today, both in the cloud and on desktops and devices.

A complete fix for Meltdown and Spectre is going to require a CPU replacement. As CERT says, the solution is to “Replace CPU Hardware”.

It is inevitable that other hardware vulnerabilities like these with wide impact that require hardware changes will emerge in the coming years. We can’t buy new hardware every time this happens. So a long term fix may require that we invent a way to dynamically patch the hardware that our software relies on.

This Was Disclosed Early

These vulnerabilities were under embargo until next week. On January 1st, speculation started on a blog titled Python Sweetness, about a major vulnerability that was hardware based and involved memory manipulation. On January 2nd, The Register published a story with some details.

Yesterday on January 3rd, GPZ published full details on their blog, resulting in a huge amount of press and official statements emerging.

An extract from Intel’s official statement makes it clear the vulnerabilities were disclosed early:

“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.”

Conclusion

This story is now major news with plenty of coverage and commentary. The authoritative sources for this story are the GPZ blog, the research papers, statements from chip makers Intel, AMD and ARM and the blog posts from cloud providers like AWS and Linode. Check your vendor blogs and vendor Twitter accounts for updates on security and service interruptions.

If you have any additional reliable and accurate resources, research or commentary related to this, I would appreciate if you would leave them in the comments.

Mark Maunder – Defiant Founder/CEO.


10 Comments on "The Impact of Meltdown & Spectre Vulnerabilities"

John January 4, 2018 at 7:53 am • Reply

"If someone tells me that sunspot activity is slowing down my workstation, I tend to notice slowness on my workstation."

Indeed correct. We humans are our own worst enemy sometimes.

Luke January 4, 2018 at 8:04 am • Reply

This sounds like the new heartbleed 😬 I hope this is resolved quickly and feel bad for everyone it will affect. Hopefully, it won't cause too many issues before it's patched.

Lisa Rose January 4, 2018 at 8:05 am • Reply

It is inevitable that other hardware vulnerabilities like these with wide impact that require hardware changes will emerge in the coming years

Jeremy OConnell January 4, 2018 at 8:11 am • Reply

I agree the exact performance hits are unknown. I tend to think the average home user and small website will not see much or anything of a performance hit.

I did, however, raise an eyebrow that PostgreSQL is seeing a rather noticeable hit. That isn't good. While most people don't stress or need the power of their current systems, key servers, along with video editors and graphic designers, often push their systems to the limit.

The bottom line is we need better hardware patch management that is OS neutral. In fact we really need patches from, say, Intel that may be applied without having to wait on, say, Asus, Gigabyte, Dell, HP, etc. or the OSes themselves. Of course having patches from additional sources is good, but we still need to be able to patch Intel, AMD, etc. CPUs directly.

In reality a lot of this should be turned over to more open projects, which is why Google is working on replacing a lot of Intel code with open code after the Intel Management Engine flaws.

I realize no one can find all the bugs, but I have a growing sense too much is being added to these processors with little to no security testing. It is wasteful and unrealistic to think the world can just go buy all new CPUs. Also, what about the next issue in the replacements? Perhaps it is time to bring back the openness of RISC.

Paul January 4, 2018 at 10:57 am • Reply

"Perhaps it is time to bring back the openness of RISC."

Exactly what I was thinking...

Gregg Buchanan January 4, 2018 at 11:07 am • Reply

Thank you Defiant Team for quickly bringing this to our attention. I am waiting for my AV product support to give me the OK to apply the fixes. There are a lot of reasons to be a Wordfence Premium user.

Jordan January 4, 2018 at 12:03 pm • Reply

So is it only Intel that's affected? Should I warn Intel users not to use Chrome for a while? Let's face it, no common user is going to enter Chrome settings to enable a feature that will help with security. Kind of surprised Google is not releasing the patch sooner.

JudyK January 4, 2018 at 6:31 pm • Reply

From Software Project Management Guru Gerald Weinberg:

"Weinberg's Second Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization."

Having been a low-level software engineer (embedded, real time systems) for part of my previous life (and software QA geek for another part), I find the degree of our dependence on such fallible tech frightening...

We already have a successful assault on DNS servers via IoT devices... and if insufficient attention has been paid to the security of cpu chips, imagine how insufficient it is with IoT devices...

...the number of successful attacks on supposedly, or hopefully, secure systems is, like I said about this, disturbing.

I lobbied for software security training in 2016 with one organization which offers free certificated courses in web development and was told there wasn't sufficient demand. :( (They may have such courses now, I'm not sure.)

The degree and impact of these kinds of security problems just seems to keep getting bigger.

Greg January 5, 2018 at 4:01 am • Reply

I personally feel that these days new techniques and technologies are being developed to make all kinds of tasks easier; the focus is on that and not the security implications. Most of the groundbreaking technologies then suffer some kind of huge flaw or vulnerability that could potentially have been averted if there was more focus on security.

Jones January 5, 2018 at 2:43 pm • Reply

It will have a big impact on people who are not aware of such a vulnerability. For many computer users, displaying whatever information they access, it's OK. What about the company who just bought a few new servers to replace the old ones?
