Google security blog recently revealed a security flaw in all the modern day processors. The vulnerability is based on the speculative execution which is used by the CPUs to optimize system performance. As a consequence, nearly all the Cloud Services Providers which includes AWS, Azure, IBM, Google had to update their systems to protect them from the possible vulnerabilities. These vulnerabilities are Spectre and Meltdown. You can find out the detailed information on both of these vulnerabilities here.
So what are Meltdown and Spectre ?
Understanding CPU architecture will help us to set the back ground. There are two architectures of CPUs, 32 bit and 64 bit, which essentially means that processor can process this much data and memory addresses.
32 bit architecture : The CPU has a limitation that it can address 4 GB of data. There are two types of data which the CPU handles 1. Kernel data 2. User data. In 32 bit architecture Kernel data takes 1 GB of data and is always at the beginning of the memory space. Whereas User data takes remaining data and it occupies the remaining 3 GB. Theoretically visibility from User memory to kernel memory is restricted.
64 bit architecture : The addresses which CPUs can read got increased and the 4 GB restriction was also removed. There is one more important change. Kernel now has something called KASLR, Kernel Address Space Layout Randomisation. KASLR reserves an address space for Kernel data which is random and thus becomes difficult to identify where the Kernel data is stored. This was done to resolve the vulnerabilities that could happen when an attacker could find out Kernel data.
The processor has a Translation Lookaside buffer (TLB) which is used to switch between user space and kernel space. Kernel space entries of TLB are not flushed because it’s a time consuming process to repopulate TLB. So long as memory leaks from kernel space do not find their way into user space, an attacker would not be able to infer the kernel’s location. Unfortunately, such leaks do occur, either from software errors or the hardware itself.
Another important concept that has to be understood is speculative execution which means some tasks are performed even before it’s determined whether they are needed to be done or not. If the speculation is correct that the tasks will have to be performed then it’s fine otherwise the results are ignored or discarded. It’s like you carry the umbrella or rain coat speculating that it may rain today.
It’s discovered that user space instructions can be used to retrieve kernel memory due to processors’ use of “speculative execution” that will attempt to guess what code will be executed in the next few cycles and “pre-execute” it in an attempt to increase performance. At times, this may mean that multiple code segments are pre-executed at the same time until the correct one is needed. The other segments are then discarded. Attackers may take the advantage of this speculative execution, insert their malicious code and retrieve sensitive information.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre ; Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Below devices are affected because of Spectre and Meltdown :
- IoT Devices
The attacker can do the following And here is all that are vulnerable :
- Steal passwords from password manager and browser
- Personal Photos
- Instant Messages
- Business Critical documents
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers