Nearly a dozen cybersecurity researchers this week reported two potentially serious exploits of vulnerabilities that exist in most modern processors.
Three teams — Jann Horn at Google Project Zero, a team at Cyberus Technology, and a team at the Graz University of Technology — independently discovered and reported the Meltdown exploit.
Two teams — Google Project Zero’s Horn; and a team led by Paul Kocher, including representatives from the University of Pennsylvania, University of Maryland, Rambus, University of Adelaide, and Data61 — independently discovered and reported the Spectre exploit.
The Meltdown and Spectre exploits leave no traces in traditional log files, but they could be used to capture sensitive information on devices, including passwords and even encryption keys.
Because Meltdown and Spectre are difficult, if not impossible, to distinguish from regular applications, traditional antivirus software is unlikely to detect or block them.
The security researchers haven’t been able to determine if either has been used in the wild to date, but they did note that there now are patches for Meltdown for Linux, Windows, and OS X. Work to harden software against exploitation by Spectre is ongoing.
“Meltdown” is so named because the malware, in essence, “melts” security boundaries that hardware normally enforces. The “Spectre” name is based on its root cause, namely the speculative execution.
Beyond Windows and PCs
What makes both Meltdown and Spectre especially insidious is that it isn’t just desktops and laptops that are potentially at risk. Because the malware works by exploiting the out-of-order execution that is implemented by Intel processors, there is a risk for virtually all of the company’s processors produced since 1995 — with the exception of Intel Itanium and Intel Atom before 2013.
Both Meltdown and Spectre work by utilizing side channels to obtain information. Meltdown works by breaking the mechanism that should keep applications from accessing arbitrary system memory, while Spectre tricks other applications into accessing arbitrary locations.
Meltdown can exploit Intel processor generations going back almost a decade, the researchers have found, but they currently have verified only chipsets made by Intel. It is not known if Meltdown will affect ARM or AMD processors.
However, almost every system is affected by Spectre. That includes desktops, laptops, cloud servers, and even smartphones.
Spectre takes advantage of all modern processors that are capable of keeping many instructions in flight. To date, the researchers have found that processors from Intel, AMD, and ARM are, in fact, affected. Thus, devices made by Amazon, Apple, Google, Microsoft, and other consumer electronics and computer makers all are at risk from this exploit.
Breakdown in the System
For years there have been warnings against trusting strange emails or clicking on suspicious links. There have been strong recommendations to run antivirus and antimalware software. However, the existence of problems like these in the core of computer systems goes beyond what anyone expected.
“Not all programs on your computer deserve the same trust, and that is especially true of programs that make up your device’s operating system,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
Modern hardware is designed so that only specialized programs that are needed to keep the device going are totally trusted. All other programs run in isolation, so they don’t break one another, he told TechNewsWorld. In addition, data may be shared only by going through trusted services and gaining their permission.
“That’s how it is supposed to work, and chip manufacturers go to extraordinary lengths to design products so that resources become shared between programs only when a trusted service gives permission,” Purtilo added.
“The rules are stringent, and enforcing them in hardware is the bedrock of computer security today,” he noted. “Unfortunately, the chips in question allow one program to access another’s data without following these rules; an obscure sequence of instructions can deceive the hardware and allow data access without following all the rules.”
Multilevel Security Fail
Because computers run software from multiple vendors, there are frequent opportunities to open new holes. However, researchers often find hidden flaws that could date back years or more.
“It is probably in an old part of the code that hasn’t been changed, revised, or updated,” said Roger Entner, principal analyst at Recon Analytics.
“It has always worked, so nobody went back to check it,” he told TechNewsWorld. “If it ain’t broken, don’t fix it.”
“Processors are such huge engineering feats that you try to minimize the things you change,” Entner added.
Because chips are spectacularly complex, even after extensive testing, it is not unheard of to find that some combination of instructions can produce a defective result. Usually, it is very minor.
“We hate to see this happen in the hardware related to enforcing rules on multilevel security, though. That’s especially awkward,” said Purtilo.
“When it comes to protecting a shared resource, a chipmaker needs to defend all the paths in, whereas a malicious program only needs to find one path in,” he pointed out, “and buried among the complex paths these chips offer, Intel simply missed an important one.”
Exploiting the Flaws
The actual danger that Meltdown presents to Intel chipsets and Spectre to virtually all vendors is a matter of debate, as neither apparently has been exploited as yet.
“In fact, they’re rather difficult to exploit,” said Roger Kay, principal analyst at Endpoint Technologies Associates.
“The companies were all working toward a solution when The Register leaked the news about a week early, and that’s why everyone is scrambling,” he told TechNewsWorld.
“For Intel, which essentially owns the server market, the biggest vulnerability is in cloud service customers like Amazon, Google, and Microsoft,” he added.
“The issue here is that a malicious tenant in a joint tenancy virtual machine can invade the space of another, at least theoretically,” Kay explained.
Yet, because the news has broken, there is a concern that it could become weaponized, which has resulted in vendors scrambling to address it quickly. Were this a software hole, the issue would be much easier to address.
“Since the problem is in hardware and can’t be fixed, the workaround involves software patches for all the operating environments — but the problem is the patches slow performance,” said Kay.
“Intel made an architectural decision that favored performance — speed — over security at a time before something like virtualization became commonplace,” Kay noted. “It allowed data to remain in memory so that a user program could access elements in kernel memory.”
That approach may have been convenient and quick, but it left open cases having to do with speculative and out-of-order execution. The result is Meltdown and Spectre.
Plugging the Holes
Normally software updates can patch vulnerabilities, but when it is the chipsets that are affected, addressing the issue is far more complex. To date, Google has reported that it has secured its products, while Amazon announced it would work to ensure that its products are secure.
Perhaps most worrisome is the fact that now that the exploits have been discovered and published, hackers could try to take advantage of them before users can take corrective measures.
Chipmakers will need to roll out software updates, but users can help protect themselves in other ways — including by keeping all programs up to date, running security software to ensure that devices are free of malware, and exercising good old-fashioned due diligence.
That could include watching for phishing scams that might introduce malware aimed at utilizing Meltdown and Spectre.
“Operating system designers now know to add software checks to prevent this obscure condition from causing an exploit,” said Purtilo, “so this is a good reminder of the importance of applying patches and keeping your devices up to date.”