The new year started hard for three major processor manufacturers. On 3 January 2018 two big flaws were discovered in Intel, AMD and ARM processors. The first only affects Intel products, while the second weakness can be found in Intel, AMD and ARM processors alike. Let’s see what Meltdown and Spectre is about.
Meltdown (CVE-2017-5754 is the official reference to Meltdown) was found independently by researchers from Google’s Project Zero, Cybereus Technology, and Graz University of Technology. Meltdown affects every modern Intel processor produced in the last decade.
Microcode update can not fix this error (it is in the x86-64 architecture), so this has to be fixed at the OS level if you want to keep using your current processor with the design flaw. Unfortunately these fixes will hinder your processor’s performance by 5 to 30% (although it is still being benchmarked).
KPTI (Kernel Page Table Isolation) patches move the kernel to a different address space, so it will not just be invisible to the programs, it will not be there. To prevent the bypassing of kernel access protection they need to do this, but now the OS needs to switch between two address spaces for every system call or every interrupt from the hardware. Obviously this will slow down the existing systems. The amount of performance loss will vary of the processor types (chips with PCID will likely be less affected by the performance loss).
At best case this can lead to malicious users exploit other security bugs more easily. At worst, running programs or logged in users can read the kernel’s memory. The kernel’s memory space is hidden from anything for a reason, any sensitive information could be accessed from there.
Luckily there are fixes for Linux, Microsoft and OS X.
Spectre (CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre) is the second big vulnerability that was discovered by Google’s Project Zero and Paul Kocher in collaboration with other researchers. They confirmed that both Intel, AMD and ARM processors are vulnerable. And while it is harder to fix, thankfully it is also more tricky to exploit.
Spectre can break the isolation between applications themselves allowing one application to access other processes memory or it’s own process alike. This means – for example – a Java script from a website can learn about cookies from other sites running from the same browser. It also allows the malicious programs to access information about error-free programs.
The tricky part of Spectre, that it is not a single vulnerability, but the paper describes a whole class of potential vulnerabilities. Read this article from ARM for more info on the variants.
It is possible, that guests can access the host server’s memory using a KVM virtual machine. Google says: “When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian’s distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.“
There are no known fixes for Spectre yet due to it’s complex nature.
The reactions were really different: CERT suggests to throw out your CPU and buy a new one without the fault, while Intel responded trying to deny that there is a big problem. Look for the fixes as soon as you can and wait for the benchmarks to see how much performance loss do Intel processors suffer.