04 Jan Meltdown & Spectre Critical CPU Vulnerabilities
Meltdown & Spectre: Critical CPU Vulnerabilities
Google’s Project Zero (GPZ) is a think tank of leading-edge security researchers who have established a track record of groundbreaking research. Yesterday they announced a set of flaws in CPU architectures that create two kinds of vulnerabilities.
It is early in the year, but this may be the most important and impactful security vulnerability in 2018. This affects any software running on Intel chips, no matter the operating system or vendor. This affects every Intel processor since 1995 that implements out-of-order execution, except Itanium, and the Atom before 2013.
The vulnerabilities were discovered by collaborating researchers at University of Pennsylvania, University of Maryland, Graz University of Technology, Cyberus Technology, Rambus Cryptography Research Division, University of Adelaide and Data61 along with researchers at GPZ.
The flaws were first reported confidentially by researchers to CPU makers Intel, AMD and ARM on June 1st, 2017. Disclosure was under embargo until next week, but public speculation on kernel patches that fix this issue led to early disclosure starting on January 1st, 2018. Most information was finally disclosed by the researchers involved yesterday, January 3rd. Research associated with the security flaws was published on the Google Project Zero blog.
They have named the flaws Spectre and Meltdown. You can find the academic paper on Spectre on this page (PDF) and the paper on Meltdown on this page (also PDF). I am providing mirrored copies of both PDF papers on our site because at the time of writing, both source websites were down, probably due to excess traffic. Spectre Mirror and Meltdown Mirror.
Both of these vulnerabilities stem from performance optimizations in CPUs. The security fixes may have a performance impact. Some news sources are claiming up to 30% performance impact, while more authoritative sources indicate this number is exaggerated. Intel’s official statement says “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Intel has been accused of downplaying the seriousness of the vulnerability, both in terms of how badly Intel CPUs are affected and the negative effects of these vulnerabilities.
ARM also released an official statement, as did AMD.
The Meltdown Vulnerability
Meltdown is the first of the two vulnerabilities that GPZ disclosed. It exploits a CPU performance optimization known as ‘out-of-order execution’ to read arbitrary kernel memory locations. The attack is independent of operating system and does not rely on any software vulnerabilities. In other words, it is a vulnerability in chip hardware that is exploitable on any system, no matter what operating system it is running, no matter whether the software on the system has a vulnerability or not.
Meltdown allows an attacker to read memory that they should not have access to in other processes, other virtual machines on the same system and across various other permission boundaries. This affects a huge number of cloud service providers and personal computer and device users.
There is a mechanism that operating system developers can use to protect against this attack. You will be seeing a large number of operating system patches released and deployed during the coming days to secure systems against ‘Meltdown’.
Spectre is a vulnerability that exploits another performance enhancement in modern CPUs, known as speculative execution. Hence the name, Spectre.
Modern processors use speculative execution to improve performance. The mechanism allows processors to guess which code will execute and to go ahead and execute that code while waiting for a memory location to be read. Once the read operation is complete, if the processor guessed right, it keeps the results of the computation. If it guessed wrong, it discards the computation results. This improves performance.
Spectre attacks get a victim processor to perform operations that would not occur during correct program execution. These operations leak confidential information.
This attack violates many security models including process separation, containerization and others.
Of particular concern to those of us in the website security community is the following passage from the research paper:
According to the research, makeshift processor-specific countermeasures for Spectre are possible, but a long term fix will require a fundamental improvement to CPU architectures.
Fixing Meltdown and Spectre and Their Impact
Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.
That is not feasible for existing chips and in order to fix this issue for existing CPUs, operating system vendors are going to have to release fixes. That means that you will see security fixes for the following OS’s released in the coming days: Windows, OS X, Linux and probably Android. When you see a fix available for your PC or device, apply it as soon as is practical because it will probably contain a fix for these issues.
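One way to confirm that an operating system update actually enabled the Meltdown and Spectre mitigations on a Linux host once it has been patched and rebooted. This is an added example, not part of the original post: it assumes a kernel that exposes per-issue status files under /sys/devices/system/cpu/vulnerabilities (an interface the post does not mention), and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize kernel-reported Meltdown/Spectre mitigation status.
# Assumption: the kernel provides /sys/devices/system/cpu/vulnerabilities/<issue>.

# classify_status LINE -> not_affected | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*)  echo not_affected ;;
        *[Vv]ulnerable*)  echo vulnerable ;;   # conservative: any "vulnerable" wins
        "Mitigation:"*)   echo mitigated ;;
        *)                echo unknown ;;      # empty or unrecognized text
    esac
}

# check_dir DIR -> one report line per issue; returns 1 unless all are covered
check_dir() {
    dir="$1"; rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            line=$(cat "$dir/$issue")
            verdict=$(classify_status "$line")
        else
            line="(status file missing: kernel may predate the fix)"
            verdict=unknown
        fi
        printf '%-11s %-13s %s\n' "$issue" "$verdict" "$line"
        case "$verdict" in mitigated|not_affected) ;; *) rc=1 ;; esac
    done
    return $rc
}

# write_sample DIR -> constructed status files for trying the check offline
write_sample() {
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
}

# Inspect the running system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_dir /sys/devices/system/cpu/vulnerabilities; exit $?
fi
```

A non-zero exit status makes the check easy to wire into post-reboot monitoring, so a host that came back on an unpatched kernel is flagged instead of assumed fixed.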
Because the vulnerabilities are in algorithms in CPUs that improve performance, the fixes may have a performance impact. Chip vendors like Intel are playing down the impact, while some news media is playing it up. I would suggest taking a wait-and-see approach, because ultimately, benchmarks of the new operating system patches are the only accurate way to reliably determine if there will be any performance impact and if so, of what magnitude.
If you are a hosting provider that uses cloud services for your customers, expect your cloud provider to reboot systems during the coming days and have your operations team on standby to ensure that everything cycles back normally. And of course, keep your customers apprised of the situation.
If you use hosting services, like WordPress hosting, you should be aware that your hosting or cloud provider may need to reboot systems over the coming days as they apply patches for Meltdown and Spectre. Unless you have a 100% fully managed WordPress site, it may be up to you to check that certain services for your site came back up after the reboot. Keep a close eye on bulletins from your host over the coming hours and days and ensure you check your site and systems as soon as they come back up after any reboot or down time.
So far we are seeing notifications of maintenance or reboots for the following hosts and cloud providers:
- Amazon is reporting that they have patched most of the underlying operating systems for AWS and will complete the rest soon. They are saying that customers are responsible for updating the operating systems of their instances and have provided information to do that.
- Linode are saying that they will need to do a “fleet-wide reboot” to protect against these issues. Keep an eye on their blog for updates.
- DigitalOcean are reporting that they also may need to reboot droplets and are monitoring the situation.
- Vultr are reporting a reboot may be needed.
If your cloud provider is not listed above, keep an eye on their blog and Twitter account for updates.
At this time we are not seeing updates from major hosting providers to their customers. The operational impact of these updates will probably flow upwards in architectural terms. In other words, CPU vendors were first notified and responded, then operating system vendors, then cloud providers like AWS and Linode and next we will see service providers respond.
These would include hosting companies, DNS service providers, storage providers, backup providers and other providers of services and applications. In many cases, for service providers, there may be no operational impact if they have built redundancy into their application and are able to perform partial fleet reboots without disrupting service.
Chrome and Firefox Affected
Luke Wagner has confirmed on the Mozilla blog that Firefox is affected by these attacks:
“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes.”
They have already implemented and released fixes to mitigate the issue but as the above quote indicates, more fixes are probably forthcoming. Firefox users should update to Firefox 57.
Google Chrome is also affected, and according to Google, Chrome will receive a fix in Chrome 64 which will be released on January 23rd. Chrome also provides options for users to enable that will help reduce the effectiveness of these attacks:
Performance and Business Impact
Systems that receive these security updates may experience a performance impact though it is currently difficult to say to what degree. If you are in an operational role, it is important that you evaluate system performance once you have applied OS patches to determine if it will impact your customers.
At an executive level, consider that in a worst case scenario, system performance may degrade 30% across the board. If you are running your systems at 90% capacity and your financial margins are thin, you may find yourself in a crisis situation which results in raising prices or making other changes to adapt to CPUs no longer delivering the performance to which your business model has become accustomed.
As a customer or end-user, I would reserve judgement on any performance impact until benchmarks are released. If someone tells me that sunspot activity is slowing down my workstation, I tend to notice slowness on my workstation. It is difficult to quantify performance changes until someone does the work to produce accurate and precise benchmarks.
Impact On Hardware Design
Meltdown and Spectre are a new class of vulnerability, both in their sophistication and impact. They use timing attacks to exploit flaws in the underlying hardware we use for a majority of our applications today, both in the cloud and on desktops and devices.
A complete fix for Meltdown and Spectre is going to require a CPU replacement. As CERT says, the solution is to “Replace CPU Hardware”.
It is inevitable that other hardware vulnerabilities like these with wide impact that require hardware changes will emerge in the coming years. We can’t buy new hardware every time this happens. So a long term fix may require that we invent a way to dynamically patch the hardware that our software relies on.
This Was Disclosed Early
These vulnerabilities were under embargo until next week. On January 1st, speculation started on a blog titled Python Sweetness, about a major vulnerability that was hardware based and involved memory manipulation. On January 2nd, The Register published a story with some details.
Yesterday on January 3rd, GPZ published full details on their blog, resulting in a huge amount of press and official statements emerging.
An extract from Intel’s official statement makes it clear the vulnerabilities were disclosed early:
“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.”
This story is now major news with plenty of coverage and commentary. The authoritative sources for this story are the GPZ blog, the research papers, statements from chip makers Intel, AMD and ARM and the blog posts from cloud providers like AWS and Linode. Check your vendor blogs and vendor Twitter accounts for updates on security and service interruptions.
If you have any additional reliable and accurate resources, research or commentary related to this, I would appreciate if you would leave them in the comments.
Mark Maunder – Defiant Founder/CEO.
- Google Project Zero Announcement
- Spectre Paper
- Meltdown Paper
- Intel Official Statement
- ARM Official Statement
- AMD Official Statement
- Amazon AWS Response
- Linode Response
- DigitalOcean Response
- Early speculation on Monday which led to early announcement
- The Register coverage on Tuesday breaking the story
- Mozilla commentary on Firefox being vulnerable
- Chrome fix release date
- Chrome advice to mitigate these attacks
- CERT official vulnerability note
- Sophos technical analysis and commentary
- BleepingComputer coverage on the vulnerability of Chrome and Firefox