Double Bite CPU Vulnerabilities – MELTDOWN & SCEPTRE attacks

Double Bite CPU Vulnerabilities – MELTDOWN & SCEPTRE attacks

First thing first, guys MAJOR security vulnerabilities have been discovered by collaborative effort, primarily by Google and Co. There are vulnerabilities that can be exploited by attacks like

  • MELTDOWN
  • SPECTRE

This information was revealed on just beginning of 2018. Bit late, but just thought, I should inform my readers about this major Security flaws exist in almost all CPUs exists in current world.  Just to understand the extend of the security vulnerabilities, HACKERS can exploit these vulnerabilities and can read data exists in CPU memory including any sensitive data e.g. credential data or execute any malicious instructions/program without passing any security check. These vulnerabilities exist for last 20 years in all most majority of CPUs that have been created so far, primarily for all Intel, AMD & ARM processors.

Interestingly, this type of vulnerabilities can be exploited even all Software above kernel run as designed. Hence, relatively any data in memory can be revealed by this vulnerability.

Let’s try to understand bit more about these two.

What is MELTDOWN

In short, MELTDOWN is an attack that can exploit a vulnerability, specifically in Intel processor (CPU) to access unauthorized memory area of CPU where normal User should not have access. This can revel personal sensitive information.

What is SCEPTER

There is bit bigger and complicated version of vulnerability exists and it existed in almost all processors from Intel, AMD & ARM for long 20 yrs. Due to this vulnerability, hacker can execute process/task long before the process is supposed to be executed within CPU memory. Also, a different executable process/task can be injected and then executed without any security check.

Out of these two variants of vulnerabilities, SCEPTER type vulnerability is bit tricky and difficult to exploit and still FIX under process. On other hand, MELTDOWN attack can be easily done but easy to FIX too, at least from software stand point.

Note, these two attacks reveal vulnerabilities within hardware that is not easy to patch in hardware alone. Hence, Software workaround is way to go for quick resolution. Therefore, all the major Cloud Service Providers have already either patched their platform kernel or started releasing relevant patches as we discuss. As per latest news Google, Amazon, Azure and IBM have patched their respective Cloud platform (underlying Kernel) from Software stand point.

Now if you are more interested to know and like to dig into more detail, please read on.

Background

Let’s try to understand background of CPU Memory region and Architecture before deep diving how exploitation can be done for these two vulnerabilities. In short, Computer Kernel memory is supposed to be completely isolated from remaining computer processes & memories. Memory isolation is the fundamental security of Computer architecture. For example, Operating System ensures that all the users who are simultaneously using the computer must not have access to each other’s data from corresponding memory and prevent them writing or reading any data in kernel memory. Basically, user space instruction must not have access to Kernel memory. Underlying Processor has a supervising mechanism which decides whether memory space of Kernel can be accessed or not.  Operating system keeps a track of mapping between user space and kernel memory for further execution. Now, when Processor executes a job in user space and switch to other user space for execution, usually, stated mapping is cleared.

Now, let’s understand another aspect that for modern processor, all renowned supplier specifically, Intel has introduced a mechanism to enhance performance of the processor. The mechanism allows processor to predict or speculate next task execution and make it ready for execution. This speculative execution is out of order and not sequential request from Processor perspective. Processor tries to “guess” probable operation and schedule the execution as appropriate. This is all about increasing the performance of processor or CPU.

MELTDOWN, bit more technical

Meltdown attack can be performed to attempt read kernel memory from user space without checking necessary security check. Speculative execution from Kernel memory is the root fo a vulnerability. Vulnerable CPUs allow an unprivileged process to load data from a kernel memory address into a temporary CPU register. Moreover, the CPU even performs further computations based on this register value, e.g., access to an array based on the register value. The processor ensures correct program execution, by simply discarding the results of the memory lookups, if it turns out that an instruction should not have been executed.

However, it is observed that out-of-order memory lookups influence the cache, which in turn can be detected through the cache side channel. As a result, an attacker can dump the entire kernel memory by reading privileged memory in an out-of-order execution stream, and transmit the data from this elusive state via a covert channel to the outside world. On the receiving end of the covert channel, the register value is reconstructed. Hence, there is an exploitable security problem.

This attack specifically exploit privilege escalation vulnerability exists in Intel processors.

How to fix this vulnerability?

KASLR is the answer, ahh! At least best option at this moment. Kernel address space layout randomization (KASLR) had been introduced to the Linux kernel (starting from version 3.14 [4]) allowing to randomize the location of the kernel code at boot time. However, only as recently as May 2017, KASLR had been enabled by default in version 4.12 [27]. With KASLR also the direct-physical map is randomized and, thus, not fixed at a certain address such that the attacker is required to obtain the randomized offset before mounting the Meltdown attack. However, the randomization is limited to 40 bit. Thus, if we assume a setup of the target machine with 8GB of RAM, it is sufficient to test the address space for addresses in 8GB steps. This allows to cover the search space of 40 bit with only 128 tests in the worst case. If the attacker can successfully obtain a value from a tested address, the attacker can proceed dumping the entire memory from that location. This allows to mount Meltdown on a system despite being protected by KASLR within seconds.  The KAISER patch by Gruss et al. [8] implements a stronger isolation between kernel and user space. KAISER does not map any kernel memory in the user space, except for some parts required by the x86 architecture (e.g., interrupt handlers). Thus, there is no valid mapping to either kernel memory or physical memory (via the direct-physical map) in the user space, and such addresses can therefore not be resolved. Consequently, Meltdown cannot leak any kernel or physical memory except for the few memory locations which must be mapped in user space. We verified that KAISER indeed prevents Meltdown, and there is no leakage of any kernel or physical memory. Furthermore, if KASLR is active, and the few remaining memory locations are randomized, finding these memory locations is not trivial due to their small size of several kilobytes.

SPECTRE, bit more technical

There are two variants of SCEPTER attacks on CPU vulnerabilities as following

  • Bounds check bypass.
  • Branch target injection.

Spectre attack can be done on Intel, AMD and ARM processors. That means, it affects almost all Computer exits in the planet now. All giants are working together to tackle this vulnerability, so hacker cannot take advantage of this.

Spectre mainly attacks by predicting branch for speculative execution, bypass security check and inducing a victim to perform operations that would not run in correct program execution.

Understanding of SPECTRE attack requires knowledge of CPU architecture and workflow, there re many things such as Branch instructions, transient instructions, Microarchitectural Side Channel etc. I would suggest going through the paper published by team of Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom.

How to fix this vulnerability?

This type of vulnerability is really hard to fix completely just by patch, processor companies may need to think hard and come up with new architecture or design decisions to tackle this vulnerability completely. However, there are few options such as halting speculative execution for sensitive information path.

There are Work to be done and hopefully, someday we will get vulnerability free processors for our computer. However, as we are gradually moving towards Cloud era , most likely all giant Cloud platform providers will take care of these vulnerabilities as fast as possible, at least from Software end by patching kernel.

Though, patching kernel by putting additional security check may hinder performance. There is debate going around that this patch may reduce performance by 5 to 30%.

Want to know more ? .. read on Google Project Zero

**Special thanks for Google Project Zero report and above mentioned team for all the information, they have shared publicly. Most information is taken from these two sources.

 

Author: Dhrubo

I am passionate about sharing Knowledge , Information and wisdom what ever way is possible. This is small contribution to our society from my part. I am a Programmer and love to architect and modernize IT infrastructure / solution / applications for my clients.

I am sharing my experience what I have gained so far via CTT and will keep doing so in regular basis. This is the whole purpose of founding this Knowledge Center for Cloud Technologies.

One Reply to “Double Bite CPU Vulnerabilities – MELTDOWN & SCEPTRE attacks”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.