Meltdown and Spectre challenge IT security professionals
Two highly significant security flaws in Intel processors Meltdown and Spectre have triggered feverish activity in the security industry, and have also raised wider concerns about the technology industries approach to security.
The two exploits, Meltdown [CVE-2017-5754] and Spectre [CVE-2017-5753 and CVE-2017-5715] exploit vulnerabilities in the way a modern multithreading processor functions by executing multiple instructions simultaneously. The flaws could allow attackers to obtain passwords, encryption keys, and other sensitive information from a computer’s core memory potentially even via a web browser.
Meltdown specifically revolves around the fact that out-of-order memory lookups influence the cache, which in turn can be detected through the cache side channel. This means an attacker can dump the entire kernel memory by reading privileged memory in an out-of-order execution stream, and transmit the data from this state via a covert channel at varying rates according to the system and environment, but up to 503 KB/s.
“Meltdown breaks all security assumptions given by the CPU’s memory isolation capabilities. We evaluated the attack on modern desktop machines and laptops, as well as servers in the cloud. Meltdown allows an unprivileged process to read data mapped in the kernel address space, including the entire physical memory on Linux and OS X, and a large fraction of the physical memory on Windows. This may include physical memory of other processes, the kernel, and in case of kernel-sharing sandbox solutions (e.g., Docker, LXC) or Xen, memory of the kernel (or hypervisor), and other co-located instances”, said the researchers from Graz University of Technology who uncovered the bugs.
Intel was quick to quash any suggestion that the company might be responsible, stating in a blogpost that: “This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”
However, while fixes have been rushed out by most major vendors to combat Meltdown, the rollout has not been as smooth as it could have been. Some patches are reported to have slowed machines significantly, with Redhat reporting slowdowns between one percent and 20 per cent.
The scale of the vulnerabilities is enormous, with at least three billion chips in computers, tablets, and phones currently in use being vulnerable to attack by Spectre, the more widespread of the two flaws. The process of patching Meltdown and Spectre on such a number of devices in so many different environments is likely to take some time, and raises significant questions about the future of technology design.
The wider challenge of keeping up to date with patches and new vulnerabilities like Meltdown and Spectre has been addressed by High-Tech Bridge, which recently launched ImmuniWeb Discovery, a platform designed to reduce AST costs, minimize external attack surface and help achieve compliance and regulatory requirements. The free service provides a continuous and non-intrusive application discovery, leveraging a wide spectrum of reconnaissance and OSINT information gathering techniques.