WARNING: This article may get a tad nerdy. We promise to break this down in layman’s terms and use the phrase ‘speculative execution’ as little as possible.
By now, you’ve probably heard a lot about Meltdown and Spectre. The last two weeks have been filled with extensive reports on the subject with more coming each day.
As researchers and chip manufacturers scurry to find, test, and deploy patches for the bugs, many people still don’t have an accurate idea of what they are, what they do, and what can be done about it.
- There are two major computer processor security vulnerabilities: Meltdown and Spectre
- They affect nearly every device made in the last 20 years
- The total impact of these vulnerabilities is still unknown
So, what is Meltdown?
Meltdown is the vulnerability that affects only Intel-based chips, and it is easier to exploit than Spectre. To increase performance, Intel’s speculative execution performs no security checks, and in most operating systems every process has the entire memory space, both user level and kernel, mapped into it.
What is Speculative Execution?
Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed. If it turns out the work was not needed after all, most changes made by the work are reverted and the results are ignored.
How Does Meltdown Work?
Meltdown works by running a set of instructions (a snippet of code) that raises an exception by trying to access kernel memory the instructions have no right to read. In the very short time it takes the processor to attempt the bad instruction and terminate it, the processor will already have queued up and started the next few instructions as part of speculative execution.
Those next few instructions specifically request memory outside of the current thread’s allowed user area and copy it somewhere the thread can ‘legally’ access. Repeated over and over, this lets an attacker read the entire contents of the computer’s memory.
Ok. Then what is Spectre?
Spectre is the more widespread of the two and impacts more processors than Meltdown. The Spectre vulnerability affects Intel, AMD, and ARM processors – including video cards. It is much harder to execute than Meltdown and requires some tailoring to the target environment.
How Does Spectre Work?
Spectre works by manipulating branch prediction (I know, sorry). It starts by training the speculative algorithm: the branch is executed repeatedly until the processor has been trained to expect a specific ‘choice’ and caches that result. Once the branch predictor has been trained, the values in the code are changed and memory that should be inaccessible to the attacking thread is requested. Even though the speculative results are rolled back because they are no longer valid, the data pulled into the cache stays there.
The good news is that Spectre has some limitations – it can only be used to get information from memory areas the victim thread is allowed to access. Unlike Meltdown, there is no privilege escalation and no ability to read memory outside of the target thread.
Because access is limited to the memory space of the target thread, the best targets are DLL files or other shared library-type files, since a single copy of those is shared across multiple processes, giving access to data from multiple programs instead of just one.
Wait. Is this how Skynet gets started?
Nope, no need to worry. Plus, let’s be honest – the Terminator franchise has gotten so confusing and downright bad lately.
How is Lume protecting its clients and services?
Lume’s engineers and security experts are actively working with our partners and vendors to protect customer environments and our internal systems. OS vendors have released patches for these vulnerabilities and are continuing to develop more. Our team is testing and deploying these updates and taking additional steps to ensure all updates occur with minimal impact to our customers.
What patches are already available?
A list of vendor updates and advisories can be found here.
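To verify that a Linux host has actually picked up the patches rather than assuming so, the kernel (4.15 and later, plus most distribution backports) publishes one status line per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example for that check, not Lume’s tooling; it only reads and classifies those status lines.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status from the Linux
# kernel's sysfs interface (/sys/devices/system/cpu/vulnerabilities/*).
# Each file holds one line such as "Not affected", "Vulnerable" or
# "Mitigation: PTI"; this script only reads and classifies those lines.

# Map one status line to a short class: not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print a table for the Meltdown and Spectre entries found in $1 (default: the
# real sysfs directory). Exit status: 0 = nothing reports Vulnerable,
# 1 = at least one entry is Vulnerable, 2 = the interface is missing.
check_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel predates the interface or this is not Linux" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            line=$(cat "$f")
            status=$(classify_status "$line")
            printf '%-10s %-13s %s\n' "$name" "$status" "$line"
            if [ "$status" = "vulnerable" ]; then rc=1; fi
        else
            printf '%-10s %-13s (entry missing)\n' "$name" "unknown"
        fi
    done
    return $rc
}

# Inspect the running host when invoked as: sh check_cpu_vulns.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
    exit $?
fi
```

A non-zero exit status makes the script usable as a fleet-wide compliance check after patch rollout; pass a different directory as the first argument to test against captured sysfs copies.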