A coordinated disclosure overnight brought forth details of two large vulnerabilities affecting nearly all computer users worldwide. This comes after days of mounting speculation online following benchmarks of an unexplained bug fix reportedly causing performance losses of anywhere from 5 to 30% depending on the task at hand.
Discovered independently by separate teams of researchers from Google’s Project Zero, German security firm Cyberus Technology and several universities worldwide, these vulnerabilities have been dubbed Meltdown and Spectre, in part owing to their severity and pervasiveness.
If you own a computer, mobile phone or any other device made in the last 20 years, this is likely to affect you. The good news is that updates to help mitigate the effects of these vulnerabilities are rolling out now and will continue to do so over the coming weeks. The bad news is that to a certain extent, these attacks exploit the fundamental architecture of modern processors and so are likely to require entirely new hardware to completely fix them.
Right now, the best thing you can do to help protect yourself is to install any updates for your operating system, web browsers and other critical pieces of software as soon as they become available. We should all be updating our software regularly anyway, but this is not always the case as we saw with the WannaCry ransomware attacks in 2017, an incident that could have been easily prevented by a Windows bug fix that had been available for nearly 2 months. Expect a similar story to play out again in the coming months as malicious actors take advantage of those who haven’t updated their systems.
I’ll include links in the footer to relevant updates and will endeavour to update this list as more information becomes available.
So having got that out of the way, what are these attacks exactly and how do they work?
At their core, Meltdown and Spectre allow an attacker to access computer memory that they ordinarily would not be able to. Additionally, the Meltdown vulnerability, which specifically affects nearly all Intel processors, allows arbitrary access to ‘protected’ memory, an outcome that fundamentally breaks the security systems put in place in modern operating systems. Using this unrestricted memory access, an attacker can easily read passwords and other sensitive data that was previously assumed safe from prying eyes, even though it is kept “secure” by current best practices.
To do this, both Meltdown and Spectre take advantage of speculative execution, a feature introduced in the 90s and used by processors to speed up execution of programs. To try and explain how this works, imagine you and a friend are walking through the bush and you reach a fork in the trail. You’re not sure whether you need to go left or right, so your friend pulls out a map and tries to figure out where you are and which way you should go. Now, knowing your friend, this could take a while to get an answer, and the track you’ve been following requires you to clear branches out of the way as you go. Without speculative execution, you’d stay with your friend until you knew the correct way to go, but in your mind that’s just wasting time. Instead, as an impatient speculative executor, you decide that there’s a good chance the correct path is the one on the right and so while your friend is still busy at the fork, you’re marching ahead to clear the way. This could turn out to be the wrong path, in which case you’d be able to quickly run back along the cleared track to the fork and take the other path with your friend, clearing it as you went much like if you’d just waited. Or it could be the correct path, in which case you’ve saved time by clearing the track in advance and your friend quickly catches up to you.
A similar story is playing out in your computer with the processor or CPU. The processor reaches a fork that depends on some value. Accessing the RAM where this value is stored takes a (relatively) long time, so while that’s happening the processor takes a chance at one of the outcomes and carries on its way. If it was the right choice, life is good and your computer is faster as a result, but if not, the incorrect work is quickly thrown away and the correct path is taken. This sort of out-of-order execution is great in theory, as it allows the processor to be doing something at all times rather than sitting idle, but there are some subtle nuances with its implementation that are causing the issues we are now seeing.
Within your computer there are several different types of memory, each with a different order of magnitude of speed. As a general rule, the faster the memory is, the less you’ll have of it. One of the fastest types of memory in your computer is its cache, and it’s small — the fastest cache often only stores 32 KB of data (a mere fraction of a photo from your phone for example). Now, your computer likes to be able to access the information it needs quickly and so it tries to keep useful data in this fast cache for quick access. Unfortunately what constitutes useful data is often hard to predict in advance, so most processors make the assumption that if a piece of data was recently used then it is more likely to be used again in the near future and will store it in the cache. Just like speculative execution before, this is a good thing for making your computer faster and in theory shouldn’t cause any trouble.
Now we get to combine our two favourite CPU optimisations. As a result of speculative execution, the processor reaches a fork and continues down one path in anticipation. Whilst doing so, it’s accessing more values from memory and some of these will end up stored in the much faster cache in order to speed up subsequent use. It may turn out that this was the wrong path, and the processor goes back and follows the correct one, discarding the incorrect work it did along the way. However, the values loaded into the cache are kept there because they might still be useful in the correct path, and because nothing else has yet been loaded that could replace them. This is where the fun begins.
What happens next is tricky for me to explain in detail, so I’ll do my best to convey the general idea in a somewhat accessible manner that’s hopefully still true to the underlying principles.
An attacker can construct a program that will try to access protected memory in a branch (our fork in the trail from earlier) that the processor speculatively executes. During ordinary, non-speculative execution, the protective measures in place to stop such unauthorised memory access would prevent the data from being accessed and loaded into the cache. However, during speculative execution these measures are only applied once the branch has been verified as the correct one to follow. If the attacker ensures that the branch containing this protected memory access is not the correct branch, then these permissions are never checked, but the requested value is still loaded as mentioned earlier.
While direct access to the newly loaded data in the cache is not possible, it is possible for a cleverly constructed program to load different items into memory in a perfectly legal way based off the protected value. For example, during speculative execution I might load memory “box” 10 if the protected value is a 0, or load memory “box” 11 if it’s a 1 (for simplicity let’s say it can only be these two values for now). Once the processor has determined that it shouldn’t follow the branch and has continued normal execution, the attacker can measure the time taken to load memory “box” 10 and 11. Since only one of the boxes should have been loaded previously, one box should load significantly faster as it’s already in the cache whereas the other is in a slower form of memory. Congratulations, you’ve managed to leak protected data despite the various measures typically employed in your computer to stop you from doing so. Rinse and repeat to potentially expose all the data in memory on your computer.
These sorts of attacks are known as side-channel attacks, and rely upon physical phenomena to glean extra information out of a system. In this case, Meltdown and Spectre are timing-based side-channel attacks, using the fundamental properties of different hierarchies of memory in a modern computer system. As mentioned earlier, this makes them especially hard to fix since they’re a property of a physical device rather than a logical error in a sequence of instructions for a piece of software.
The Intel-specific Meltdown bug relating to highly privileged memory access is more easily fixed in software, and the fixes for this are currently being made available. You might see the names KPTI or KAISER thrown around in update descriptions. These relate to Meltdown so please install them as soon as possible.
Mitigations for Spectre are a more troubling situation. Not only does it potentially affect your computer, but also your phone and any other modern computing device regardless of the processor inside. Minimising its impact is going to take time and effort from software companies around the world. At high risk are web browsers like Chrome, Firefox and Safari, as code executed by a webpage can potentially trigger the vulnerability. Browser updates with various mitigations are due out in the next few weeks, but there are ways to enable some of these now. Details for these are in the footer and I will do my best to update them as required.
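The two-box timing trick walked through above, and why the KPTI/KAISER approach of no longer mapping protected memory removes the signal, as an added toy model in C (not code from the researchers or any vendor). It simulates a cache with constructed latencies rather than touching real hardware; toy_cpu, load_box, speculate_wrong_path and infer_bit are names invented for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINES 16        /* toy cache: one flag per memory "box" */
#define HIT_CYCLES 4    /* constructed latencies, not measurements */
#define MISS_CYCLES 200
#define BOX_ZERO 10     /* box touched when the protected bit is 0 */
#define BOX_ONE 11      /* box touched when the protected bit is 1 */

typedef struct {
    bool cached[LINES]; /* cache contents: survive a rollback */
    int reg;            /* register: restored on a rollback */
} toy_cpu;

/* Load a box: return its latency and leave it cached afterwards. */
static int load_box(toy_cpu *cpu, int box) {
    int cycles = cpu->cached[box] ? HIT_CYCLES : MISS_CYCLES;
    cpu->cached[box] = true;
    return cycles;
}

/* The wrong branch: executed speculatively, then thrown away. If the
 * protected memory is not mapped (the KPTI/KAISER idea), the read has
 * nothing to return, so no secret-dependent box is touched. */
static void speculate_wrong_path(toy_cpu *cpu, int protected_bit, bool mapped) {
    int saved = cpu->reg;
    if (mapped) {
        cpu->reg = protected_bit;                           /* transient read */
        (void)load_box(cpu, cpu->reg ? BOX_ONE : BOX_ZERO); /* leaves a trace */
    }
    cpu->reg = saved;   /* rollback: the register is restored, the cache is not */
}

/* Time both boxes afterwards. Returns the inferred bit, or -1 when the
 * timings are equal and nothing can be inferred. */
int infer_bit(int protected_bit, bool mapped) {
    toy_cpu cpu;
    memset(&cpu, 0, sizeof cpu);   /* start with a cold cache */
    speculate_wrong_path(&cpu, protected_bit, mapped);
    int t0 = load_box(&cpu, BOX_ZERO);
    int t1 = load_box(&cpu, BOX_ONE);
    if (t0 == t1) return -1;
    return t1 < t0 ? 1 : 0;
}

int main(void) {
    printf("mapped: %d %d\n", infer_bit(0, true), infer_bit(1, true));
    printf("unmapped: %d %d\n", infer_bit(0, false), infer_bit(1, false));
    return 0;
}
```

The rollback restores the register but not the cache flags, which is the whole leak; with the protected memory unmapped both boxes miss and the timings carry no information.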
Long story short, there’s a couple of serious design flaws in almost all modern processors that allow arbitrary memory access, potentially revealing sensitive information like passwords and encryption keys to an attacker. It’s going to take a while to fix everything properly, so in the interim make sure you install any updates as soon as they become available. These attacks were first disclosed to relevant organisations like Intel as far back as 6 months ago. Given that multiple independent groups were part of the disclosure, there’s a chance that these vulnerabilities were also discovered by other groups and potentially weaponised to steal data already. As such, the usual security advice applies — avoid dodgy looking downloads and websites, keep an eye out for suspicious activity emails like password resets and ensure you’re using strong, unique passwords for each website. I’ve found password managers to be super helpful with this, and I’ll link my current choice down below.
I hope that this explainer has been useful in understanding what’s going on with these recent vulnerabilities. Whilst putting this together, I’ve been keeping an eye on the mainstream news here in Australia and this has barely registered. Meanwhile, the pace at which people around the world are playing with these exploits and sharing their findings is staggering and it won’t be long before some real damage takes place. I imagine we’ll be hearing a lot more about Meltdown and Spectre in the coming days and weeks, so update your devices, get those around you to do the same and then grab some popcorn.
I highly recommend the use of a password manager to keep track of strong, unique passwords for all your logins. My current password manager of choice is RememBear (https://www.remembear.com)
Updates you should apply:
Microsoft is in the process of rolling out an update via Windows Update, which should be available around January 9: https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix
Apple issued a partial fix in macOS 10.13.2 (check using the Apple icon > About This Mac). Further fixes are apparently coming with 10.13.3 in the near future.
Chrome 64, due on January 23, will contain mitigations. In the interim, the “Site Isolation” setting can be enabled by following the instructions at https://support.google.com/faqs/answer/7622138#chrome
Other pieces of software should be updated as required.