Everything is under Threat | What is Meltdown and Specter and How to Live with them?
By Prempal Singh
Everything is under Threat | What is Meltdown and Specter and How to Live with them?
They say that the new is a well-forgotten old. The beginning of the year fully confirmed the validity of folk wisdom but in the worst sense of the possible. In fact, more recently, it became known about the two most dangerous vulnerabilities of processors over the past twenty years. They will not be rescued by the antivirus, the attack can be carried out on the antediluvian, and on the most advanced hardware. “Hole” is safe in the vast majority of devices: from desktops and smartphones to ATMs and planes. How to live with it further?
Briefly about the main
Meet Meltdown (CVE-2017-5754). The attack, which completely ignores the protection mechanisms of the processor, exploits the control over the address spaces implemented by the MMU (Memory Management Unit). The brief essence of the MMU work: if at startup the OS allocated memory to this process, all attempts to get out of it will be stopped. So, simultaneously running processes (and, therefore, applications) work in parallel, without interfering with each other. Different parts of memory can have different levels of access. For example, the application will not gain access to the memory occupied by the kernel of the system, even if the corresponding addresses are technically accessible to it. Such a scheme was successfully applied not just for years, but for decades, and nothing foretold troubles. Until recently.
How it works
In the history of PC development there was an era when the CPU repeatedly outperformed other modules in performance, and to increase real productivity engineers invented the so-called “branch predictor”. Its main task is to analyze the already executed instructions and give suggestions, what calculations can be made without waiting for the moment when the conditions leading to the initialization of this branch of code will be met. If it turns out that the performed calculations are not necessary or incorrect – the processor will simply reset the already calculated data. In the case of a positive response, a lot of time is saved: the system can engage in useful calculations, rather than idle. As it turned out, the processor in the course of “predicted” is able to purposefully ignore the MMU. A specially prepared code exploits this feature to gain access to the results of these algorithms. Actually, and works Meltdown.
Scope of the problem
Not having access to protected areas of memory, the vulnerability attacks the CPU cache. It receives absolutely all the data that passed through the processor; In addition, it does not sort the code passing through it to validity. Data is received – the data has fallen into the cache, and then let the processor determine what to do with them. The hack is implemented in such a way that it can determine the reading of data at a given address, calculating whether the cache hit the cache by the access speed (RAM is much slower than the processor one). It remains to force the CPU using a special script that mimics requests to the right addresses, to reveal information about the contents of the cache. Having the correct data on hand, it will not be difficult to read the entire memory of the core of the system – and hence the entire physical memory of the device. Vulnerability affects computers running almost any Intel product (the entire line of Core and Xeon, as well as Celeron and Pentium on Core, Core 2, Pentium 4, 3 and even 2 series) New ARM processors on the core Cortex-A75 (Snapdragon 845, new Exynos and Kirin, high-performance models of MediaTek in 2018). The scale of the problem is difficult to overestimate.
Misfortune never comes alone
It would seem that the owners of AMD processors, on which Meltdown has not yet been reproduced, it is time to breathe a sigh of relief. However, the bad Santa clearly decided that this year no one will leave offended, and brought happiness to all and everyone under the name Specter (CVE-2017-5753 and CVE-2017-5715). Without going into the jungle of numbers and algorithms, the Specter is technically similar to the Meltdown attack – it also exploits the hardware level of the processors using indirect data leak channels.Being more difficult to implement, it is distributed (albeit with some reservations) to all modern processors, regardless of platform and family.
Doubly difficult and dangerous
Specter, unlike Meltdown, does not imply access to the memory of the attacked process (both the kernel of the system and the user program). They themselves issue all the information – it is enough “to ask competently”, but this is realized thanks to the block of “predictions” described earlier. By executing instructions similar to those created by the attacked program, the vulnerability allows you to calculate the instructions of the “victim” by comparing the speed of obtaining a variable from the cache and RAM. Technically, the method is quite complicated in execution, but the list of attached devices is impressive: these are all Intel processors, and 64-bit ARM, and almost the whole line of AMD. That is, in general, all CPUs that have an extraordinary start of instructions.
(Cyberops, Cyberops Infosec, VAPT, Cyber Security, Ethical Hacking, Secured Application Development)
What to do?
The solution to date is one: installing the current patch for the OS (Windows 10 users can finally be happy with the non-switchable update center – the hotfix will arrive automatically). Released patches transfer kernel memory to an isolated area, providing protection not only for privilege delineation but for access control over addresses. Do not lag behind and developers of browsers that issue fixes to prevent potential attacks on JS, which is a locally running code.
But antiviruses should not be hoped for. Being a hardware problem, Meltdown and Specter use the regular behavior of the system, rather than translating it into nonstandard or critical states. That is, the antivirus will constantly respond to any “Hindu code” if you try to configure it to capture the specific for these attacks, repeated cycles. A little comforting is the fact that the complexity of the vulnerability is unlikely to make it popular with virus writers.
is it true that the new patches slow down the processor?
Yes and no. For the average user, nothing terrible will happen. On the one hand, the isolation of the kernel memory really affects performance, and in some scenarios, the losses can reach the very 20-30% that panicky articles on the Internet are full of. On the other hand, most such scenarios are not used at home, but in games and popular user applications, the real loss of performance is at the level of error. It is better to sacrifice a couple of percent FPS than, in case of the onset of another hacker epidemic, to break up the foreheads in the backdrop.
And what about the non-bootable after-path systems based on AMD processors?
Let’s just say: if you are touched by this attack, you are already aware of what is happening. For everyone else – briefly about what happened. Some old AMD FX processors after receiving the above-mentioned hotfixes ceased to run correctly (due to the peculiarities of the kernel architecture and compatibility with previous generations of motherboards). But the problem is already solved – Microsoft temporarily suspended the update of problematic models. AMD is also aware of what is happening: the updated update will be released within the next week.
They say that under the impact were video cards?
Despite the messages spread over the Internet, NVIDIA does not recognize the Specter vulnerability in its GeForce, Quadro, NVS, Tesla, and GRID series products. The corresponding fix of the drivers, which appeared in the tenth of January, eliminates possible loopholes for launching the Specter of (!) The central processor of the computer. The PR department of the California company does not give any details. However, most users do not need to worry at all – the architecture of the video core is significantly different from the processor one. Even if there is a way to use a similar loophole, the maximum that it will be possible to extract from the video card is the hashes used in the calculations of crypto-currencies or arrays of data from scientific projects. In other cases, attacked computing units usually store graphics and shaders: what kind of hacker are they using?
What in the end?
Everything is not as bad as many people paint on the wave of the upraised HYIP. First, vulnerability, albeit belatedly, but found, studied and made public. So, even after a couple of generations of processors (in the future Zen + and Cannon Lake, there should not be any cardinal changes in architecture), but the industry will finally get rid of it and its similarities. Secondly, most people who do not use vulnerable scripts in their daily work (like the same virtualization) will not experience a loss of productivity. Finally, the complexity of the execution of the hacker attack and the measures taken against Meltdown and Specter will make it unattractive for intruders. The price of the attack will be so great that it is more suitable for hacking a large corporation than user devices. So just remember to update your OS and play peacefully.