The new year started with an announcement that has shaken the entire computer industry: Many modern processors found in servers, laptops and mobile devices are vulnerable to a new class of attacks that could expose sensitive information.
The vulnerabilities were discovered independently by multiple researchers and have been reported to CPU manufacturers and all major OS vendors over the past six months. Protecting devices against all variations the new attacks will require both firmware and OS-level patches, and the fixes will affect the performance of certain computer tasks.
The attacks take advantage of a feature in modern processors known as speculative execution, wherein the CPU attempts to guess the path code will take and execute instructions in advance to boost performance. If the speculation proves incorrect, the execution result is discarded, but until that happens an attacker can use the processor’s cache function to leak information, essentially using it as a cache timing side-channel.
There are different ways to attack this weakness with different results. Researchers have identified three variants—one dubbed Meltdown and tracked as CVE-2017-5754 and two known collectively as Spectre (CVE-2017-5753 and CVE-2017-5715).
Meltdown is the most serious vulnerability because it potentially allows a userspace application to read kernel memory, which contains sensitive information about the OS and other programs. This breaks the fundamental isolation between user applications and the kernel that sits at the core of operating system security.
Meltdown affects the majority of Intel CPUs, but also the ARM Cortex-A75. ARM has identified an additional variant that affects a few more of its processors, but the impact of that attack is lower. AMD noted Meltdown does not affect its CPUs due to architectural differences.
The Spectre variants, on the other hand, affect a much wider range of CPUs from all processor manufacturers, including Intel, ARM and AMD. They allow breaking the isolation layer between applications and can be used to trick programs into exposing their own secrets.
“While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs,” researchers said on a website dedicated to the attacks. “This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud,” the researchers continued. “Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”
Mitigations in the form of a new feature called Kernel Page Table Isolation (KPTI)—previously known as KAISER—has been added to the latest version of the Linux kernel. The fix, which involves better isolating the kernel memory from userspace, will have a performance impact that differs by workload.
Tasks that require many system calls or interrupts will be affected the most, with performance loss estimated to be between 5 percent and 30 percent. However, it seems that for general computing, the impact will not be noticeable.
Microsoft also released an advisory with mitigation information for Windows clients and servers, Microsoft SQL Server and its Azure cloud customers. Google released patches for Android on Monday, but Apple so far has remained silent.
All major cloud providers—Amazon AWS, Google Cloud, Microsoft Azure, DigitalOcean—have put out advisories, as did Xen, VMware and Red Hat virtualization providers. For private clouds, users will have to deploy CPU microcode patches, host OS and hypervisor patches and then patches for each guest OS.
“As the Meltdown paper’s authors indicate, the deployment of KAISER at the OS level must be prioritized to prevent the leakage of kernel memory, as the best short-term solution,” said Nick Deshpande, vice president of product development at security firm Zenedge. “For Spectre, users can mitigate attacks—for now—by implementing serialization instructions to halt speculative execution paths on which processors normally rely. Over the coming months we expect to see OEM-specific patches released, but the efficacy of such patching, and the impact on performance remains to be seen.”