Meltdown and Spectre

What is it?

Meltdown and Spectre are two related vulnerabilities that were unofficially announced on January 3rd. I say “unofficially” because they were supposed to be revealed to the world on January 9th in a coordinated response agreed by all the major operating system and technology vendors. However, word of the vulnerabilities leaked early on the 3rd and as a result, the industry has been left in an awkward position for the past few days, knowing about this major issue and able to assess its impact, but without any practical way to mitigate its effects!

Why is it such a big deal?

Unusually, these are chip vulnerabilities, not software vulnerabilities. You can read a more detailed explanation of how Meltdown and Spectre work below, in the “Want to know more?” section, but essentially, Meltdown and Spectre take advantage of a design feature present in nearly every processor manufactured for the past decade, called Speculative Execution.

So in order to mitigate the effects of that hardware design flaw, we need a software solution. While these exist now, there is a potential performance hit, since we’re using software to workaround a hardware design feature.

What can we do?

Performance hit or not, the answer is still… patch! That performance hit is really only relevant under heavy load on servers, so it’s not an excuse to run an unpatched device!

Your iOS devices should be upgraded immediately to a minimum of 11.2.2. If you’re running an iPhone older than the 5s, you’re out of luck here and will need to either upgrade to a newer device, or live with the risk of this vulnerability affecting you. If you chose to do so, you can mitigate most of that risk by ensuring that you never “side-load” any apps – only use the AppStore to install apps.

If you’re an Android user on a Nexus or Pixel, you should be running the 5th January patches for 8.1.0 already. If you use another device, has a decent breakdown on whether you can expect a fix. Generally speaking, if your phone is less than two years old, you should expect an update that addresses the issue. If you can’t get the update, then, as with iOS above, it’s incredibly important to avoid “side-loading” apps. Make sure that you only download apps from Play and you’re much less likely to be affected.

If you run Windows, make sure you have automatic updates turned on. However, Microsoft’s taking an unusual position on their update to this vulnerability, refusing to automatically patch your machine unless your antivirus vendor sets a specific registry key on your computer first. This is because they have discovered that certain antivirus vendors have been somewhat abusing your computer by loading portions of themselves into restricted “kernel” memory. Because of the way Microsoft have to patch Meltdown, if you use one of these abusive vendors, the patch will cause your computer to repeatedly crash, rendering it unusable. Popular AV vendors appear to be okay, including Avast, AVG, Avira, Bitdefender, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec. McAfee haven’t confirmed yet, but will do so imminently according their press releases on the subject. Oddly, while Trend have confirmed compatibility, they are refusing to set the registry key, demanding their users do so manually! ZDNET have a useful breakdown of the situation.

If you use a Mac, you have to be running the High Sierra operating system and you have to be running at least the 2017-002 update, or better still, the 8th January 10.13.2 supplemental update. Apple’s security update page has the necessary download links. There are currently no patches for earlier Apple operating systems, but rumours are circulating that patches will be made available eventually. Apple themselves have so far failed to confirm this though.

I suspect that few of you run a Linux distribution, at least not outside of a Raspberry Pi. Those of you that do, security updates are now available for Ubuntu (and its many various derivatives, such as Mint), Red Hat (and therefore Fedora), and SUSE. You should have automatic security updates turned on, but if not, run a manual update asap.

About that Raspberry Pi – it was one of the very few devices that didn’t implement Speculative Execution in the chips it chose for its devices (ARM1176, Cortex A7 and Cortex A53). It’s therefore immune to both Meltdown and Spectre!

Want to know more?

If you’re interested, here’s a more detailed, layman’s breakdown of how Spectre and Meltdown work. I don’t intend this to be perfectly accurate, due to some (okay, a lot of…) simplification, but hopefully it’ll give you the gist!

Both of these vulnerabilities use a feature of your computer’s CPU called Speculative Execution. The idea behind this is that a CPU is so incredibly fast at doing any given action, there’s a period of lag while it waits to be told what to do next. Chipmakers saw an opportunity in that tiny lag and Speculative Execution was born. Basically, while the CPU is idle, waiting to be told what to do next, it actually has a guess as to what that thing might be and then does it! If it guessed right, great! It’s already done that thing and it can start guessing what to do next, and so on. If it guessed wrong, it reverses (most of) what it did (which is usually trivially quick to do), and gets on with the new task, before starting Speculative Execution all over again.

The problem is that when it guesses wrong, although it’s trivial to reverse the results of what it did wrong, you have to remember that it did actually do that thing. So if that involved, say, reading some memory, then it did actually read that memory and it has the results of that memory read in a cache called a Translation Lookaside Buffer (TLB). Earlier I said that when it gets a guess wrong it reverses most of what it did. It doesn’t erase the TLB, because there’s not really any good reason to do so. That buffer will just get overwritten by the next cycle of Speculative Execution, so why bother erasing it?

The vulnerability here is that by manipulating how Speculative Execution makes its decisions, you can use it to read the entire memory of a computer – which will almost certainly include, for example, the passwords you use and the tokens that decrypt your sensitive information!

That, in essence is Spectre. Meltdown is the exact same method, but made worse by a design decision that Intel made back in the late 90’s. Effectively, they took Speculative Execution and made it even faster, by ignoring a crucial security aspect – they didn’t bother to check whether the CPU was allowed to do a given action. They simply told the CPU to go ahead and do it anyway! If it guessed right, then they checked the privileges. If it guessed wrong, no harm, no foul, they thought, because they just threw away the TLB and moved on. As a result, Meltdown is like Spectre on steroids – not only can it be manipulated to put things into the TLB, it can also be manipulated to perform actions that it shouldn’t have privilege to perform.

So in summary, Spectre affects nearly all chips, but is very hard to exploit, while Meltdown only affects Intel chips, but is radically easier to exploit. Indeed, several toolkits are already available on the internet showing proof of concept attacks which take advantage of Meltdown.

Worse, Spectre can’t really be “patched”, except by effectively bypassing or disabling the use of Speculative Execution entirely. So while there will be performance concerns around the patches for Meltdown, any such software-based patches for Spectre are likely to be pretty catastrophic. Realistically, new chips need to be designed that remove the Spectre vulnerability at the hardware level. Indeed, the vulnerability was named Spectre because it’s expected to haunt the industry for years to come.

In the meantime, Spectre “fixes” are partial at best. To really mitigate the problem, we’ll need a combination of a microcode update for the chip itself (not yet available), an updated Kernel with the relevant fixes and subsequent performance loss (now available from some vendors) AND applications have be recompiled to take advantage of the reworked situation (not yet available). Spectre is a much harder nut to crack.

Scaine has written 14 articles

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>