Remember Spectre and Meltdown

Here is an overview of Spectre and Meltdown vulnerabilities that got a lot of publicity in January 2018. Meltdown and Spectre the two original transient execution CPU vulnerabilities. The Meltdown and Spectre vulnerabilities were considered “catastrophic” by security analysts. The vulnerabilities are so severe that security researchers initially believed the reports to be false.

In January 3, 2018 I saw first news on the new processor vulnerabilities. I kept researching on the topics, and write one of the early news article on those to Uusiteknologia.fi magazine Suorittimissa tietoturvaongelmia – myös ARM-suorittimissa that was published in early morning January 4, 2018 (to my knowledge the first news on those in Finnish language ). My research on the topic included international news and reading newest changes made to Linux Kernel source code.

Soon a web site https://meltdownattack.com/ was made to tell about those vulnerabilities (it was planned to be published later when all the fixes were out, but was publishes earlier than planned because information had leaked out). The two vulnerabilities were made public jointly, on 3 January 2018, several days ahead of the coordinated release date of 9 January 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list.

meltdownspectre

Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL), in January 2018. The same research teams that discovered Meltdown also discovered Spectre. On 1 February 2017, the CVE numbers 2017-5715, 2017-5753 and 2017-5754 were assigned to Intel. Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.

Meltdown relies on a CPU race condition that can arise between instruction execution and privilege checking. Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM-based processors

The issued were much older. There had been already some some technical talks material “under the radar” information and that would indicate that Intel processors could have a serious vulnerability that waits to be fixed. On 27 December 2016, at 33C3, Clémentine Maurice and Moritz Lipp of TU Graz presented their talk “What could possibly go wrong with ? Side effects include side-channel attacks and bypassing kernel ASLR” which outlined already what was coming. On 27 February 2017, Bosman et al. of Vrije Universiteit Amsterdam published their findings of how address space layout randomization (ASLR) could be abused on cache-based architectures at the NDSS Symposium. On 27 March 2017, researchers at Graz University of Technology in Austria developed a proof-of-concept that could grab RSA keys from Intel SGX enclaves. In July 2017, research made public on the CyberWTF website by security researcher Anders Fogh outlined the use of a cache timing attack to read kernel space data by observing the results of speculative operations conditioned on data fetched with invalid privileges. In October 2017, Kernel ASLR support on amd64 was added to NetBSD-current, making NetBSD the first totally open-source BSD system to support kernel address space layout randomization (KASLR).

The affected hardware and software vendors had been made aware of the issue on 28 July 2017. The fixes were made and information was kept quite well secret until the beginning of 2018.

Links to sources and more material:

Spectre and Meltdown

Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors.

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

https://www.cloudflare.com/learning/security/threats/meltdown-spectre/

https://www.epanorama.net/newepa/2018/01/03/kernel-memory-leaking-intel-processor-design-flaw/

https://www.uusiteknologia.fi/2018/01/04/suorittimissa-tietoturvaongelmia-myos-arm-suorittimissa/

11 Comments

  1. monkey mart says:

    This post is one that I find myself referring to very frequently, and it is only right that I acknowledge how much I value it. It is my firm belief that you will continue to provide products that are exceptional in comparison to the overall standard here.

    Reply
  2. Tomi Engdahl says:

    GhostRace CPU vulnerability threatens all major architectures — IBM and VU Amsterdam researchers detail new cross-platform speculative execution attack
    News
    By Christopher Harper published March 17, 2024
    Speculative execution exploits are used against modern CPUs to access passwords and other confidential data
    https://www.tomshardware.com/tech-industry/cyber-security/ghostrace-cpu-vulnerability-threatens-all-major-architectures-ibm-and-vu-amsterdam-researchers-detail-new-cross-platform-speculative-execution-attack

    On March 12, researchers from VUSec and IBM made a new form of speculative execution attack publicly known on Twitter, linking to a corresponding GhostRace disclosure paper hosted by VUSec. We’ll be discussing the full GhostRace disclosure document and its attached documentation in more detail below, but first, let’s take some time to clarify what a “speculative execution attack” even is.

    If you remember the scourge of Meltdown and Spectre, back in 2016, this is very much in the same category of major CPU security exploits. Spectre V1 was explicitly a speculative execution attack, even. Speculative execution in and of itself isn’t a bad thing— it’s actually a core function of modern CPUs, which allows CPU threads to more effectively share resources.

    The issue is, that speculative execution can also result in “race conditions”, where separate threads attempting to access shared resources create major security vulnerabilities by doing so in a poorly-synchronized matter. This exploit is focused on taking advantage of those scenarios, so it’s appropriately named GhostRace.

    Before making GhostRace public, the researchers informed major hardware vendors and the Linux kernel of the issue (in late 2023), since GhostRace applies to all major OSes and CPUs, even Arm. The notice given should hopefully have given vendors the time they needed to develop their fixes and workarounds, however, the researchers also included some tips for mitigating the issue in the public document. An early fix attempt by the Linux kernel seemed promising, but experiments done by the researchers proved the fix didn’t completely cover the vulnerability.

    For now, it seems Linux kernel devs are primarily concerned with performance, and don’t want to risk majorly crippling it with a rushed fix. We read that the proposed mitigation for Linux provided in the original documentation is tested as only having a roughly ~5% performance overhead in LMBench. No patching performance penalty is ever welcome, but perhaps a patiently developed fix can do better.

    No mitigations are provided in the document for other platforms. However, AMD points out that existing Spectre v1 mitigations should still apply to potential GhostRace exploits— and since vendors have already had to tackle that, it should only be a matter of time. AMD has acknowledged the issue, according to the public disclosure paper.

    Reply
  3. Tomi Engdahl says:

    New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data
    https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html

    Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

    The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    Reply
  4. Tomi Engdahl says:

    Arm security defense shattered by speculative execution 95% of the time
    ‘TikTag’ security folks find anti-exploit mechanism rather fragile
    https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/?td=keepreading

    In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.

    Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.

    Memory safety bugs are said to be responsible for the majority of security vulnerabilities in large codebases. And for the past few years, there’s been a concerted effort in the public and private sector to reduce such flaws by promoting memory safe programming languages, software-based code hardening techniques, and hardware-specific options like SPARC ADI and Arm MTE.

    MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.

    Reply
  5. Tomi Engdahl says:

    Intel Says No New Mitigations Required for Indirector CPU Attack

    Researchers disclosed a new high-precision Branch Target Injection attack method named Indirector, but Intel says no new mitigations are needed.

    https://www.securityweek.com/intel-says-no-new-mitigations-required-for-indirector-cpu-attack/

    A team of researchers from the University of California San Diego has published a paper detailing a novel attack method targeting Intel CPUs, but the chip giant says no new mitigations are required to address it.

    The new attack, named Indirector, is similar to the well-known Spectre v2 or Spectre Branch Target Injection (BTI) attack.

    These methods typically allow an attacker who has access to the targeted system to obtain information, including sensitive data such as passwords or encryption keys, from memory.

    The researchers described Indirector as a high-precision BTI attack that exploits the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs such as Raptor Lake and Alder Lake.

    According to the researchers, previous BTI attacks overlooked IBP, which they describe as a “critical component of the branch prediction unit that predicts the target address of indirect branches”.

    https://indirector.cpusec.org/

    This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).

    Reply
  6. Tomi Engdahl says:

    Intel, AMD CPUs on Linux impacted by newly disclosed Spectre bypass
    https://www.bleepingcomputer.com/news/security/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass/

    The latest generations of Intel processors, including Xeon chips, and AMD’s older microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing ‘Spectre’ mitigations.

    The vulnerabilities impact Intel’s 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD’s Zen 1, Zen 1+, and Zen 2 processors.

    The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks.

    Reply
  7. Tomi Engdahl says:

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
    Linus Torvalds explains why he’s “fed up with” Intel, AMD, Nvidia and their “buggy hardware”
    https://www.neowin.net/news/linus-torvalds-explains-why-hes-fed-up-with-intel-amd-nvidia-and-their-buggy-hardware/#google_vignette

    Linus Torvalds, the father of Linux, is a fairly expressive person and his takes are almost always very interesting.

    In a recent message on the Linux Kernel Mailing List (LKML) public inbox, Torvalds has been spotted showing his frustration about processor vulnerabilities as he said that he was “pretty damn fed up with buggy hardware and completely theoretical attacks” as he feels it is the job of the hardware vendors, the likes of Intel, AMD or Nvidia, to do better in finding theoretical attacks and vulnerabilities due to certain unaddressed and underlying hardware issues.

    “Honestly, I’m pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

    So I think this time we push back on the hardware people and tell them it’s *THEIR* damn problem, and if they can’t even be bothered to say yay-or-nay, we just sit tight.

    Because dammit, let’s put the onus on where the blame lies, and not just take any random shit from bad hardware and say “oh, but it *might* be a problem”.

    Linus”

    Intel introduced LAM or Liner Address Masking with its 12th Gen Sapphire Rapids chips to improve memory safety

    AMD’s Upper Address Ignore (UAI) also works in a similar fashion and was introduced with the Zen 4 architecture or Ryzen 7000 series.

    However, utilizing LAM makes a CPU vulnerable to speculation attacks also called SLAM (short for side-channel attacks via LAM)

    This is not the first time Linus Torvalds has complained against hardware companies over vulnerabilities. Back in 2023, the faulTPM CPU flaw on AMD Ryzen

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*