– Meltdown and Spectre: Bugs in modern computers leak passwords and sensitive data.
Exploiting Out of Order Execution on modern CPUs.
The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack
is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to
read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR  has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leak-
Full whitepaper about Meltdown is available HERE.
Exploiting Speculative Execution on modern CPUs.
Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value
that is in the process of being read, CPUs will try guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or
commits the speculative computation. Speculative logic is unfaithful in how it executes, can access to the victim’s memory and registers, and can perform operations with
measurable side effects.
Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks,
and return-oriented programming that can read arbitrary memory from the victim’s process. More broadly, the paper shows that speculative execution implementations
violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization,
just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks represent a serious threat to actual systems, since vulnerable
speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices.
While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruc-
tion set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
Full whitepaper about Spectre is available HERE.
Other interesting readings about these two major security breaches that affect all modern processors:
Looks like Intel is starting the new year on the wrong path: an hardware bug (due to a design flaw) is present in every modern Intel CPU (all Core / Xeon series from these last years). This CPU bug could allow users of a VM (virtual machine) to access data of another VM. Major cloud providers (Amazon, Google, Microsoft) as well as hosting services are directly affected by this CPU bug and have planned important updates of their servers in the upcoming days.
The CPU bug could let an attacker to access to the protected memory of the OS kernel. The security patch in development brings something called kernel page-table isolation or KPTI which involves a serious update of the operating system. The patch can lead to a performance drop up to 30%.
This bad news for Intel is a good news for AMD. According to Tom Lendacky, AMD CPUs are not affected by the types of attacks that the KPTI protects against:
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
Disabling KPTI patch for AMD CPUs…
Here is a collection of links about this story:
- Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign
- The mysterious case of the Linux Page Table Isolation patches
- Linux page table isolation is not needed on AMD processors
- Huge Flaw Found in Intel Processors; Patch Could Hit 5-30% CPU Performance
- AMD Struggles to Be Excluded from Unwarranted Intel VT Flaw Kernel Patches
- Intel Secretly Firefighting a Major CPU Bug Affecting Datacenters?
- Serious Intel CPU design flaw may require a Windows patch, but probably won’t affect gaming performance
- AMD Soars After Rival Intel Reveals Processor Flaw
- KPTI : des correctifs pourraient impacter lourdement les performances des processeurs Intel