Meltdown and Spectre are two of the most critical CPU bugs ever discovered by security researchers. Meltdown, a vulnerability that affects devices using Intel CPUs, was reported by Jann Horn of Google’s Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology, and Daniel Gruss and his colleagues at Graz University of Technology. Spectre, on the other hand, affects almost all chipsets, and was independently reported by Jann Horn of Google’s Project Zero and by Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.
The two vulnerabilities, related in nature, were first privately disclosed to the companies concerned, including chip makers, operating system developers and cloud computing service providers. The details of the flaws were scheduled to be revealed to the public this week, but The Register broke the news last week, forcing the companies to disclose the information publicly.
Intel was the first to confirm the Meltdown flaw affecting the CPUs it has designed over the past two decades. The Santa Clara-based chip manufacturer played down the risk by highlighting that software patches to mitigate it have been developed and will be rolled out across platforms in the coming weeks. However, it did not confirm whether the problem will be rectified at the chip level in future designs.
What do Meltdown and Spectre do?
To briefly recap, Meltdown and Spectre affect the chip-level architecture of processors from major semiconductor manufacturers including Intel, AMD and ARM Holdings. The flaws allow an attacker to read low-level kernel memory that is normally protected from user-level programs. While there are no reports of any such attack, it is impossible to trace one after the fact, since the attack leaves no entry in any log.
Security researchers say that Meltdown is the easier of the two to exploit, and allows any user program to read normally protected data. Daniel Gruss hacked into his own computer to detect the flaw and even designed the procedure called KAISER, or Kernel Address Isolation to have Side-channels Efficiently Removed, which companies are now using to mitigate the vulnerability by shielding kernel memory from the side-channel attack.
Here is what tech companies are doing to keep you safe from these vulnerabilities.
Intel is at the center of this security flaw, with Meltdown affecting all of its chipsets manufactured over the past twenty years. In its response, Intel confirmed that “these exploits do not have the potential to corrupt, modify, or delete data”, but it offered no explanation of what the flaw means for its existing chip design and for future generations of Intel CPUs.
The statement also does little to distinguish between Meltdown and Spectre, even though researchers state that Meltdown is the more serious of the two and has direct implications for Intel processors. Intel says Meltdown can be fixed with an operating-system-level patch and confirmed that it is working with Microsoft and Apple on one.
For Spectre, Intel recommends inserting a serializing instruction in code between the test of the array bounds and the access to the array. It does not specify which code needs these instructions, but their effect is that the bounds test must complete before the array is accessed. This prevents the processor from speculatively accessing the array on the assumption that the test will succeed. Intel’s suggested serializing instruction has to be adopted by operating systems as well as by individual applications, each separately.
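The placement Intel describes, as an added example that is not Intel’s guidance or code from the article: a bounds-checked table read as a compiler would normally emit it, beside a version that puts an LFENCE serializing instruction between the test and the access. The table contents are constructed, and the branch-free index-masking helper is a portable complement that the article does not mention.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data (not from the article): a small table
 * that a bounds check is supposed to keep callers inside. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* The pattern Spectre variant 1 targets: the comparison protects
 * the architectural result, but the CPU may start the table[idx]
 * load speculatively before the comparison has resolved. */
int read_unguarded(size_t idx, uint8_t *out)
{
    if (idx < TABLE_LEN) {
        *out = table[idx];
        return 0;
    }
    return -1;
}

/* Serializing instruction between the bounds test and the access,
 * as Intel's guidance describes. LFENCE is x86-only; elsewhere
 * this degrades to a compiler barrier with no hardware guarantee. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Portable complement (not in the article): clamp the index with a
 * branch-free mask so that even a mispredicted path reads in bounds;
 * this is the shape of the Linux kernel's array_index_nospec(). */
static inline size_t index_nospec(size_t idx, size_t len)
{
    size_t mask = (size_t)0 - (size_t)(idx < len); /* ~0 if in bounds, else 0 */
    return idx & mask;
}

int read_guarded(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    speculation_barrier(); /* the test must complete before the load can issue */
    *out = table[index_nospec(idx, TABLE_LEN)];
    return 0;
}
```

Both functions return the same architectural results; the difference is only in what the processor may do transiently, which no functional test can observe.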
AMD’s researchers immediately confirmed that its chipsets are not affected by the Meltdown flaw. The company also claimed that its chip architecture should not be affected by the branch prediction attack used by Spectre.
AMD is suggesting operating system patches for the array-bounds problem that Intel is mitigating with an additional serializing instruction. AMD has so far shared no details on its approach to mitigating the issue, or on how it plans to fix the issue in future chipsets.
Microsoft confirmed that it started patching its operating system against the Meltdown vulnerability in November last year. It confirmed that Windows 10 is being mitigated against Meltdown through automatic updates, while users of other Windows versions will need to update their systems manually with the latest security patch.
Microsoft is testing a dual page table system with Insider builds of Windows 10, and will use hardware capabilities to reduce the performance impact caused by the implementation of dual page tables. Microsoft says some third-party antivirus software breaks dual page tables, and it will not enable them when a third-party antivirus is detected. It also says that dual page tables are not implemented on Windows Server.
Apple designs its own chipsets and operating system for mobile devices, and relies on chipsets from Intel and AMD for its computers. The company has confirmed that it has patched iOS, macOS and tvOS against Meltdown with the latest update. It has also confirmed that Safari will get an update to protect against the problem.
Apple, being Apple, is not offering many details on how it plans to protect its products. It seems to be relying on the standard practice of separating kernel memory from user memory.
Amazon has rolled out patches for Amazon Web Services that protect shared systems against Meltdown attacks. Amazon says it has not seen any impact on performance after rolling out the Meltdown patch.
Google is relying on Linux’s protection to safeguard Android and Chrome OS, which are built on the Linux kernel. To mitigate the flaw, Linux developers have separated the kernel’s memory from user processes, as detailed in the current state of kernel page-table isolation.