This article discusses the latest CPU vulnerabilities – Meltdown and Spectre – and the current solutions to fix them.
Google Project Zero and a number of researchers have discovered and published details on two hardware flaws that affect the security of most desktop and mobile devices. Called Meltdown and Spectre, the vulnerabilities abuse the CPU's "speculative execution" to make memory available to unintended processes, possibly leading to data being read by processes that do not own it. This is a low-level hardware issue affecting many models of Intel, AMD and ARM CPUs. Google reported the issue to the respective processor makers in June last year.
Meltdown enables one process to access some of the operating system's kernel memory, leaving sensitive data exposed. Spectre enables one process to access the memory space of another process, exposing its data to be read. Meltdown affects Intel processors with out-of-order execution, possibly going back to models from 1995. Researchers have executed test exploits on several Intel processors going back to models from 2011. Certain ARM processors are vulnerable to a variant of this flaw which leaves the content of certain CPU registers readable by other processes. AMD processors do not seem to be affected by Meltdown. Spectre affects all major CPUs: AMD, ARM, and Intel. For detailed information on these vulnerabilities and what it takes to exploit them, we recommend reading this Google Project Zero post and the Meltdown (PDF) and Spectre (PDF) research papers.
These vulnerabilities are considered critical. Most operating systems in use are affected, including Linux, macOS, and Windows. Android is also affected, as are Apple's iOS and tvOS (though not watchOS). The real solution, as CERT mentions, is to replace the system's CPU with one that does not exhibit the vulnerability. As that is not practical, software mitigations have been deployed or are in the works. The problem is that these fixes seem to have a performance impact, with some estimates putting it at up to 30%. Intel declared that performance degradations are "workload-dependent," and "for the average computer user, should not be significant and will be mitigated over time."
Intel also mentioned that it has provided software and firmware fixes to OS makers. AMD has posted a security bulletin outlining the vulnerabilities, which of them affect systems with its processors, the fixes to come through OS vendors, and that the performance impact will be small. ARM has posted a bulletin of its own, listing which processors are affected and giving instructions on dealing with the issue.
Microsoft will issue an update through the standard update mechanism next week. Patches for the Linux kernel (32-bit) are available, while work on 64-bit/ARM is underway. In a statement, Apple said that it has released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and that
Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
For Spectre, Apple states that
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Regarding cloud vendors, Amazon declared that most instances running on its systems are protected and that the remaining ones will be dealt with soon. Microsoft said that most customers on Azure are protected, and some have received notification that their instances will be rebooted on January 10. Google said that it has patched its cloud systems and that only customers using their own images will have to update them. Xen has released patches for its hypervisor. At the application level, Google advises users to enable site isolation in Chrome, a feature also available in Firefox. Microsoft has issued a patch (KB4056890) that mitigates the vulnerability in Edge and IE 11. The Android Security Bulletin—January 2018 provides details on how Google intends to deal with the issue on its mobile OS: partners were informed a month ago and AOSP will be patched in the coming days.
Google mentioned that it was not aware of any related exploit currently in use, although unverified code exploiting the flaws is available.
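Once the Linux kernel patches mentioned above are installed, kernels from 4.15 onwards (and distribution backports of the fix) report the per-issue mitigation status as one file per vulnerability under /sys/devices/system/cpu/vulnerabilities/, with contents such as "Not affected", "Mitigation: PTI" or "Vulnerable". The script below is an added example written for this article, not code from the article or from any of the vendors it mentions; it summarises that directory and returns a status a defender can act on. The directory is a parameter so it can be pointed at a copied or constructed directory on a machine without the interface; the file names and strings it matches are the ones the kernel itself uses.

```shell
#!/bin/sh
# Added example (not from the article): summarise the Meltdown/Spectre
# mitigation status exposed by patched Linux kernels (4.15+ and backports).
# Default location of the kernel's per-vulnerability status files.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# report_mitigations [DIR]
# Prints one line per status file (name, verdict, raw kernel text) and returns
# 0 when every entry is mitigated or not affected, 1 when any entry reads
# "Vulnerable" or is unrecognised (fail closed), 2 when DIR does not exist,
# which means the running kernel predates the interface and cannot tell us.
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the vulnerabilities sysfs interface" >&2
        return 2
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip an empty-glob literal
        name=$(basename "$f")            # e.g. meltdown, spectre_v1, spectre_v2
        status=$(cat "$f")
        case $status in
            "Not affected"*|"Mitigation:"*) verdict=ok ;;
            "Vulnerable"*)                  verdict=VULNERABLE; bad=1 ;;
            *)                              verdict=UNKNOWN;    bad=1 ;;
        esac
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return $bad
}

# When run as a script, report on the live system (or on the directory given
# as the first argument); check "$?" afterwards for the overall verdict.
report_mitigations "$@"
```

Treating an unrecognised string as a failure is deliberate: newer kernels add files and wording for later variants, and a status the script has not seen should prompt a look rather than a green light.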