‘Kernel memory leaking’ Intel processor design flaw


A fundamental design flaw in Intel’s processor chips related to virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause 5 to 30 per cent slow down of your computer on next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS, will also need to be updated.

This is bad news for Intel. Last year they had AMT vulnerability remote exploit and now this new blow in Intel security. I don’t think that computer buyers like that their computers become slower! 

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.


  1. Tomi Engdahl says:

    Finding a CPU Design Bug in the Xbox 360

    The recent reveal of Meltdown and Spectre reminded me of the time I found a related design bug in the Xbox 360 CPU – a newly added instruction whose mere existence was dangerous

  2. Tomi Engdahl says:

    Intel details performance hit for Meltdown fix on affected processors

    Intel’s Navin Shenoy released the results of several benchmarks done internally, and the performance hit from the deeply rooted processor problem disclosed by Google researchers is mercifully small for modern chips.

    The most recent Kaby Lake processors, introduced late last year, generally see less than 5 percent performance loss in SYSmark14SE, and often none at all.

    But the biggest hit for those CPUs, and in fact most of the others as well, is on “responsiveness,” which according to the benchmark app’s creators includes “application launches, file launches, web browsing with multiple tabs, multi-tasking, file copying, photo manipulation, file encryption + compression, and background application installation.” So, pretty much all the stuff most people need to do.

    Gaming performance seems mostly unaffected,

    It’s those with older processors that may see a real slowdown — for example, the sixth-gen Core i7 6700K released in mid-2015. Its performance losses tip toward the 10 percent level, with responsiveness dropping 31 percent on Windows 10.

    Older setups are possibly even more deeply affected, but we can wait for the results. The real risk with those chips is that they are in embedded or hard to reach systems that are difficult to patch, leaving them open to exploitation. So far there have been no reports of hackers taking advantage of any of these bugs, though — it’s not exactly script kiddie stuff.

    Intel Security Issue Update: Initial Performance Data Results for Client Systems

    Testing Intel Core Processor Platforms and a Variety of Workloads

  3. Tomi Engdahl says:

    Protect your Windows devices against Spectre and Meltdown

    Mitigating Meltdown and Spectre – Windows Server
    How do I mitigate Meltdown and Spectre vulnerabilities?

  4. Tomi Engdahl says:

    Meltdown Patch Broke Some Ubuntu Systems

    Canonical was forced to release a second round of Ubuntu updates that address the recently disclosed CPU vulnerabilities after some users complained that their systems no longer booted after installing the initial patches.

    On January 9, Canonical released Ubuntu updates designed to mitigate Spectre and Meltdown, two recently disclosed attack methods that work against processors from Intel, AMD, ARM, Qualcomm and IBM. The Linux kernel updates mitigate the vulnerabilities that allow the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) attacks.

    Shortly after the kernel was updated to version 4.4.0-108, some Ubuntu users started complaining that their systems had failed to boot. Restoring the system to an earlier version apparently resolved the problem.

    The updates released by Microsoft in response to the CPU flaws also caused problems, but only for users with some older AMD processors. The company has decided to no longer deliver the updates to AMD devices until compatibility issues are resolved. In the case of Ubuntu, however, the update has affected users with Intel processors.

  5. Tomi Engdahl says:

    AMD Working on Microcode Updates to Mitigate Spectre Attack

    AMD has informed customers that it will soon release processor microcode updates that should mitigate one of the recently disclosed Spectre vulnerabilities, and Microsoft has resumed delivering security updates to devices with AMD CPUs.

    Shortly after researchers revealed the Spectre and Meltdown attack methods, which allow malicious actors to bypass memory isolation mechanisms and access sensitive data, AMD announced that the risk of attacks against its products was “near zero.”

    The company has now provided additional information on the matter, but maintains that the risk of attacks is low.

    According to AMD, its processors are not vulnerable to Meltdown attacks thanks to their architecture. They are, however, vulnerable to Spectre attacks.

    Spectre attacks are made possible by two vulnerabilities: CVE-2017-5753 and CVE-2017-5715. The former does impact AMD processors, but the chipmaker is confident that operating system patches are sufficient to mitigate any potential attacks.

  6. Tomi Engdahl says:

    Spectre and Meltdown Attacks Against Microprocessors

    The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which of course is not a solution — is to throw them all away and buy new ones.

    This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other users on the same hardware.

    Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

  7. Tomi Engdahl says:

    IBM Starts Patching Spectre, Meltdown Vulnerabilities

    IBM has started releasing firmware patches for its POWER processors to address the recently disclosed Meltdown and Spectre vulnerabilities. The company is also working on updates for its operating systems, but those are expected to become available only next month.

    On January 4, one day after researchers disclosed the Meltdown and Spectre attack methods against Intel, AMD and ARM processors, IBM informed customers that it had started analyzing impact on its own products. On Tuesday, the company revealed that its POWER processors are affected.

    IBM told customers that attacks against its Power Systems server line can be fully mitigated only by installing both firmware and operating system patches.

  8. Tomi Engdahl says:

    NVIDIA Updates GPU Drivers to Mitigate CPU Flaws

    NVIDIA has released updates for its GPU display drivers and other products in an effort to mitigate the recently disclosed attack methods dubbed Meltdown and Spectre.

    Shortly after researchers revealed the existence of the flaws that allow Meltdown and Spectre exploits, which can be leveraged to gain access to sensitive data stored in a device’s memory, NVIDIA announced that its GPU hardware is “immune,” but the company has promised to update its GPU drivers to help mitigate the CPU issues.

    The Meltdown and Spectre vulnerabilities affect processors from Intel, AMD and ARM. Similar to Qualcomm, some of NVIDIA’s system-on-chip (SoC) products rely on ARM CPUs and the company has promised to develop mitigations.

    On Tuesday, NVIDIA informed customers about the availability of GPU display driver updates that include mitigations for one of the Spectre vulnerabilities, specifically CVE-2017-5753. The company is still working on determining if the second Spectre flaw, CVE-2017-5715, affects its GPU drivers. On the other hand, there is no indication that the drivers are impacted by the Meltdown vulnerability (CVE-2017-5754).

  9. Tomi Engdahl says:

    Intel says some data center customers using Broadwell and Haswell processors are reporting more system reboots after applying patch for Meltdown and Spectre — (Reuters) – Intel Corp on Thursday said that recently issued patches for flaws in its chips could cause computers using its older Broadwell …

    Intel says patches can cause reboot problems in old chips

    Intel Corp on Thursday said that recently issued patches for flaws in its chips could cause computers using its older Broadwell and Haswell processors to reboot more often than normal and that Intel may need to issue updates to fix the buggy patches.

    Earlier on Thursday, the Wall Street Journal reported that Intel was asking cloud computing customers to hold off installing patches that address new security flaws that affect nearly all of its processors because the patches have bugs of their own.

  10. Tomi Engdahl says:

    AMD is releasing Spectre firmware updates to fix CPU vulnerabilities
    Zero risk, but not zero impact

    AMD’s initial response to the Meltdown and Spectre CPU flaws made it clear “there is a near zero risk to AMD processors.” That zero risk doesn’t mean zero impact, as we’re starting to discover today. “We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat,” says Mark Papermaster, AMD’s chief technology officer.

    AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors “over the coming weeks.” Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these.

    AMD is also revealing that its Radeon GPU architecture isn’t impacted by Meltdown or Spectre, simply because those GPUs “do not use speculative execution and thus are not susceptible to these threats.”

  11. Tomi Engdahl says:

    Google claims its Spectre and Meltdown mitigation results in no performance degradation

    The company’s Project Zero team discovered the chip vulnerabilities last year as it outlined in a blog post last week. As Google explained it, there are three variants here. The first two are known as Spectre and the third as Meltdown. The spooky nicknames just add to the drama of this entire event.

    Every chip has a protected area which prevents one application from seeing what another is doing. This is by design to protect critical security information like usernames, passwords and encryption keys. These vulnerabilities have the potential to leave this information exposed if exploited correctly.

    As Google so aptly pointed out, these vulnerabilities have been in place inside modern chips for 20 years. It’s worth noting that there hasn’t been a documented case of anyone exploiting these issues

    With its head start on this issue — a luxury not every vendor had, by the way — the company was able to come up with solutions for Variants 1 and 3 as far back as September. With a large testbed of data, it reports neither customers nor internal users are experiencing any kind of perceptible performance degradation using Google’s platform or software services.

    “No GCP customer or internal team has reported any performance degradation.”

    Variant 2 proved to be much more challenging for the Google engineering team. For a time, the team believed the only way to protect against this exploit was to shut down speculative execution

    came up with a solution that came to be known as “Retpoline.”

    As Google describes this, “With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.”

    To its credit, the company has shared all of its research and solutions publicly

    Earlier today, Intel announced it discovered some performance hits after implementing its own mitigation solutions at the chip level.

    Protecting our Google Cloud customers from new vulnerabilities without impacting performance

    Modern CPUs and operating systems protect programs and users by putting a “wall” around them so that one application, or user, can’t read what’s stored in another application’s memory. These boundaries are enforced by the CPU.

    In September, we began deploying solutions for both Variants 1 and 3 to the production infrastructure that underpins all Google products—from Cloud services to Gmail, Search and Drive—and more-refined solutions in October. Thanks to extensive performance tuning work, these protections caused no perceptible impact in our cloud and required no customer downtime in part due to Google Cloud Platform’s Live Migration technology.

    it was clear from the outset that Variant 2 was going to be much harder to mitigate.

    With the performance characteristics uncertain, we started looking for a “moonshot”—a way to mitigate Variant 2 without hardware support. Finally, inspiration struck in the form of “Retpoline”—a novel software binary modification technique that prevents branch-target-injection

    With Retpoline, we didn’t need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker.

    With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications.

    We immediately began deploying this solution across our infrastructure. In addition to sharing the technique with industry partners upon its creation, we open-sourced our compiler implementation in the interest of protecting all users.

  12. Tomi Engdahl says:

    Retpoline: a software construct for preventing branch-target-injection

    Executive Summary
    “Retpoline” sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches.

    The name “retpoline” is a portmanteau of “return” and “trampoline.” It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will “bounce” endlessly.

    (If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.)

  13. Tomi Engdahl says:

    Intel tried desperately to change the subject from Spectre and Meltdown at CES

    It was so bad that the chip maker has to be thrilled to have CES, the massive consumer technology show going on this week in Las Vegas, as a way to change the subject and focus on the other work they are doing.

    For starters, CEO Brian Krzanich had to deal with the elephant in the room at the company keynote on Monday. Spectre and Meltdown patches were coming to 90 percent of the company’s affected chips by next week.

    …perhaps its biggest security scare in its history.”

    It didn’t help matters when Intel’s patch proved buggy and caused some systems to reboot.

    Mitigation efforts have been coming fast and furious from every corner: from chip vendors, from the OS vendors like Microsoft and Apple and from very nearly everyone else. There is concern that the mitigation solutions could in fact slow down computers substantially.

    The company began making a flurry of announcements, planned long before the chip flaws became public last week.

  14. Tomi Engdahl says:

    Intel is having reboot issues with its Spectre-Meltdown patches

    It hasn’t been a fun time to be Intel. Last week the company revealed two chip vulnerabilities that have come to be known as Spectre and Meltdown and have been rocking the entire chip industry ever since (not just Intel). This week the company issued some patches to rectify the problem. Today, word leaked that some companies were having a reboot issue after installing them. A bad week just got worse.

    “We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Shenoy wrote.


  15. Tomi Engdahl says:

    Russell Brandom / The Verge:
    How the Meltdown and Spectre vulnerabilities stayed secret for 7 months but were eventually revealed after rumors and suspicious Linux kernel patches surfaced

    Keeping Spectre secret
    How an industry-breaking bug stayed secret for seven months — and then leaked out

    How do you keep a flaw this big a secret long enough for everyone involved to fix it?

    Disclosure is an old problem in the security world. Whenever a researcher finds a bug, the custom is to give vendors a few months to fix the problem before it goes public and bad guys have a chance to exploit it. But as those bugs affect more companies and more products, the dance becomes more complex. More people need to be told and kept in confidence as more software needs to be quietly developed and pushed out. With Meltdown and Spectre, that multi-party coordination broke down and the secret spilled out before anyone was ready.

    Disclosure is an old problem in the security world. Whenever a researcher finds a bug, the custom is to give vendors a few months to fix the problem before it goes public and bad guys have a chance to exploit it. But as those bugs affect more companies and more products, the dance becomes more complex. More people need to be told and kept in confidence as more software needs to be quietly developed and pushed out. With Meltdown and Spectre, that multi-party coordination broke down and the secret spilled out before anyone was ready.

    That early breakdown had consequences. After the release, basic questions of fact became muddled, like whether AMD chips are vulnerable to Spectre attacks (they are), or whether Meltdown is specific to Intel. (ARM chips are also affected.) Antivirus systems were caught off guard, unintentionally blocking many of the crucial patches from being deployed. Other patches had to be stopped mid-deployment after crashing machines. One of the best tools available for dealing with the vulnerability has been a tool called Retpoline, developed by Google’s incident response team

    But according to senior vulnerability analyst Will Dormann, CERT wasn’t aware of the issue until the Meltdown and Spectre websites went live, which led to even more chaos. The initial report recommended replacing the CPU as the only solution.

    For a processor design flaw, the advice was technically true, but only stoked panic as IT managers imagined prying out and replacing the central processor for every device in their care. A few days later, Dormann and his colleagues decided the advice wasn’t actionable and changed the recommendation to simply installing patches.

    “I would have liked to have known,” Dormann says. “If we’d known about it earlier, we would have been able to produce a more accurate document, and people would have been more educated right off the bat, as opposed to the current state, where we’ve been testing patches and updating the document for the past week.”

  16. Tomi Engdahl says:

    What are Meltdown and Spectre? Here’s what you need to know.

    Conventional industry wisdom was that whatever happened during the process of speculation (known as a “speculative execution window”) was either later confirmed and the results were used by the program, or it was not used and completely discarded. But it turns out that there are ways attackers can view what happened within the speculation window and manipulate the system as a result. An attacker can also steer the behavior of branch predictors to cause certain code sequences to run speculatively that should never normally have been executed.

    Meltdown (variant 3) which received a lot of attention because of its broad impact. In this form of attack, the chip is fooled into loading secured data during a speculation window in such a way that it can later be viewed by an unauthorized attacker. The attack relies upon a commonly-used, industry-wide practice that separates loading in-memory data from the process of checking permissions. Again, the industry’s conventional wisdom operated under the assumption that the entire speculative execution process was invisible

    Mitigating Meltdown involves changing how memory is managed between application software and the operating system. We introduce a new technology, known as KPTI (Kernel Page Table Isolation), which separates memory such that secure data cannot be loaded into the chip’s internal caches while running user code.

    The Spectre attack has two parts. The first (variant 1) has to do with “bounds check” violation.

    it is possible to arrange for code to execute speculatively and read data it should not into the system caches, from where it can be extracted using a side-channel attack

    Mitigating the first part of Spectre involves adding what we call “load fences” throughout the kernel.

    These require small, trivial, and not particularly performance-impacting changes throughout the kernel source.

    The second part of Spectre (variant 2) is in some ways the most interesting. It has to do with “training” the branch predictor hardware to favor speculatively executing pieces of code over those it should be executing.

    By carefully choosing a “gadget” (existing code in the kernel that has access to privileged data) the attacker can load sensitive data in the chip caches, where the same kind of side-channel attack once again serves to extract it.

    One of the biggest problems posed by this second part of Spectre is its potential to exploit the boundary between the operating system kernel and a hypervisor, or between different virtual machines running on the same underlying hardware.

    Mitigating this second part of Spectre requires that the operating system (selectively) disable branch prediction hardware whenever a program requests operating system (system call) or hypervisor services

    This approach works well, but it comes at a performance penalty that is not insignificant. Red Hat’s patches will default to implementing the security change and accepting the performance impact, but we’ve also added system administrators the ability to toggle this (and all the implemented settings) on or off.

    It’s important to bear in mind that these are early days following the discovery of an entirely new class of system security vulnerabilities, and, as a result, mitigations and associated best practice advice may change over time.

  17. Tomi Engdahl says:

    AMD chips exposed to both variants of Spectre security flaw

    (Reuters) – Advanced Micro Devices Inc said on Thursday its microprocessors are susceptible to both variants of the Spectre security flaw, days after saying its risk for one of them was “near zero”.

    In a subsequent statement Thursday, AMD said there was “no change” to its position on the susceptibility of its chips to Spectre, but shares fell as much as 4.0 percent after the first AMD announcement.

    AMD’s shares have gained nearly 20 percent since the flaws were made public on Jan. 3 as investors speculated that it could wrest market share from Intel, which is most exposed to the flaws because it is vulnerable to all three variants.

  18. Tomi Engdahl says:

    Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

    Sun ZFS Storage Appliance users: brace for super-critical fix

    Oracle still has nothing to say about whether the Meltdown or Spectre vulnerabilities are a problem for its hardware.

    Big Red today offered The Register another “no comment”, making it a notable absentee from the Intel’s list of x86 vendors’ advisories on how to handle the twin problems.

  19. Tomi Engdahl says:

    Meltdown Patch Broke Some Ubuntu Systems

    Canonical was forced to release a second round of Ubuntu updates that address the recently disclosed CPU vulnerabilities after some users complained that their systems no longer booted after installing the initial patches.

    On January 9, Canonical released Ubuntu updates designed to mitigate Spectre and Meltdown, two recently disclosed attack methods that work against processors from Intel, AMD, ARM, Qualcomm and IBM. The Linux kernel updates mitigate the vulnerabilities that allow the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) attacks.

    Shortly after the kernel was updated to version 4.4.0-108, some Ubuntu users started complaining that their systems had failed to boot. Restoring the system to an earlier version apparently resolved the problem.

    The updates released by Microsoft in response to the CPU flaws also caused problems, but only for users with some older AMD processors. The company has decided to no longer deliver the updates to AMD devices until compatibility issues are resolved.

  20. Tomi Engdahl says:

    Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
    Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
    Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

  21. Tomi Engdahl says:

    What Spectre and Meltdown Mean For WebKit

    WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.

    WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.
    Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.

    Spectre and Security Checks
    Spectre means that branches are no longer sufficient for enforcing the security properties of read operations in WebKit. The most impacted subsystem is JavaScriptCore (WebKit’s JavaScript engine). Almost all bounds checks can be bypassed to read arbitrarily out-of-bounds. This could allow an attacker to read arbitrary memory. All type checks are also vulnerable. For example, if some type contains an integer at offset 8 while another type contains a pointer at offset 8, then an attacker could use Spectre to bypass the type check that is supposed to ensure that you can’t use the integer to craft an arbitrary pointer.

    JavaScriptCore is meant to be a secure language virtual machine. It should be possible to load untrusted JavaScript or WebAssembly code into your process without the risk of your process’s memory being leaked to the JavaScript code except in cases where you explicitly export data to JavaScript via our C or Objective-C binding API. Spectre breaks this property of JavaScriptCore because untrusted JavaScript or WebAssembly now has a theoretical path to reading all of the host process’s address space.

    The CPU has the ability to initiate loads from main memory into L1 (the CPU’s level 1 memory cache, which is the fastest and smallest) while executing speculatively. As a performance optimization, the CPU does not undo fetches into L1 when rolling back speculative execution. This leads to a timing-based information leak

  22. Tomi Engdahl says:

    What VMware vSphere admins need to know about Meltdown and Spectre

  23. Tomi Engdahl says:

    Fake Meltdown/Spectre Patch Installs Malware

    Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

    Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

    Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

    Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

    The attack was spotted soon after the German authorities issued a warning on phishing emails trying to take advantage of infamous bugs started to appear.

  24. Tomi Engdahl says:

    Meltdown Code Proves Concept

    If you’ve read about Meltdown, you might have thought, “how likely is that to actually happen?” You can more easily judge for yourself by looking at the code available on GitHub. The Linux software is just proof of concept, but it both shows what could happen and — in a way — illustrates some of the difficulties in making this work. There are also two videos in the repository that show spying on password input and dumping physical memory.

    The interesting thing is that there are a lot of things that will stop the demos from working. For example a slow CPU, a CPU without out-of-order execution, or an imprecise high-resolution timer. This is apparently especially problematic in virtual machines.

    Because of the nature of the hack, it is possible to not read data correctly every time. One of the demos measures the reliability of reading using the Meltdown method. The example shows a 99.93% success rate.

    The real work is done in libkdump which is less than 500 lines of C code. Well — actually, it is a good bit of assembly embedded in the C file. There are a lot of things that will stop the code from working, but you can imagine that some of the code could be improved, too.


  25. Tomi Engdahl says:

    Google, Intel, Microsoft, Others Scramble to Fix Cybersecurity Vulnerabilities

    Big names in the electronics industry, including Google, Intel and Microsoft, are struggling to repair security holes brought about by recently revealed weakness in hardware.

    Hardware flaws may be the new big security gap in computers and phones. In the last few days, it has become apparent that Intel, Microsoft, and other leading electronics companies have been struggling for months to overcome security holes that affect billions of processors worldwide. Intel, Microsoft, and Google released statements assuring customers the fixes are complete or in process. Yet some experts warn that the fixes could hurt performance.

    Some Fixes Are Still on the Way

    The vulnerability apparently has the potential to let attackers through security barriers. “The flaw allows apps or hackers to bypass Kernel security systems and access cached sensitive information within the memory,” Marty P. Kamden, CMO of NordVPN told Design News. “This has led to the redesign of Windows and Linux Kernels. It seems that this particular bug has probably impacted most of the Intel processors manufactured in the past 10 years.”

    Some systems have already been updated with fixes, while other system repairs are still in the process of updating. “Apple and Linux developers have released patches that in one way or another are able to mitigate the possible damage which might emerge from this major flaw, while Windows users must still wait for an update,” said Kamden. “We recommend that people keep their devices updated regardless of the OS used. However, each person must assess their threat level individually until all security patches are completed and publicly released.”

  26. Tomi Engdahl says:

    Meltdown, Spectre Repeat Hard Security Lessons
    Speculative execution won’t go away

    Vendors are still issuing patches and starting to think about optimizations for them after last week’s disclosure of one of the largest security flaws ever to hit microprocessors. Meltdown and Spectre provided the latest painful lesson about the nature of what’s known in the security world as common vulnerabilities and exposures (CVEs).

    The U.S. maintains what aims to be an authoritative list of CVEs. As of this writing, it included a whopping 94,971 entries.

    Vendors typically assign teams to keep up with the flow of new hacks and patches for them. But few are as broad as Meltdown and Spectre that affect microprocessors that support speculative execution. The technique is used widely in high-end chips shipped over the last several years from companies including AMD, ARM, Apple, IBM, Intel, Oracle, and others.

    Reuters reported that about 5% of the 120 billion chips that ARM has shipped to date may be affected by Spectre, but fewer would be susceptible to Meltdown. Intel and AMD have not disclosed how many of their chips are affected

  27. Tomi Engdahl says:

    Cyber Attacks Continue to Succeed

    Spectre and Meltdown demonstrate weaknesses in current hardware cybersecurity that will force a huge paradigm shift within the semiconductor industry.

    Spectre and Meltdown, two methods of exploiting security vulnerabilities found in Intel, AMD and Arm processors, demonstrate weaknesses in current hardware cybersecurity that will force a huge paradigm shift within the semiconductor industry.

    Software-based cybersecurity, the go-to measure to ensure a system won’t be hacked, addresses software vulnerabilities but overlooks hardware design. That’s because more than $150 billion is spent a year on software-based cyber security tools, while relatively little is spent on hardware security tools, and there continues to be a stream of hacks and breaches.

  28. Tomi Engdahl says:

    This repository contains several applications, demonstrating the Meltdown bug.

  29. Tomi Engdahl says:

    Spectre and PowerPC Chips »
    Spectre’s impact on the G3, G4 and G5 families of processors has been documented.
    Spoiler alert: The G3 and early G4s are resistant to the exploit.

    Actual field testing of Spectre on various Power Macs (spoiler alert: G3 and 7400 survive!)

    Spectre example code – x86 / x86_64 and PowerPC

  30. Tomi Engdahl says:

    CPU Exploits Meltdown And Spectre Could Potentially Affect Nintendo Switch
    Nvidia “preparing appropriate mitigations”

  31. Tomi Engdahl says:

    Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update

    Oracle on Tuesday released its first Critical Patch Update for 2018 to deliver 237 new security fixes across its product portfolio. Over half of the addressed vulnerabilities could be remotely exploited without authentication.

    As part of the January 2018 Critical Patch Update, Oracle released fixes for the Critical processor vulnerabilities made public in the beginning of the year, namely Spectre and Meltdown. Impacting modern processors, the bugs put billions of devices at risk, and vendors have been working hard to address them over the past several weeks.

    “The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities,” Oracle notes in its advisory. Specific details, however, are included in a separate note, accessible only to its customers.

  32. Tomi Engdahl says:

    When Speculation Is Risky: Understanding Meltdown and Spectre
    Posted on:January 5, 2018 at 9:13 am
    Posted in:Vulnerabilities
    Author: Trend Micro
    By Vit Sembera

  33. Tomi Engdahl says:

    Spectre still unfixed, unlike what Intel says
    Last active Jan 15, 2018

    On January 4th, 3 separate vulnerabilities were released, the two first ones being named Spectre (Variant 1 and 2) and the third one being Meltdown (Variant 3).

    Intel CPUs are affected by all vulnerabilities, as are Apple A-series CPUs used on iOS devices, nVidia Tegra X2, the ARM Cortex-A75 and the Qualcomm Snapdragon 845 CPUs. CPUs with speculative execution from other manufacturers (other ARM “big” cores, AMD CPUs, PowerPC, …) are affected by Spectre but not Meltdown.

    In-order CPUs (such as ARM Cortex-A7 or ARM Cortex-A53, as are Atoms before 2013) are not affected by Meltdown and Spectre.

    Meltdown (Variant 3) : CVE-2017-5754

    Meltdown has been fixed on the Linux kernel through a patchset named KPTI, which affects performance differently depending on the workload. The effects are negligible for typical desktop usage, but some server workloads are heavily impacted.

    KPTI is only available for 64-bit operating systems. Some 32-bit operating systems such as Mac OS X are immune because they use separate memory maps for kernel and userspace, at does Linux with a 4GB/4GB memory split.

    Spectre (Variant 2) : CVE-2017-5715


    It’s fixed on Windows on Intel and AMD systems with a microcode update delivered by the OEM, using IBPB and IBRS when available. If no microcode update is done, LFENCE is implemented on Windows as a mitigation for the kernel.


    Spectre (Variant 2) is still unfixed on Linux at this time.

    It’ll be fixed with a mitigation called retpoline (with 5-10% performance impact in server use, should be negligible for customers) on Intel CPUs, which requires recompiling applications for full protection.

    On Skylake and later, retpoline is only “98%” effective, aka probably workaroundable in the future.

    Spectre (Variant 1) : CVE-2017-5753

    Spectre (Variant 1) is a bounds-checking exploit during branching. This issue is fixed with a kernel patch which isn’t mainlined yet in the Linux kernel according to Red Hat. The flaw shouldn’t exist on Windows, but can exist on third-party drivers used on the operating system. It’ll have to be fixed for JITs such as web browsers too, it allows reading all the data of the current process otherwise.

    Meltdown is currently patched for Linux & Windows. Spectre (Variant 2) is underway for Linux and not done yet for mainline.

    Spectre (Variant 1) isn’t currently patched on Linux, and the Windows kernel is immune unless one of the installed drivers is vulnerable. Applications interpreting/JITting untrusted code such as web browsers need updates regardless of OS updates for Spectre (Variant 1).


    On Windows, Spectre (Variant 2) is patched for user-mode applications if Intel or AMD microcode updates are applied via a BIOS/UEFI update, ask your OEM/PC manufacturer for an firmware update that adds December/January 2018 microcode. Otherwise, application-specific updates are required, and only the kernel is protected (an app can snoop on another application, or even a browser tab on your passwords and such in theory).

    Warning: For Windows systems, microcode updates have to be shipped via the BIOS/UEFI to protect against Spectre (Variant 2) across applications.

    Warning 2: 32-bit Windows does not have Meltdown patches. Beware.

    Warning 3: Windows XP/Vista and Windows Server 2003/2008 will never get Meltdown updates. Windows 8.0 is out of support, it’ll not get Meltdown updates too.


    Linux isn’t patched against Spectre. Vendor-specific kernels that have patches against those aren’t properly validated and can result in data corruption. Some of them might not even boot on some machines. They’re also not optimized and can cause large performance regressions.

    Application-specific updates will be required to mitigate against Spectre (Variant 2) when IBRS=1 without IBPB, LFENCE, or retpoline mitigations are used kernel-side. Retpoline isn’t fully effective for Skylake and later microarchitectures.

  34. Tomi Engdahl says:

    I don’t like how Meltdown and Spectre – releated bugs were handled

    Brief history

    Bugs related to the x86-64 architecture were found by 4 different people or teams, who were willing to disclose this information to Intel (and maybe AMD and ARM Holdings). There is supposedly no way of knowing for how long these – introduced around 2006 – bugs were in use*.
    Knowledge that something stinks around Intel has been made public – of all places – on Tumblr, 4chan and than reddit. Earlier there was the cyber.wtf post on possible issues with Speculative execution and Brian Krzanich – Intel’s CEO – selling as much Intel stock as possible (he is forced to still own some as per his agreement).

    As I have an opportunity to do so publicly – I would like to thank every person involved in discovering and disclosing these bugs to Intel. Your work is huge!

    How I see the timeline

    Meltdown, Spectre and BSD – the “pissed” part

    Part of my work is UNIX-like systems administration – including BSDs and Linuces. As much as I am happy with Linux changes already made, I am beyond pissed about how the BSDs were handled by Intel – because they were not.

    BSD user base too small?

    BSD user base is small in comparison to Linux. Seems that it’s too small for Intel. PlayStation4 consoles are FreeBSD-based (and use AMD CPUs) but I think it’s safe to say that gaming devices are not the most important systems to be fixed. Netflix serves their content off FreeBSD but the bugs are not remotely exploitable (possibly not including JavaScript, but it’s running someone’s code locally) so there’s probably not much harm to be done here either.
    However gamers and Netflix aren’t the only ones who use *BSD systems. I’d say that there is more than a few FreeBSD, NetBSD, OpenBSD and DragonFlyBSD servers on the internet.

    In March 2017, Intel promised “more timely support to FreeBSD”. They knew about flaws in their CPUs in June and decided that a timely manner is the end of December – short before the embargo was to be lifted.

    Secretive comments and publishing new Linux kernel code did not help. My wording may be strong, but I’m looking at Linux developers here as the people who leaked the information on the bugs. As it was embargo’ed – I see no real reason to publicly post the code that included speculative comments (pun intended) and macros for the whole world to see.

    Anyway, the embargo was to be lifted today (January 9; probably because it is the second Tuesday of the month and Windows patches were to be pushed today) and there are no fixes available yet for OpenBSD, NetBSD and FreeBSD.

    Intel and Google (probably Intel more): it was your job to pick the correct people to whom the bugs can be disclosed. In my humble opinion you chose poorly by disclosing these issues with ONLY Apple, Microsoft, and the Linux Foundation, of OS vendors. You did much harm to the BSD community.

  35. Tomi Engdahl says:

    Power Systems And The Spectre And Meltdown Threats

    Speculative execution is something that has been part of modern processors for well over a decade, and while it is hard to quantify how much of a performance benefit this collection of techniques have delivered, it is obviously significant enough that all CPUs, including IBM Power and System z chips, have them. And that, as the new Spectre and Meltdown security holes that were announced by Google on January 3 show, turns out to be a big problem.

    Without getting too deep into the technical details, there are many different ways to implement speculative execution, which is used to keep the many instruction pipelines and layers of cache in a processor busy doing what is hoped will be useful work.

    It is a pity then that the Spectre and Meltdown security vulnerabilities, which allows for user-level applications to see data they are not authorized to see in the privileged kernel memory space of operating systems, go right to the heart of modern processors. The fixes to these issues, which Google has documented here and which the search engine giant and the rest of the CPU and operating system industry has been working to try to solve since last June without any of us knowing about it, do not require turning off speculative execution. (We are pretty sure no one can do this, which is why these vulnerabilities are so insidious.) But the fixes do place some overhead on systems as user-level memory addresses are blocked off from kernel-level memory to keep the one from seeing the other.

    More details about mitigations for the CPU Speculative Execution issue

  36. Tomi Engdahl says:

    Why the Raspberry Pi’s immune to the Meltdown and Spectre bugs

    While the Meltdown and Spectre CPU flaws have caused widespread security issues for expensive, high-end computers using Intel, ARM and AMD chips, there’s one processor that remains blissfully unaffected – the humble Raspberry Pi.

    “Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly,” Raspberry Pi founder Eben Upton explained in a blog post, “while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve.”

    “Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort.”

    So while your top-of-the-range work device might be vulnerable to hackers, your garage Pi project remains happily safe from the threat.

  37. Tomi Engdahl says:

    Test program for Spectre vulnerabilities:
    Metioned at https://www.tivi.fi/Kaikki_uutiset/onko-tietokoneesi-altis-superhaavoittuvuuksille-nain-testaat-nopeasti-6697047

    Download from https://www.grc.com/inspectre.htm

    So we are hopeful that this SmartScreen false alarm will disappear soon.

    In the meantime, PLEASE do not get a copy of this program from any 3rd-party download site, since that one could actually be malicious.

  38. Tomi Engdahl says:

    Intel Forms New Security Group to Avoid Future Meltdowns

    Intel just moved some high level people around to form a dedicated security group.

    When news of Meltdown and Spectre broke, Intel’s public relations department applied maximum power to their damage control press release generators. The initial message was one of defiance, downplaying the impact and implying people are over reacting. This did not go over well. Since then, we’ve started seeing a trickle of information from engineering and even direct microcode updates for people who dare to live on the bleeding edge.

    All the technical work to put out the immediate fire is great, but for the sake of Intel’s future they need to figure out how to avoid future fires.

    Intel reorganizes amid tumult over computer chip flaw

    “Security is Job No. 1 for Intel and our industry,” Intel CEO Brian Krzanich said during his keynote address Monday night at the Consumer Electronics Show in Las Vegas.

  39. Tomi Engdahl says:

    “We do not have Meltdown trouble”

    The vulnerability discovered by Intel’s CPU manners last year, the 22-year-old Google security guard Jann Horn, is now known as Specter and Meltdown. Problems are far from disappearing, as new reports are being consulted all the time. Not all vulnerabilities apply.

    FPGA manufacturer Microsemi yesterday sent a bulletin saying that none of its products is susceptible to Spectre or Meltdown. The company’s products have embedded x86 and ARM processors, but an accurate and careful analysis has revealed that vulnerabilities do not affect its products.

    Intel, for its part, now reports that it has upgraded 90 percent of the processors introduced in the last five years. According to the company’s latest data, patches are likely to protect against vulnerabilities, but users in particular in data centers have reported increased system crashes.

    Intel has identified problems with the Ivy Bridge, Snady Bridge, Skylake and Kaby Lake series processors, and is currently working on patching

    Source: http://etn.fi/index.php?option=com_content&view=article&id=7417&via=n&datum=2018-01-18_15:13:40&mottagare=31202

  40. Tomi Engdahl says:

    Mariella Moon / Engadget:
    Intel admits Spectre and Meltdown patches also affect newer Skylake and Kaby Lake chips, with performance impact between 2% and 25%, promises fix next week — Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches.

    Intel admits Spectre patch problems also affect newer Core chips
    The chipmaker said it’s working on a fix for its buggy Spectre/Meltdown patches.

    Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches. The chipmaker previously said that the reboot issue affects systems running Broadwell and Haswell. Now that it has managed to reproduce the problem internally in an effort to fix it, the company found that a similar behavior can occur in platforms powered by Skylake and Kaby Lake, which are newer than Haswell and Broadwell. Ivy Bridge- and Sandy Bridge-based systems, both older cores, are also susceptible to the bug. Thankfully, Intel VP Navin Shenoy said that they’re close to identifying the problem’s root issue. “In parallel,” he added, “we will be providing beta microcode to vendors for validation by next week.”

    Shenoy also discussed how the Spectre and Meltdown fixes will affect servers, staying true to Intel’s promise to be more transparent. He revealed the initial data the company got from benchmarking server platforms using two-socket Intel Xeon Scalable — its latest microarchitecture — systems. It found that the fixes don’t affect servers’ energy efficiency and it didn’t detect a slowdown when running Java business applications. However, it detected minimal impact of around 2 to 4 percent in some cases and saw significant slowdowns when it ran tests simulating different types of input/output (I/O) loads.

  41. Tomi Engdahl says:

    Intel Tests Performance Impact of CPU Patches on Data Centers

    Intel Patches for Meltdown and Spectre Cause More Frequent Reboots

    Intel on Wednesday shared information on the performance impact of the Meltdown and Spectre patches on data centers, and the company told customers that systems with several types of processors may experience more frequent reboots after firmware updates are installed.

    Performance impact on data centers

    Roughly one week ago, Intel informed customers that the mitigations for the recently disclosed CPU flaws should have a negligible performance impact for operations typically conducted on home and business PCs. The company reported seeing performance penalties ranging from 2-14% on these types of systems.

    Intel has also conducted some performance tests on data centers and the initial results show that, as expected, impact depends on the type of workload and the configuration of the system.


  42. Tomi Engdahl says:

    AMD, Apple Sued Over CPU Vulnerabilities

    Apple and Advanced Micro Devices (AMD) are also facing class action lawsuits following the disclosure of critical CPU vulnerabilities that affect billions of devices.

    The Meltdown and Spectre attack methods, which rely on vulnerabilities that have been around for roughly two decades, allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Attacks can be launched against systems using processors from Intel, AMD, ARM, and others.

    Intel was hit the hardest – a majority of its processors are affected and they are the most likely to be targeted in attacks – so it came as no surprise when several class action lawsuits were filed against the company. However, lawsuits were also filed recently against AMD and Apple.

    In the case of AMD, the lawsuits focus on the fact that, shortly after the existence of Meltdown and Spectre came to light, the company claimed that the risk of attacks against its customers was “near zero” due to the architecture of its processors. The company later admitted that the two vulnerabilities that allow Spectre attacks do affect its CPUs.

    The value of AMD shares went up after the company claimed that its products were not affected, but fell by $0.12, or nearly 1%, after the company confirmed on January 11 that its CPUs are in fact vulnerable to Spectre attacks.

  43. Tomi Engdahl says:

    Skyfall and Solace Attacks On CPUs. Because Meltdown and Spectre vulnerabilities were not enough for us ;) Seriously exploits these days come with so much string attached and branding too. As usual big boys/Tire I will be first to fix it. Not sure if is hoax or real stuff. Secrecy around the bug(s) is suspicious for sure. I wonder how many CPU exploits exist in wild that nobody knows about it.

    Skyfall and Solace
    More vulnerabilities in modern computers.

    Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.

    Full details are still under embargo

  44. Tomi Engdahl says:

    U.S. lawmaker asks Intel, others for briefing on chip flaws

    A Democratic U.S. lawmaker asked Intel Corp and two other microchip makers on Tuesday to provide a briefing on the recently detected Spectre and Meltdown security flaws that could allow hackers to steal information from most computers and devices.

    “I am looking to better understand the nature of these critical vulnerabilities, the danger they pose to consumers, and what steps your companies plan to take to protect consumers,” California Representative Jerry McNerney wrote to the chief executives of Intel, Softbank-owned Arm Holdings and Advanced Micro Devices.

    McNerney, a member of the House Energy and Commerce Committee, asked the companies to explain the scope of Spectre and Meltdown, their timeframe for understanding the vulnerabilities, how consumers are affected and whether the flaws have been exploited, among other questions.


Leave a Comment

Your email address will not be published. Required fields are marked *