Remember Spectre and Meltdown

Here is an overview of Spectre and Meltdown vulnerabilities that got a lot of publicity in January 2018. Meltdown and Spectre the two original transient execution CPU vulnerabilities. The Meltdown and Spectre vulnerabilities were considered “catastrophic” by security analysts. The vulnerabilities are so severe that security researchers initially believed the reports to be false.

In January 3, 2018 I saw first news on the new processor vulnerabilities. I kept researching on the topics, and write one of the early news article on those to Uusiteknologia.fi magazine Suorittimissa tietoturvaongelmia – myös ARM-suorittimissa that was published in early morning January 4, 2018 (to my knowledge the first news on those in Finnish language ). My research on the topic included international news and reading newest changes made to Linux Kernel source code.

Soon a web site https://meltdownattack.com/ was made to tell about those vulnerabilities (it was planned to be published later when all the fixes were out, but was publishes earlier than planned because information had leaked out). The two vulnerabilities were made public jointly, on 3 January 2018, several days ahead of the coordinated release date of 9 January 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list.

meltdownspectre

Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL), in January 2018. The same research teams that discovered Meltdown also discovered Spectre. On 1 February 2017, the CVE numbers 2017-5715, 2017-5753 and 2017-5754 were assigned to Intel. Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.

Meltdown relies on a CPU race condition that can arise between instruction execution and privilege checking. Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM-based processors

The issued were much older. There had been already some some technical talks material “under the radar” information and that would indicate that Intel processors could have a serious vulnerability that waits to be fixed. On 27 December 2016, at 33C3, Clémentine Maurice and Moritz Lipp of TU Graz presented their talk “What could possibly go wrong with ? Side effects include side-channel attacks and bypassing kernel ASLR” which outlined already what was coming. On 27 February 2017, Bosman et al. of Vrije Universiteit Amsterdam published their findings of how address space layout randomization (ASLR) could be abused on cache-based architectures at the NDSS Symposium. On 27 March 2017, researchers at Graz University of Technology in Austria developed a proof-of-concept that could grab RSA keys from Intel SGX enclaves. In July 2017, research made public on the CyberWTF website by security researcher Anders Fogh outlined the use of a cache timing attack to read kernel space data by observing the results of speculative operations conditioned on data fetched with invalid privileges. In October 2017, Kernel ASLR support on amd64 was added to NetBSD-current, making NetBSD the first totally open-source BSD system to support kernel address space layout randomization (KASLR).

The affected hardware and software vendors had been made aware of the issue on 28 July 2017. The fixes were made and information was kept quite well secret until the beginning of 2018.

Links to sources and more material:

Spectre and Meltdown

Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors.

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

https://www.cloudflare.com/learning/security/threats/meltdown-spectre/

https://www.epanorama.net/newepa/2018/01/03/kernel-memory-leaking-intel-processor-design-flaw/

https://www.uusiteknologia.fi/2018/01/04/suorittimissa-tietoturvaongelmia-myos-arm-suorittimissa/

7 Comments

  1. monkey mart says:

    This post is one that I find myself referring to very frequently, and it is only right that I acknowledge how much I value it. It is my firm belief that you will continue to provide products that are exceptional in comparison to the overall standard here.

    Reply
  2. Tomi Engdahl says:

    GhostRace CPU vulnerability threatens all major architectures — IBM and VU Amsterdam researchers detail new cross-platform speculative execution attack
    News
    By Christopher Harper published March 17, 2024
    Speculative execution exploits are used against modern CPUs to access passwords and other confidential data
    https://www.tomshardware.com/tech-industry/cyber-security/ghostrace-cpu-vulnerability-threatens-all-major-architectures-ibm-and-vu-amsterdam-researchers-detail-new-cross-platform-speculative-execution-attack

    On March 12, researchers from VUSec and IBM made a new form of speculative execution attack publicly known on Twitter, linking to a corresponding GhostRace disclosure paper hosted by VUSec. We’ll be discussing the full GhostRace disclosure document and its attached documentation in more detail below, but first, let’s take some time to clarify what a “speculative execution attack” even is.

    If you remember the scourge of Meltdown and Spectre, back in 2016, this is very much in the same category of major CPU security exploits. Spectre V1 was explicitly a speculative execution attack, even. Speculative execution in and of itself isn’t a bad thing— it’s actually a core function of modern CPUs, which allows CPU threads to more effectively share resources.

    The issue is, that speculative execution can also result in “race conditions”, where separate threads attempting to access shared resources create major security vulnerabilities by doing so in a poorly-synchronized matter. This exploit is focused on taking advantage of those scenarios, so it’s appropriately named GhostRace.

    Before making GhostRace public, the researchers informed major hardware vendors and the Linux kernel of the issue (in late 2023), since GhostRace applies to all major OSes and CPUs, even Arm. The notice given should hopefully have given vendors the time they needed to develop their fixes and workarounds, however, the researchers also included some tips for mitigating the issue in the public document. An early fix attempt by the Linux kernel seemed promising, but experiments done by the researchers proved the fix didn’t completely cover the vulnerability.

    For now, it seems Linux kernel devs are primarily concerned with performance, and don’t want to risk majorly crippling it with a rushed fix. We read that the proposed mitigation for Linux provided in the original documentation is tested as only having a roughly ~5% performance overhead in LMBench. No patching performance penalty is ever welcome, but perhaps a patiently developed fix can do better.

    No mitigations are provided in the document for other platforms. However, AMD points out that existing Spectre v1 mitigations should still apply to potential GhostRace exploits— and since vendors have already had to tackle that, it should only be a matter of time. AMD has acknowledged the issue, according to the public disclosure paper.

    Reply
  3. Tomi Engdahl says:

    New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data
    https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html

    Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

    The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*