Intel Serious CPU Bug Revealed, Security Patch Could Lead to Performance Drop (*** Update: Meltdown and Spectre Attacks Detailed ***)

Intel CPU: Core i7 7700K

Update (2018.01.04)

Meltdown and Spectre: Bugs in modern computers leak passwords and sensitive data.


Exploiting Out of Order Execution on modern CPUs.

Meltdown attack

The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack
is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to
read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR [8] has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leak-

Full whitepaper about Meltdown is available HERE.


Exploiting Speculative Execution on modern CPUs.

Spectre attack

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value
that is in the process of being read, CPUs will try guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or
commits the speculative computation. Speculative logic is unfaithful in how it executes, can access to the victim’s memory and registers, and can perform operations with
measurable side effects.

Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks,
and return-oriented programming that can read arbitrary memory from the victim’s process. More broadly, the paper shows that speculative execution implementations
violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization,
just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks represent a serious threat to actual systems, since vulnerable
speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices.

While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruc-
tion set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.

Full whitepaper about Spectre is available HERE.

Other interesting readings about these two major security breaches that affect all modern processors:

Intel Responds to Security Research Findings

Today’s CPU vulnerability: what you need to know

Reading privileged memory with a side-channel

An Update on AMD Processor Security

Researchers Discover Two Major Flaws in the World’s Computers

Avoid speculative indirect calls in Linux kernel -
 Linus reply

Looks like Intel is starting the new year on the wrong path: an hardware bug (due to a design flaw) is present in every modern Intel CPU (all Core / Xeon series from these last years). This CPU bug could allow users of a VM (virtual machine) to access data of another VM. Major cloud providers (Amazon, Google, Microsoft) as well as hosting services are directly affected by this CPU bug and have planned important updates of their servers in the upcoming days.

The CPU bug could let an attacker to access to the protected memory of the OS kernel. The security patch in development brings something called kernel page-table isolation or KPTI which involves a serious update of the operating system. The patch can lead to a performance drop up to 30%.

This bad news for Intel is a good news for AMD. According to Tom Lendacky, AMD CPUs are not affected by the types of attacks that the KPTI protects against:

AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Disabling KPTI patch for AMD CPUsDisabling KPTI patch for AMD CPUs…

Here is a collection of links about this story:

And to end up the news, this link: Intel’s CEO Just Sold a Lot of Stock (via). I don’t know if it’s related, but it’s a nice coincidence…