Meltdown and Spectre Leave Every CPU Vulnerable to Attack

2017 was a bad year for online security. The rise of ransomware dominated the early part of the year, while data breaches (including the infamous Equifax hack) continued unabated.

Toward the tail end of the year, rumors started spreading of a huge security flaw with Intel CPUs. Just as the sun rose on 2018, researchers unleashed a flood of information on two new exploits: Meltdown and Spectre. Both affect the CPU.

Meltdown primarily affects Intel processors and is (relatively) easy to patch. To add fuel to the fire, Intel's response to the flaw has drawn sharp criticism from the security industry. Spectre has the potential to affect almost every modern processor across all manufacturers and will be the more challenging of the two exploits in the long term. However, to get a sense of how severe these two flaws are, and how they affect you, we first need to take a look at how a CPU works.

Inside the CPU

The Core Processing Unit (CPU) is one of the most critical parts of your computer and is often referred to as the brain of the operation. The CPU takes instructions from your RAM, decodes them, and then finally performs the requested action. This is known as the Fetch-Decode-Execute cycle, and is the backbone of all CPUs.

In theory, this operation is always predictable with the RAM passing all instructions in sequence to the CPU for execution. However, real-world CPUs are more complex than this, often processing multiple instructions simultaneously. As CPUs have got faster, the main bottleneck is the data transfer speed between the RAM and CPU.

In order to boost performance, many CPUs will perform out-of-order execution when an instruction hasn't yet been loaded from the RAM. If the code branches though, the CPU has to make a best guess as to which branch to follow, which is known as branch prediction. The CPU can then take this one step further and begin speculatively executing the predicted code.

Once the missing instructions are loaded, the CPU can unwind any predictive or speculative action as if it had never happened. However, both Meltdown and Spectre use these mechanisms in order expose sensitive data.

Intel's Meltdown

Meltdown is currently the more contentious of the two exploits, and affects only Intel processors (although some reports suggest AMD processors may also be vulnerable). The kernel is the core of your computer's operating system and has complete control over the system. As it has such comprehensive control, access to your system's kernel is limited.

However, Intel's implementation of speculative execution allows for preemptive access to the kernel, before performing an access check. Once the check is complete, the speculative access is blocked, but this brief period is enough to reveal data mapped in the kernel. This data could range from application data to passwords and encryption keys. The exploit is applicable to almost every Intel processor on nearly all operating systems including Linux, macOS, Windows, virtualization environments like VMware, and even cloud computing servers like Windows Azure and Amazon Web Services (AWS).

The exploit was initially found by Google's Project Zero in mid-2017 and independently reported by another two research groups. All had disclosed the vulnerability to the relevant developers and hardware manufacturers, prior to its publication. This meant that by the time the exploit became public knowledge AWS, Windows, macOS, and Linux had all received updates to prevent this attack.

Prevention is by implementing "kernel page table isolation" which makes it harder to access the kernel. However, this also means that operations will be slower and early reports suggest there may be between a decrease in performance of between 5 and 30 percent following the updates.

Inside Spectre

Most of the media attention has focused on the performance impacts resulting from patching Meltdown. However, Spectre is arguably the more damaging of the two exploits.

Spectre doesn't just affect Intel CPUs -- it affects almost every processor from Intel, AMD, and ARM in every type of device. Where Meltdown requires a rogue application to read the kernel memory, Spectre abuses speculative execution to force other applications to leak their protected data. The researchers were able to perform the attack both with native code and Javascript. The Javascript approach means that browser sandboxing can be bypassed, allowing Spectre to be launched directly from your browser.

This attack is harder to pull off, but is also harder to protect against. The researchers even named the exploit Spectre "as it is not easy to fix, [and] it will haunt us for quite some time." Software patches will be able to mitigate some variations of Spectre, but it primarily a hardware related issue. The U.S.-based CERT division of the Software Engineering Institute (SEI) even issued a Vulnerability Note, stating that the solution is to "replace vulnerable CPU hardware."

The Aftermath

Barely a day goes by without a new security flaw, bug, or data breach being unearthed. Some are undoubtedly more critical than others, and Meltdown and Spectre fall into that category. The impact of these exploits is widespread, but the likelihood of experiencing one of these attacks is fairly remote. This is especially true as no one has been able to find evidence that these they have been used before.

What has made these two exploits so widely reported is the vendor's response to them -- Intel in particular. While Microsoft, Amazon, and the Linux community were frantically creating patches to mitigate the exploits, Intel went on the defensive.

Their initial statement in response to Meltdown and Spectre downplayed their severity and attempted to absolve the company of any responsibility. To the ire of many, they said the "exploits do not have the potential to corrupt, modify or delete data" as if the ability to read sensitive data was not of any importance. After their substantial data breach, Equifax took a similar image-defending position. This ultimately resulted in them appearing in front of Congress.

Intel was similarly punished for their approach, with their stock dropping 3.5 percent. Intel's chief executive Brian Krzanich may also have taken another leaf from Equifax's book. He reportedly sold $25 million worth of Intel stock after learning of the exploits in November 2017.

Most of the attention has been focused on Intel, but other chip makers have made their positions known too. AMD claims that their processors are not affected by either exploit. Meanwhile ARM took a mixed approach, suggesting that most of their processors were not affected, but providing a detailed list of those that are.

Much Ado About Nothing?

If these exploits were found to be used by malicious parties then the damage would be severe. Fortunately, just like Heartbleed before, these potentially dangerous attacks haven't been seen in the wild. They also require malicious software to be installed on your computer in order to execute the attacks. So unless you have a very specific set of circumstances, as a home user, you are unlikely to be affected. However, it's not worth taking the risk.

As vendors, manufacturers, and developers push out updates to mitigate the exploits, you should install them. It wouldn't hurt to maintain good cyber hygiene either.

Cloud providers are the most vulnerable to attack, because the potential payoff is far greater. With so much data stored on the cloud, attackers have an incentive to attempt these exploits on cloud servers. It's a positive sign that some of the major providers have already issued patches.

However, it does make you wonder just how secure cloud computing really is. While Intel's response to the exploits is disappointing, the complexity of the patches and speed at which they were deployed by multiple vendors is commendable and reassuring.

Are you worried by Meltdown and Spectre? Do you think the trade-off between speed and security is acceptable? Who do you think is responsible for the fixes? Let us known in the comments!