contact us see demo

The Kernel Page Tables Have Turned: Newly Discovered Hardware Vulnerability in Most CPUs: Spectre and Meltdown

by | Jan 5, 2018

The Kernel Page Tables Have Turned: Newly Discovered Hardware Vulnerability in Most CPUs: Spectre and Meltdown

Spectres of the Past and Future

Various researchers and Google’s Project Zero have discovered improved methods of side-channel cache timing attacks on processors that use speculative execution. Speculative execution is a performance optimization that occurs when a processor attempts to predict, sometimes inaccurately, which code paths should be run next. Most side effects of an incorrect prediction are properly cleaned up, with the exception of memory cache lines, which have now been proven can be manipulated to leak sensitive and privileged information. Based off of work originally presented at Blackhat 2016 by Anders Fogh and Daniel Gruss, cache based side-channel timing attacks have been known about for at least a year [1]. The introduction of these vulnerabilities creates an entirely new attack class, taking advantage of artifacts left behind after speculative execution.

Speculative Attack Vectors

As a result of highly detailed white papers and source code detailing these vulnerabilities, exploitation will not be restricted to a small subset of vulnerable targets. The sheer number of potentially vulnerable systems will make this a bug that will be seen in the wild for years. It is also cumbersome to protect against Meltdown, requiring kernel updates to implement a complex mitigation called Kernel Page Table Isolation, KPTI (based on KAISER) [2] for Windows, Mac OS X, and Linux. The related Spectre vulnerability is much harder to defend against, and has a limited number of mitigations, not robust fixes, so far. The only problem for attackers is that all initial attack vectors would require code execution of some type.

Figure 1: Proof of concept code is already becoming available. Demonstrating an arbitrary read from a protected memory region using Spectre.

A quick and easy way to get code running on someone else’s computer is via JavaScript. Spectre breaks the sandbox that web browsers normally run all sorts of untrusted, third party code in. It should be assumed this will be the hardest hit area for criminals looking to profit from these bugs. Malvertising works perfectly with this attack, as the author can choose to which sites he wishes to get credentials or credit cards. There are also known JavaScript proof of concepts for Rowhammer, a different hardware bug affecting certain types of memory, and it’s now feasible to look for good targets to bit flip.

Some stop-gap mitigations can be used for Firefox and Chrome in the meantime. In Chrome, you can enable per-tab process isolation, and in Firefox, you can disable high precision timers. This will mitigate the vulnerability until updates can be rolled out. The most complete solution will likely be hardware/firmware based and should be applied as soon as they are available.

The nature of this attack will also focus on targets with shared resources and multiple users, as they give the attacker a way to run code legitimately and contain target processes that might have secrets to spill on the same hardware. In particular, cloud based deployments like AWS and Microsoft Azure are environments that would be highly susceptible to this type of attack. Luckily, rolling updates for these services have already begun, making this vector less viable for larger cloud providers.

Conceivably, a review of older exploits that resulted in code execution can be revisited to see if it is possible to use Meltdown to expose kernel memory and/or bypass KASLR that could further the attacks. A few older exploits which were unable to bypass some of these kernel protections may be revisited in the near future. A bit of a moot point since the machines that have these older exploits are generally not maintained, but for an attacker, one shell is better than none.

To check the patch status of Windows hosts, use the official Microsoft tool found here.

This story is ongoing. Please check back for additional revelations and insights.

References:
[1]: http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
[2]: https://gruss.cc/files/kaiser.pdf

Risksense Careers

Looking for a new opportunity in the growing field of Cyber Risk Management?

View Now >

Prioritize Your Remediation Across a Growing Attack Surface

RiskSense

contact us at +1 505.217.9422

  • follow us