VP, Research and Development
Michael Belton is the vice president of research and development for Optiv's advisory services team.
Regarding Spectre and Meltdown
On January 3, 2018, the Graz University of Technology released their papers on identified vulnerabilities dubbed “Meltdown” and “Spectre” via the website https://meltdownattack.com. The papers describe critical vulnerabilities, rooted in hardware bugs in modern processors, that allow programs to steal data currently being processed on the computer. These exploits affect desktop, laptop, cloud computing and smartphone platforms.
At Optiv I am asked to offer strategies across a wide range of security challenges. The following are my responses to the most common questions I’ve received from clients regarding the Spectre and Meltdown exploits. Of note, perhaps the best technical analysis of the core issues was written by Google’s Project Zero team. The answers below are intended as part of a more general discussion.
1. Can the Spectre and Meltdown flaws be fixed/repaired via vendor patches?
In a word, no. The issue presented in the technical whitepapers involves the way an affected microprocessor operates. At its core, the security issue is the discovery that the affected processors do not enforce isolation between user applications and the operating system. For software that performs security functions, the flaws can be exploited to leak sensitive data processed by the operating system's kernel.
To better understand the issue, it is helpful to discuss some essential concepts related to microprocessor and operating system design. A microprocessor implements a computer as an instruction set. The instruction set defines the computer and how it will process data sent to it by software. Spectre and Meltdown demonstrate security issues in the way an affected processor handles data related to conditional statements in the software. A conditional statement with two branches would be, “If this is true do x, otherwise do y.”
In an effort to make processors more efficient and decrease the amount of time required to process a conditional statement, many processors implement ‘speculative execution.’ In practice, speculative execution allows a processor to predict the outcome of any conditional statement based on previous outcomes. To do this, the processor uses a cache and a Branch History Buffer (BHB). If the processor is correct, the block of code will have already been executed. If the processor is wrong, it rolls back execution and follows the correct branch. The rollback process does not include the cache and the BHB. Spectre and Meltdown abuse these mechanisms.
Since the Spectre and Meltdown issues are related to the instruction set implemented in hardware, ‘patching’ them is not possible in the strictest sense. This is why certain entities have declared that the only solution is to remove the affected chip. That said, operating systems can mitigate risk related to these issues in their kernels. From the perspective of an end user running applications, the kernel has the highest level of security privilege. The kernel can act as a type of gatekeeper between applications and the processor. In this sense, a kernel can be patched to limit interactions with the processor. Depending on the patch, the processor might not be able to perform speculative execution. This is why there are warnings about performance degradation after patching.
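The kernel-level mitigation described above can be checked on a Linux system, where the kernel reports its own status for Meltdown and the two Spectre variants as one-line files in sysfs. The following script is an added example, not part of the original article; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): read the Linux kernel's own
# report of its Meltdown/Spectre mitigations from sysfs.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # empty or unrecognised text
    esac
}

# report_speculation [DIR] -> one line per issue; returns 1 unless every
# issue is reported as mitigated or not affected.
report_speculation() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        raw=""
        # A missing file means the kernel predates this reporting interface.
        if [ -r "$dir/$name" ]; then
            raw=$(head -n 1 "$dir/$name")
        fi
        verdict=$(classify_status "$raw")
        printf '%-11s %-13s %s\n' "$name" "$verdict" "${raw:-<no status file>}"
        case "$verdict" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample directory (status text written for this example, not
# captured from a real host) so the script runs on any system.
sample=$(mktemp -d)
echo 'Mitigation: PTI' > "$sample/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$sample/spectre_v1"
echo 'Vulnerable' > "$sample/spectre_v2"
report_speculation "$sample" || echo "result: at least one issue has no reported mitigation"
rm -rf "$sample"
```

On a Linux host, calling report_speculation with no argument reads the live files under /sys; the non-zero return value makes it usable as a compliance check in a vulnerability management job.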
2. Is a successful patch for Spectre any harder or easier than Meltdown? Why?
At a very high level, the Spectre attack whitepaper identifies two exploits. The Meltdown paper identifies one. In practical terms, this means Spectre is harder to patch than Meltdown. Additionally, if an appropriate mitigation can be found for the Spectre exploits, that solution will mitigate risk related to the Meltdown exploit. Finally, the complexity of the Spectre attacks increases the difficulty of any patching effort.
3. Why might a patch for either Spectre or Meltdown be incomplete?
The core mechanisms being exploited exist in silicon and are many layers away from the operating system’s kernel. An adversary with physical access to the affected target will be able to exploit these issues. Likewise, there are likely undiscovered or undisclosed exploits related to the flaws in the affected processors.
Understanding the problem is a critical step towards understanding the impact these vulnerabilities pose to your business. While it is true that the problems exist in the processor hardware, many vendors have created patches that mitigate risk in a majority of the threat scenarios. Security researchers have identified exploitable conditions in common CPUs before, and this won’t be the last. As with any other vulnerability, Optiv recommends that organizations implement a robust vulnerability management program that includes some type of threat intelligence component. An awareness and response capability that is both predictable and repeatable greatly increases an organization’s confidence and security over a long period of time.