Research teams at Google and several universities have finally disclosed the two hardware bugs in modern CPUs that they discovered last year. According to the findings, these bugs can allow malicious programs to steal passwords and other sensitive data from the device's protected memory. Since this affects desktops, laptops, cloud servers and even smartphones, your exposure is certain. Let's find out which one specifically affects you and how to fix it.
Meltdown
This bug literally 'melts down' the security boundaries that the hardware enforces between user applications and the operating system. Malicious programs use the Meltdown attack to defeat memory isolation and read system (kernel) memory. As of now, only Intel processors that use dynamic (out-of-order) execution are potentially affected by this bug; that covers every Intel processor since 1995, except Intel Itanium and Intel Atom before 2013.
So if your device runs on a vulnerable processor with an unpatched OS, it is not safe to work with sensitive data on it. However, software patches called Kernel Page-Table Isolation (KPTI), also known as KAISER, are now available as short-term relief for this bug. Visit your software or hardware vendor's website for more information.
Spectre
This bug exploits processors that use branch prediction and speculative execution to maximize performance. Spectre induces the victim's processor to speculatively perform operations that would not occur during correct program execution. In this way, one process can read arbitrary memory and register contents belonging to another (victim) process. Even software-level isolation fails under speculative execution, and stop-gap countermeasures will only provide short-term relief.
As of now, almost every system that uses Intel, AMD or ARM processors is affected. A proper fix requires rework at the hardware and instruction set architecture level, which will take years to accomplish. Fortunately, Spectre is hard to execute and needs a high level of knowledge about the target processor.
Google has classified the two bugs into three variants, where variants 1 and 2 are Spectre and variant 3 is Meltdown. Although Google has published the exploits, it is not yet known whether these have already been used in the wild.
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
Updates & Performance Degradation
Patches for Meltdown have already been deployed by various vendors. However, these updates are expected to degrade the performance of affected processors to some extent. Some vendors have even claimed that they can fix both bugs permanently with microcode updates. Reportedly there was no performance degradation in desktop environments, but enterprise-level applications suffered some slowdown. There have been no reports of user backlash over the fixes that Google and Microsoft applied to their cloud infrastructure. Updates are also being provided for web browsers, namely Chrome, Firefox, Microsoft Edge and Safari, since attackers can exploit the flaws through them.
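Once the updates are in, the kernel itself reports whether each variant is mitigated. The script below is an added example (not from the original article): it reads the per-variant status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/, and falls back to a constructed snapshot of that layout so it also runs on a machine without the interface.

```shell
#!/bin/sh
# Added check (not from the original article): read the Linux kernel's own
# mitigation report for the three variants. Linux 4.15+ exposes one file per
# variant under /sys/devices/system/cpu/vulnerabilities/.

# Classify one sysfs entry; prints mitigated, notaffected, vulnerable or unknown.
classify_entry() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        Mitigation:*)   echo mitigated ;;
        "Not affected") echo notaffected ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# Print one line per variant from directory $1 and return how many the kernel
# still reports as Vulnerable (0 means every variant is mitigated or N/A).
check_variants() {
    vdir=$1; vulnerable_count=0
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name=${entry%%:*}; cve=${entry#*:}
        state=$(classify_entry "$vdir/$name")
        printf '%-10s (%s): %s\n' "$name" "$cve" "$state"
        if [ "$state" = vulnerable ]; then
            vulnerable_count=$((vulnerable_count + 1))
        fi
    done
    return "$vulnerable_count"
}

# Constructed snapshot (not captured from a real machine), modelled on the strings
# a 4.15-era kernel prints for a host with KPTI but no retpoline-enabled build.
make_sample_snapshot() {
    snap=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$snap/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$snap/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$snap/spectre_v2"
    echo "$snap"
}

# Use the live sysfs directory when present, otherwise the constructed snapshot.
SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities
if [ -d "$SYSFS_DIR" ]; then TARGET=$SYSFS_DIR; else TARGET=$(make_sample_snapshot); fi
rc=0; check_variants "$TARGET" || rc=$?
if [ "$rc" -eq 0 ]; then echo "no variant reported Vulnerable"
else echo "$rc variant(s) still reported Vulnerable; apply vendor updates"; fi
[ "$TARGET" = "$SYSFS_DIR" ] || rm -rf "$TARGET"
```

A "Vulnerable" entry for spectre_v2 with KPTI present is the common picture on an early-patched host: Meltdown is handled by the kernel update, while variant 2 additionally needs the microcode and compiler (retpoline) work the article mentions.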
We have explained the bugs in our own words and left the technical details out of this article. You can read more about the research findings at Project Zero and the Google Security Blog. Here are the responses from various vendors: Intel, AMD, ARM, Nvidia, Microsoft, and Apple. Hope the article was informative, Peace!