Full threat of Intel / AMD / ARM vulnerabilities coming clear
This is not a drill. The sky isn't falling yet, but two new attack vectors have been found and almost every processor made since 1995 is affected.
The Intel vulnerability reported yesterday has now grown ARMs and legs – as one method dubbed Spectre is claimed to affect almost all devices made in the last two decades. That includes desktops, laptops, smartphones and cloud computing environments – essentially where 99% of the world’s data is stored. It joins its fellow companion Meltdown – an easier to exploit attack which at the moment only appears to affect most Intel devices.
A 23 year old problem
To make processors faster – almost all designs today use something called speculative execution. This is something which first emerged in the Pentium series devices back in 1995.
Speculative execution counters the effect of the processor sitting idle while instructions are pulled from external memory. External memory accesses can take 200 CPU cycles whilst a fetch from the cache could be just one cycle. Instead of waiting, the processor ‘guesses’ what the next instruction might be, tries running it – and then when the real instruction comes along decides whether to keep the information it’s just created (the correct instruction was guessed) or throw it away if it got the answer wrong.
Meltdown and Spectre are two subtly different exploits which trick this speculative execution process. Very broadly:
Meltdown relates to a bug in the way Intel processors enforce memory protection for guessed instructions: the check on whether the guessed instruction is even allowed to run is not made until after it has run. Although the faulting instruction is eventually detected and the results cleared, it is still possible to leak the information gained through a side channel.
Spectre is a different type of exploit – and potentially impacts every performance processor built in the last couple of decades. It differs from Meltdown as it is about influencing the processor to incorrectly guess a sequence of instructions that would not otherwise be executed – executing these, and then again capturing the results through a side channel.
Side channels explained
Side channels are often used in cyber attacks. When you can’t see what’s going on behind the scenes, or directly read the outcome of your actions – it is often possible to deduce this outcome from secondary effects. Measuring a subtle change in power usage or noise level might tell you something. We once emptied an entire database of its credit card numbers in a blind SQL attack – encoding them as ones and zeroes returned as HTTP 200 OK or HTTP 500 Server Error status codes.
In the case of Meltdown and Spectre, measuring the time the instructions take to read data (i.e. whether the data is there in the cache or not) will tell you something about what the CPU did with the information even though it never actually returned a result.
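The following toy model is an added illustration, not code from the researchers or from any CPU vendor. It simulates the late permission check described above and shows why discarding the result is not enough: the cache footprint survives and shows up in read timings, whereas checking before the load leaves nothing to observe. The class, addresses and values are constructed for the example; the cycle costs are the 200 and 1 quoted earlier.

```python
# Toy model only: simulated cycles, no real hardware access, not an exploit.
MEM_CYCLES, CACHE_CYCLES = 200, 1        # article's figures: memory vs cache

class ToyCPU:
    def __init__(self, memory, protected, check_before_load):
        self.memory = memory             # address -> byte value
        self.protected = protected       # addresses user code may not read
        self.check_before_load = check_before_load
        self.cache = set()               # cache lines currently loaded
        self.register = None             # architectural (visible) result

    def timed_read(self, line):
        """Return the simulated cycles needed to read `line`, then cache it."""
        cycles = CACHE_CYCLES if line in self.cache else MEM_CYCLES
        self.cache.add(line)
        return cycles

    def speculative_read(self, addr):
        """Model 'load addr, then touch the line numbered by its value'."""
        allowed = addr not in self.protected
        if self.check_before_load and not allowed:
            return "fault"               # checked first: nothing runs, cache untouched
        value = self.memory[addr]        # guessed instruction runs before the check
        self.cache.add(("probe", value)) # dependent access leaves a cache footprint
        if not allowed:                  # permission check arrives late
            self.register = None         # the visible result is thrown away...
            return "fault"               # ...but self.cache is not rolled back
        self.register = value
        return "ok"

def observe(cpu, candidates=range(256)):
    """Return the probe lines that read at cache speed (the timing signal)."""
    return [v for v in candidates
            if cpu.timed_read(("probe", v)) == CACHE_CYCLES]

def run(check_before_load):
    memory = {0x10: 7, 0x20: 42}         # constructed sample; 0x20 is protected
    cpu = ToyCPU(memory, protected={0x20}, check_before_load=check_before_load)
    status = cpu.speculative_read(0x20)
    return status, cpu.register, observe(cpu)

if __name__ == "__main__":
    print("late check :", run(check_before_load=False))
    print("early check:", run(check_before_load=True))
```

In both runs the read faults and the register stays empty; only the timing of later reads differs between them.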
New attacks, new possibilities
Both attack vectors bring whole new possibilities to maliciously exploiting computer hardware. Hardware, we might add, that cannot be easily changed as there is no software update for what is physical silicon. The fix for Meltdown is in the works for most operating systems – but may come with a big performance caveat.
Spectre is a whole different kettle of fish and we may be at the tip of the proverbial iceberg with this one.