Slashdot Mirror


Google Says Almost All CPUs Since 1995 Vulnerable To 'Meltdown' And 'Spectre' Flaws (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995." Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents." Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server. The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team. These are the same bugs that have been reported earlier this week as affecting Intel CPUs. Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

10 of 269 comments

  1. Re:Almost All processors by Lothsahn · · Score: 5, Informative

    No. Spectre affects AMD and ARM as well (and likely other architectures too).

    Best I can tell, the only CPUs guaranteed not affected by both are in-order architectures, which many older ARM (and extremely old x86) chips are.

    These attacks are a sort of new category of security analysis--realizing that out of order execution can have side effects, and that programs can check for those side effects to leak program state and system memory.

    --
    -=Lothsahn=-
  2. Better link and description than story by xxxJonBoyxxx · · Score: 5, Informative

    https://meltdownattack.com/

    Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

    Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

  3. Re:Almost All processors by Excelcia · · Score: 5, Informative

    I just read the papers and it's actually a fascinating, and deceptively simple method. Out-of-order execution and execution prefetching cause a CPU to pre-execute instructions that are later on in the chain. If my program performs a divide-by-zero, which will cause an error when it happens, instruction pre-fetching and out of order execution have already in whole or part executed the instructions that happen after the error. So, you write your program to do this:

    Something legal
    Fork
    Child:
    Divide by Zero
    Read of illegal memory

    Parent:
    Wait for child to crash
    Read the prefetch cache to see what the out-of-order execution put in the cache when it read the illegal memory

    In case that's not clear, a program forks. The child process induces an error, but after the error it has an instruction which would not normally be allowed, such as reading a portion of memory it wouldn't normally be able to. Out of order execution will already have begun performing the instruction, and because it doesn't have as rigorous controls on it, it actually reads the memory into the cache. This wouldn't be an issue, except there are ways to determine what a prefetch instruction resulted in. So the parent process waits for the child to crash and then it uses those instructions to determine the results of the prefetch which means you have just bypassed memory protection.

  4. Re:Almost All processors by Excelcia · · Score: 5, Informative

    Please read the article. From it:

    Google says that they've tested and verified Spectre against Intel, AMD, and ARM processors, and the attack affects desktops, laptops, cloud servers, and smartphones. The attack is also believed to affect almost all CPUs released in recent years.

    Meltdown uses out-of-order execution and a side channel attack that is unique to Intel. Spectre uses speculative execution and is more generalized, with tested proof-of-concept attack code on AMD and ARM.

  5. Re:Almost All processors by AHuxley · · Score: 4, Insightful

    Re but one should at least entertain the possibility that it was.
    A hardware version of PRISM? https://en.wikipedia.org/wiki/...
    Room 641A Inside https://en.wikipedia.org/wiki/... most computers?
    It was interesting how much of the NSA ANT catalog https://en.wikipedia.org/wiki/... connected to a computer rather than was able to work internally on a CPU as shipped?
    Is the world missing the other part of the CPU catalog that's still doing collect it all missions?

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:Almost All processors by ilguido · · Score: 5, Interesting

    Meltdown is the real problem here and that affects only all Intel CPUs since 1995 (except for Itanium and pre-2013 Atom) and one [sic!] ARM chip (I think Cortex-A75).

    Spectre is linked to two vulnerabilities: the first one is difficult to exploit and solvable via software, the second one is very difficult to exploit. Spectre allows reading memory from the same process, so it is an issue only for JIT and VM code. Meltdown allows reading memory everywhere.
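
    The comment above says the bounds-check variant of Spectre is "solvable via software". The following C program is an added example, not code from any commenter or from the Meltdown/Spectre papers: it places the textbook bounds-checked lookup beside the branchless index-masking pattern in the style of the Linux kernel's array_index_mask_nospec(), so a speculatively executed load can only ever touch table[0]. The names table, read_checked, read_masked and index_mask_nospec, and the table contents, are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed public lookup table; the point is the index handling, not the data. */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* The textbook bounds check. Architecturally correct, but the CPU may predict
 * the branch as taken and speculatively load table[index] for an out-of-range
 * index before the comparison resolves; that transient load is what Spectre
 * variant 1 turns into a cache side channel. */
uint8_t read_checked(size_t index) {
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Branchless mask in the style of Linux's array_index_mask_nospec():
 * all ones when index < size, zero otherwise. No conditional branch is
 * involved, so the mask is still correct on a mispredicted path.
 * (index | (size - 1 - index)) has its top bit set exactly when
 * index >= size, because size - 1 - index wraps to a huge value then. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t top_bit = sizeof(size_t) * 8 - 1;
    size_t out_of_bounds = ((index | (size - 1 - index)) >> top_bit) & 1;
    return out_of_bounds - 1;   /* 0 - 1 wraps to all ones when in bounds */
}

/* Hardened read: keep the architectural check, then clamp the index with the
 * mask so that a speculatively executed load can only touch table[0].
 * The kernel hides the mask from the optimiser with a barrier; here a volatile
 * copy stops the compiler from "proving" the mask redundant after the check. */
uint8_t read_masked(size_t index) {
    if (index >= TABLE_SIZE)
        return 0;
    volatile size_t unknown_to_compiler = index;
    size_t mask = index_mask_nospec(unknown_to_compiler, TABLE_SIZE);
    return table[index & mask];
}

int main(void) {
    printf("mask(3,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(3, TABLE_SIZE), index_mask_nospec(16, TABLE_SIZE));
    printf("read_masked(3)=%u read_masked(100)=%u\n",
           read_masked(3), read_masked(100));
    return 0;
}
```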

  7. Vulnerability comes down to race condition by JoeyRox · · Score: 4, Informative
    I read through Google's Meltdown paper (https://meltdownattack.com/meltdown.pdf). While there are several cumulative vulnerabilities that make this exploit possible, the most important of which is kernel address-space discovery via speculative data accesses which leave DCACHE lines in their wake, the root vulnerability of actually being able to read the contents of data comes down to an exception race condition. From the document:

    ; rcx = kernel address
    ; rbx = probe array
    retry:
    mov al, byte [rcx]
    shl rax, 0xc
    jz retry
    mov rbx, qword [rbx + rax]

    Listing 2: The core instruction sequence of Meltdown. An inaccessible kernel address is moved to a register, raising an exception. The subsequent instructions are already executed out of order before the exception is raised, leaking the content of the kernel address through the indirect memory access.
    ...
    When the uOPs finish their execution, they retire in order, and, thus, their results are committed to the architectural state. During the retirement, any interrupts and exceptions that occurred during the execution of the instruction are handled. Thus, if the MOV instruction that loads the kernel address is retired, the exception is registered and the pipeline is flushed to eliminate all results of subsequent instructions which were executed out of order. However, there is a race condition between raising this exception and our attack step 2 which we describe below.

    And why AMD and ARM may not be vulnerable to Meltdown:

    6.4 Limitations on ARM and AMD
    We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD. The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed. For instance, a more shallow out-of-order execution pipeline could tip the race condition against the data leakage. Similarly, if the processor lacks certain features, e.g., no re-order buffer, our current implementation might not be able to leak data. However, for both ARM and AMD, the toy example as described in Section 3 works reliably, indicating that out-of-order execution generally occurs and instructions past illegal memory accesses are also performed.

  8. Re:Almost All processors by blind+biker · · Score: 4, Interesting

    No. Spectre affects AMD and ARM as well (and likely other architectures too).

    Best I can tell, the only CPUs guaranteed not affected by both are in-order architectures, which many older ARM (and extremely old x86) chips are.

    These attacks are a sort of new category of security analysis--realizing that out of order execution can have side effects, and that programs can check for those side effects to leak program state and system memory.

    Spectre is a red herring - there is no known way it can be exploited. Meltdown is far more dangerous and it can be exploited RIGHT NOW with a simple Javascript executed in a browser. Researchers demonstrated a Javascript exploit that uses Meltdown - and there is no telling who has already been compromised. But one thing is sure: non-Intel users have not been compromised.

    Frankly, this whole hoopla about Spectre seems like a well orchestrated deflection stunt by Intel PR operations. And your post smells a bit of sockpuppetry.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  9. Re:Almost All processors by sl3xd · · Score: 5, Informative

    Frankly, this whole hoopla about Spectre seems like a well orchestrated deflection stunt by Intel PR operations.

    I'd caution against a false sense of security, based on one's choice of processor for your personal desktop.

    There's no disagreement that "Meltdown" is the greater problem, and affects pretty much any Intel chip still functioning. It's important to remember that it's virtually guaranteed that you connect to many servers that use an affected processor every day. Those of us who maintain cloud infrastructures are particularly unhappy with the situation.

    The fact that Meltdown is worse shouldn't distract from the fact that Spectre is bad.

    The paper on Spectre is written by a number of people working for a number of organizations, but Intel isn't one of them. It has the following statement:

    We have also verified the attack’s applicability to AMD Ryzen CPUs. Finally, we have also successfully mounted Spectre attacks on several Samsung and Qualcomm processors (which use an ARM architecture) found in popular mobile phones

    They go on to state they've verified the weakness on x86 using C and JavaScript (+ Google V8 JIT) bytecode.

    Much like JavaScript cryptocurrency mining, the fact that something is hard doesn't mean it's not worth doing to those interested, and having browser-based JavaScript exposing data isn't a good thing.

    Meltdown can be fixed fairly easily (AMD certainly shows it's possible to avoid the problem). Spectre, however, will be with us for a long time.

    --
    -- Sometimes you have to turn the lights off in order to see.
  10. Re:Almost All processors by silverdirk · · Score: 4, Informative

    The attack checks which rows of cache got evicted by reading across a large array, requesting behavior by another process, and then re-reading the array, timing how long each read takes. Each iteration of the attack reveals a byte of memory by identifying which cache row it affected.

    --
    Mark of the Coder fades from you. You perform Opening on World of Warcraft. Warcraft crits GPA for 4. GPA dies.