Y2K of Recent Times – Meltdown and Spectre Vulnerabilities Revisited

by | Dec 21, 2018

User security is of paramount importance in this era of cyber connectivity.

We are all used to these machines connected to each other via the invisible web called internet, through which we exchange files, carry out financial transactions, share personal memories and such.

Having someone taking advantage of a loophole in this system of interconnected devices does sound scary.

It means we can no longer trust the establishment called world wide web and this can cause serious implications to our day to day life.

Security vulnerabilities have been there in the past, will continue to haunt us in the future as well with the advent of more and more sophisticated technologies.

We have many good samaritans around us trying to keep the internet secure by identifying and weeding out these bugs on a day to day basis.

In this article, we’d like to share you with an interesting large-scale vulnerability which took the world last year by surprise, namely the Meltdown and Spectre.

Detailing these security vulnerabilities in layman’s terms is a herculean task as we have to deal with a lot of intricate low-level details about how computer processors work.

We at Bettershark, hope to make our readers feel at home with easy to understand narrations of these otherwise complicated subject.

Rest assured, this topic will be very interesting for those who wonder about computers and its working.

We ourselves enjoyed researching on this topic extensively and learned a lot from the process, which we are happy to share with you guys.

Grab a cup of coffee, relax and read through the article to get first-hand knowledge about one of the biggest vulnerabilities, the modern day IT infrastructure has ever faced.

History

The research on microprocessor architecture started as early as the introduction of the same into the commercial market.

The first vulnerability research paper on Intel 8086 series architecture was presented way back in 1995 at an IEEE symposium.

Long before that, NSA, the United State’s national security agency had started work along the same line under its TPEP (Trusted Products Evaluation Program).

The efforts continued with the research on upcoming processor models and there were many vulnerabilities traced and fixed over time.

Years later, in 2017, a group of independent researchers including those from the Google project zero members discovered the meltdown vulnerability.

Upon further probing, they found out another variation of the same and named it as spectre.

This was a pretty big news as it had the potential to affect almost all computing systems on this planet, as it was a fundamental flaw in the architecture of the single most important component of a computer – the processor.

Background study

Meltdown and Spectre are the two hardware-based vulnerabilities affecting microprocessors, taking advantage of a performance enhancement measures that were implemented on these chips.

Being vulnerabilities based on processors, which is the single most important component in a computing system, mitigation was so hard and is still unpatched at large, making it one of the biggest worries in the modern day computing history after Y2K.

Both of these vulnerabilities basically steals data from the computers that shouldn’t be available for the outside world in the normal case.

These data can be passwords, credit card details and even personal photos.

Since it’s a vulnerability arising due to the underlying fundamental processor architecture, meltdown and spectre affects devices of all sizes and shapes, including but not limited to computers, laptops and smartphones.

The scary part of this security loophole is that even the cloud architecture isn’t spared.

This means a remote attacker can use specially crafted scripts to execute such attacks and steal data of millions and billions of users hosted in those virtual servers.

Security exceptions arising from hardware vulnerabilities such as meltdown and spectre isn’t dependent on the operating system that runs on the particular hardware, thus making it a universal security problem across multiple platforms.

Meltdown and Spectre vulnerability in a nutshell

Before getting into the details of how these things work, let’s relax a bit with the simple explanation of what these vulnerabilities in reality are.

Meltdown and Spectre are the variations of the same attack vector affecting microprocessors in general.

meltdown and spectre

Meltdown and Spectre Vulnerabilities Revisited

Meltdown allows a hacker to pull secretive data from the operating system by manipulating a program running on the same.

Spectre, in comparison, tricks a program to pull secretive data from another program running on the same operating system simultaneously.

Now let’s go a bit in depth to understand how these things work on the bit level. Fret not, this is just going to be fine!

Memory Isolation

Memory isolation is one of the most fundamental aspects of the security of a computer program or an operating system.

There are two types of process spaces within the operating system – a user space and a kernel space.

User space access is universal and all the apps that you run on the computer can access the data on the user space without any inhibitions.

The user space contains the basic set of informations necessary for the program to run as advertised.

Kernel space is a bit more obscure and deals with highly sensitive data which isn’t and shouldn’t be accessed by an application.

Only apps with trusted privileges such as administrative rights have access to the kernel space and even then, it’s somewhat restricted.

All the sensitive data lies within the kernel space and isn’t visible to the apps running on the operating system by any means.

A single supervisor bit on the microprocessor defines the access to this kernel space.

In simple terms, when a program requests access to the data from kernel space, the microprocessor looks up to this bit to confirm whether the request is to be granted or not.

Out of order execution

Out of order execution is, in reality, a very helpful process that helps in improving the performance of the processor.

Ironic enough, this out of order execution can be termed as the single most significant reason for the meltdown and spectre vulnerability.

So what is this out of order execution?

The memory fetch units on the microprocessor while running an application waits for data from memory to reach it, which is then fed into the processor to take appropriate steps afterwards.

Certain programs run multiple process branches since it might have to do different functions at once.

While running such programs, the processors featuring multiple cores doesn’t sit idle.

Instead, it predicts and schedules the actions to be performed by the program in advance so that once the data reaches the fetch unit, it can start working on that instantaneously.

While doing so, the processor kind of forgets to look up the supervisor bit to check the user privileges whether the program has the clearance for accessing the kernel space data.

99% of the time, these programs runs legit without bothering to access the kernel data, everything runs as normal.

But with certain modifications, a hacker can modify the program to access the kernel space and extract the information, before the actual data reaches the memory fetch units, leading to a security breakage in the process.

Speculative allocation

Speculative allocation is a byproduct of the out of order execution algorithm.

The preset logic that forces the microprocessor to speculate the upcoming processes of a program makes it run the program even before the actual data arrives, enabling those programs with restricted access to the kernel space find a way through it.

 Address space

Address space is a set of pages with a specific memory location tag that can be identified by a program or by the operating system itself.

The data stored in these pages can be accessed or called by a program by knowing the particular address of this space.

Address spaces are mapped to the physical memory by a tool called translation table. It is this translation table which maps protection properties for privilege checks.

The data in these address spaces might be of both user and kernel type. In order to prevent hackers from guessing the address spaces for a particular set of data, ASLR (Address Space Layout Randomization) is being used.

This technique ensures that the translation tables reset after each instance of application usage and never looks the same, twice.

Cache

Cache is an SRAM (Static Random Access Memory) which acts as a secondary memory allocation for storing frequently used set of instructions by the processor, to access faster than from the RAM.

The translation tables that we earlier discussed are stored in the cache for faster and easy retrieval by the processor.

By running a specialized set of instructions, this cache can be flushed out, revealing the memory address spaces for kernel data, which can then be used by malicious hackers for exploiting the meltdown and spectre vulnerabilities.

Controversies related to Meltdown and Spectre

There were certain rumours about Intel processors being more susceptible to these vulnerabilities than AMD chips.

Intel countered the argument by confirming that every chip manufacturer in the world does indeed face the threat caused by meltdown and spectre including but not limited to AMD and ARM.

AMD denied this and said that their chips are relatively safe due to the different paging architecture followed by the company in the design of its microprocessors.

How dangerous are these vulnerabilities?

It will be hard to digest knowing that spectre vulnerability can be triggered by a javascript code embedded on a webpage to trick the browser to reveal the sensitive information like usernames and passwords.

Meltdown can be used to extract data from even cloud-hosted servers online.

And, the meanest part is that if unpatched, these vulnerabilities affect almost all the computers on this planet.

Remedies and security patches

Meltdown can be patched with software updates and most of the major chip manufacturers have already pushed software updates to the same.

Spectre on the other end remains unpatched and the only bit of relief that we can have is that as hard as it is to mitigate, it is hard to exploit as well.

After the remedial patches are applied, the computers and other devices are seen performing 5-10% slower than before.

This is because as a part of remedial measures, companies have removed out of order execution process, that slows down the processor from executing programs faster.

What next?

Security vulnerabilities like Spectre and Meltdown can be exploited by black hat hackers and the chip manufacturers need to find an immediate solution.

We should expect these attacks in the coming future and hope we are well prepared to mitigate the problems as fast as we can.

Conclusion

That’s Spectre and Meltdown vulnerabilities detailed to you in its core essence. We hope you got a rough idea about this topic and if not, we wish we had.

If you liked the article and want to see more such explainer topics on our website, do let us know in the comment section below. Wherever you are, whatever you do, have a blast and thanks for your time!

Featured image courtesy: CT Networks Blog