
Archive for the ‘Security’ Category

Meltdown and Spectre vulnerability, all about, and references for patching Windows OS & SQL Server

February 23, 2018

Meltdown and Spectre are hardware vulnerabilities in modern computers that leak passwords and other sensitive data. They affect nearly all modern operating systems (Windows, Linux, etc.) and processors (Intel, AMD, ARM, etc.), and they allow programs to steal data that is currently being processed on the computer, such as passwords, personal photos, emails, instant messages and even business-critical documents.

On 4th January 2018, three vulnerabilities affecting many modern processors were publicly disclosed by Google’s Project Zero:

1. CVE-2017-5715 (Spectre, branch target injection) – Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

2. CVE-2017-5753 (Spectre, bounds check bypass) – Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

3. CVE-2017-5754 (Meltdown, rogue data cache load) – Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Tech giants such as Apple, Alphabet and Intel identified these vulnerabilities. Apple kept mum for a while, and Intel decided not to inform US-CERT (United States Computer Emergency Readiness Team) upon learning about Meltdown and Spectre, since hackers had not yet taken advantage of the flaws. It was only Google who disclosed the information to Intel, AMD and ARM Holdings, back in June 2017.



What’s the vulnerability all about?

Chip manufacturers around the world build optimizations into their hardware to make it run faster, and some of those optimizations turn out to be flawed. The two main techniques used to speed up processors are caching and speculative execution. If exploited, they can give hackers and malicious/rogue programs access to data that was considered totally protected. The attacks against these two techniques are dubbed Meltdown and Spectre respectively, and both are explained below.


What is Meltdown?

The vulnerability basically melts the security boundaries that are normally enforced by the hardware. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can read system memory or the cache.

Meltdown is a novel attack that overcomes memory isolation completely by providing a simple way for any user process to read the entire kernel memory of the machine it executes on, including all physical memory mapped in the kernel region. Meltdown does not exploit any software vulnerability, i.e., it works on all major operating systems. Instead, Meltdown exploits side-channel information available on most modern processors, e.g., modern Intel microarchitectures since 2010 and potentially CPUs of other vendors.

It is a software-based side-channel attack that exploits out-of-order execution on modern processors to read arbitrary kernel and physical memory locations from an unprivileged user-space program. Without requiring any software vulnerability, and independent of the operating system, Meltdown enables an adversary to read sensitive data of other processes or of virtual machines in the cloud at up to 503 KB/s, affecting millions of devices.

What is Spectre?

The root cause of this vulnerability is speculative execution. Because that is not easy to fix, it will haunt us for quite some time. Spectre tricks other applications into accessing arbitrary locations in their own memory.

Speculative execution is a technique used by high-speed processors to increase performance by guessing likely future execution paths and prematurely executing the instructions on them. For example, when the program’s control flow depends on an uncached value located in physical memory, it may take several hundred clock cycles before the value becomes known. Rather than wasting these cycles by idling, the processor guesses the direction of control flow, saves a checkpoint of its register state, and proceeds to speculatively execute the program on the guessed path. When the value eventually arrives from memory, the processor checks the correctness of its initial guess. If the guess was wrong, the processor discards the (incorrect) speculative execution by reverting the register state to the stored checkpoint, resulting in performance comparable to idling. If the guess was correct, however, the speculative execution results are committed, yielding a significant performance gain. The catch is that the roll-back restores registers but not the cache: whatever the discarded path loaded stays cached, and that is the side channel Spectre measures.
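As an added example (not code from the original post or from any of the vendors linked below), here is the code pattern that the Spectre bounds check bypass (CVE-2017-5753) abuses, placed next to the two usual mitigations: branchless index masking, which is the idea behind Linux’s array_index_nospec, and a speculation barrier after the check, which is what compiler switches such as MSVC’s /Qspectre insert automatically. The table, the probe buffer and the lookup functions are constructed for illustration; the barrier path assumes an x86 build (LFENCE), and the program only shows architectural results, because the transient cache effect is precisely what ordinary code cannot observe:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a 16-entry table that callers index through a
 * bounds check. In a real process the bytes following it in memory could be
 * anything, e.g. a key or a password. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* A second buffer whose access pattern depends on the value loaded from
 * `table`. A 64-byte stride gives one cache line per possible byte value,
 * which is what makes the data-dependent access observable via the cache. */
static volatile uint8_t probe[256 * 64];

/* VULNERABLE PATTERN (Spectre variant 1, bounds check bypass).
 * Architecturally this is correct: an out-of-range idx never reaches the
 * loads in committed execution. But while the condition is unresolved (say,
 * table_len has not arrived from memory yet) the predictor can assume
 * "in bounds" and both loads run speculatively with a caller-chosen idx.
 * The roll-back restores registers, not the cache. */
uint8_t lookup_unsafe(size_t idx, size_t table_len) {
    if (idx < table_len) {
        uint8_t v = table[idx];      /* 1st load: may read past the table transiently */
        (void)probe[(size_t)v * 64]; /* 2nd load: its address leaks v into the cache */
        return v;
    }
    return 0;
}

/* MITIGATION 1: branchless index masking. The mask is pure arithmetic, so it
 * holds even on a mispredicted path: an out-of-range idx becomes 0 and no
 * out-of-range address can be formed speculatively.
 * Precondition: idx and len both below 2^(bits-1). */
size_t index_mask_nospec(size_t idx, size_t len) {
    /* top bit of (idx | (len - 1 - idx)) is clear exactly when idx < len */
    size_t top = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1; /* top == 0 -> SIZE_MAX (keep idx); top == 1 -> 0 (clamp to 0) */
}

uint8_t lookup_masked(size_t idx, size_t table_len) {
    if (idx < table_len) {
        idx &= index_mask_nospec(idx, table_len);
        uint8_t v = table[idx];
        (void)probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

/* MITIGATION 2: a speculation barrier right after the check. LFENCE does not
 * complete until every earlier instruction, including the compare, has
 * completed, so the loads cannot be issued on a guessed path. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* compiler barrier only; no hardware guarantee here */
#endif
}

uint8_t lookup_fenced(size_t idx, size_t table_len) {
    if (idx < table_len) {
        speculation_barrier();
        uint8_t v = table[idx];
        (void)probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

int main(void) {
    /* All three agree architecturally; they differ only in what the CPU may
     * do transiently, which this program cannot observe. */
    printf("in-bounds idx=3:      unsafe=%u masked=%u fenced=%u\n",
           lookup_unsafe(3, TABLE_LEN), lookup_masked(3, TABLE_LEN), lookup_fenced(3, TABLE_LEN));
    printf("out-of-bounds idx=40: unsafe=%u masked=%u fenced=%u\n",
           lookup_unsafe(40, TABLE_LEN), lookup_masked(40, TABLE_LEN), lookup_fenced(40, TABLE_LEN));
    printf("idx=40 after masking: %zu\n", (size_t)40 & index_mask_nospec(40, TABLE_LEN));
    return 0;
}
```

The masking variant is the one to prefer in hot paths: it costs a few ALU instructions and needs no per-architecture barrier, whereas LFENCE serialises the pipeline at every guarded access. Either way, the fix has to be applied at each place where an untrusted index feeds a second, data-dependent memory access, which is why compiler support and OS patches (the guidance links below) matter more than hand-patching.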



Guidance for Windows OS: [Server link], [Client link]

Guidance for SQL Server: [link]

Guidance for Azure: [link]

Guidance for Oracle: [link]

Guidance for AWS: [link]



Meltdown demos (video):



References:
Google Project Zero
meltdownattack.com (Meltdown PDF)
spectreattack.com (Spectre PDF)
Good read on Meltdown and Spectre (csoonline.com)
Google Retpoline (Jump Over ASLR)
Microsoft Cloud blog
stratechery.com
blog.bitnami.com