Meltdown & Spectre

I have no doubt that by now word has reached you regarding the major cyber security vulnerabilities christened ‘Meltdown’ and ‘Spectre’, officially disclosed (although previously leaked) on the 17th of this month and called ‘catastrophic’ by security analysts. Meltdown and Spectre were each discovered and reported independently by several teams around the world. Meltdown was discovered by security researchers Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from the Technical University of Graz in Austria, Werner Haas and Thomas Prescher from the German security firm Cyberus Technology, and Jann Horn at Google's Project Zero. Spectre was also discovered by Jann Horn at Project Zero and, independently, by researcher Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom. These discoveries set off a mass scramble by software developers to fix deficiencies that affect millions, if not billions, of devices running all but the most recent versions of the iOS, Linux, macOS and Windows operating systems.

Pretty much every computer built in the past 15-20 years relies on an Intel chip, an ARM-based microprocessor, or a processor from Intel’s major competitor AMD. The central processing unit (CPU) of a computer is the internal component of electronic circuitry responsible for interpreting and executing commands from the computer's other hardware and software. Essentially the ‘brains’ of a device, a CPU is found in all sorts of technology, including desktops, laptops, tablets, smartphones and televisions. There are multiple ways to optimise its performance. For example, a processor may have more than one core, allowing it to handle twice as many instructions every second. Alternatively, it may run two threads on one physical core, so that a CPU with only four cores can function as if it has eight. In the past few weeks it has been brought to the world’s attention that basic processor structures present in all computers of the last two decades - the very structures that provide the baseline speed and functional quality we have grown so accustomed to - allow for the Meltdown attack, the Spectre attack, or both. Read on to find out about these weaknesses and how malicious programs can manipulate them.

Branch prediction is a feature of almost all processors and is essential to their performance. If you picture the data processing of a computer as a kind of digital flowchart, you get an idea of how it works. Imagine a conditional instruction at each stage of the flowchart (‘if x then go to y’) which leads to the next instruction. Execution will either continue down a linear path or jump to a different place in memory where the code for the next branch is stored. Strictly, the jump cannot be made until the condition has been evaluated; branch prediction, however, pre-emptively guesses the outcome of a conditional instruction before the condition has actually been processed. The prediction draws on a record of regular branch patterns that the processor has built up since the very first instruction it executed. From this history, a guess is made as to whether a conditional jump will be taken or not, speeding up performance because the processor does not have to wait for the previous instruction to finish before the next one is fetched. The most probable next code is fetched and speculatively executed; if it turns out, once the preceding instruction completes, that the prediction was wrong, the partially executed instructions are discarded and the history record is updated.

Memory isolation is a cornerstone of computer security. Operating systems are designed to block one application from accessing memory being used by another unless it has been given specific permission to do so. This allows multiple applications to run simultaneously without being able to read each other’s data. In order to access protected data, a process must pass a privilege check. Spectre, however, exploits speculative execution to bypass privilege checking and memory isolation. Speculative execution means that while the CPU is waiting to find out whether the application passes the privilege check, it starts working with the requested privileged data even before permission has been granted. If the process fails the privilege check, the result is discarded; however, the data touched along the way has been pulled into the CPU cache, altering the processor's lowest-level microarchitectural state. The resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data.

Meltdown abuses a similar outcome in another performance-increasing technique called ‘out-of-order execution’. A processor that executes instructions strictly in order uses its resources inefficiently, so modern processors execute instructions in the order in which their data becomes available. This avoids stalls when the data needed for an operation is unavailable or slow to arrive. However, when an unprivileged program requests access to privileged memory, one of the operations in flight will be the time-consuming privilege check, while another will be the speculative load from virtual memory addresses that are normally available only to the kernel and privileged programs. When the malware's request is denied, the results of the out-of-order instructions are discarded; the data cache, however, has already been changed. Consequently, a process running in user space can infer the contents of kernel memory through the data cache.
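The two paragraphs above share one mechanism: the privilege check fails and the architectural result is thrown away, but a transient load has already left a footprint in the cache. The following toy model, added here and not part of the original article, makes that footprint explicit and shows why the two common fixes work: a serialising barrier that stops the transient load (modelled by `speculate=False`) and KPTI-style page-table isolation that removes kernel memory from the user address space (modelled by `kernel_mapped=False`). It is a constructed simulation with no real timing or hardware behaviour; class and function names are my own.

```python
# Constructed toy model (not from the article) of the cache side channel:
# the privilege check fails and the value is discarded, yet a dependent
# transient load has already changed which cache lines are present.
from dataclasses import dataclass, field

LINES = 256  # one probe line per possible byte value


@dataclass
class ToyCPU:
    kernel_memory: bytes                      # privileged data, never readable from user mode
    kernel_mapped: bool = True                # False models KPTI: kernel pages absent from user tables
    speculate: bool = True                    # False models a serialising barrier before the check
    cache: set = field(default_factory=set)   # indices of probe lines currently cached

    def flush(self):
        """Reset the attacker-visible cache state (the 'flush' step)."""
        self.cache.clear()

    def user_read_kernel(self, addr):
        """A user-mode load of a kernel address. Architecturally it always faults."""
        if self.speculate and self.kernel_mapped:
            # Out-of-order execution: the data arrives before the permission
            # check resolves, and a dependent load keyed on its value runs.
            secret = self.kernel_memory[addr]
            self.cache.add(secret)            # microarchitectural footprint survives the squash
        return None                           # privilege check fails; value discarded


def probe(cpu):
    """The 'reload' step: which probe lines are cached? (a timing difference on real hardware)"""
    return sorted(line for line in range(LINES) if line in cpu.cache)


def leak_byte(cpu, addr):
    """Return the byte inferred purely from cache state, or None if nothing leaked."""
    cpu.flush()
    cpu.user_read_kernel(addr)
    hits = probe(cpu)
    return hits[0] if len(hits) == 1 else None


def demo():
    secret = b"K"                             # constructed sample kernel memory
    return {
        "unpatched": leak_byte(ToyCPU(secret), 0),
        "barrier": leak_byte(ToyCPU(secret, speculate=False), 0),
        "kpti": leak_byte(ToyCPU(secret, kernel_mapped=False), 0),
    }
```

Running `demo()` gives 75 (the byte 'K') for the unpatched model and None for both mitigated models, which is the whole point: the architectural result is identical in all three cases, only the cache differs.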

What do Meltdown and Spectre mean for cyber-security? Widespread damage control seems to be the best short-term plan, and multiple software patches are already available. However, implementing them has a significant effect on performance, with some reports claiming a decrease in speed of up to 30%. Meltdown and Spectre have highlighted fundamental flaws in the structure of the world’s processors, but also our demand for and dependence upon speed and performance. As recent reports show, this comes with potential costs and consequences if hardware is not rigorously scrutinised. Will other vulnerabilities be discovered in the methods of our corner-cutting processors?
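One practical check a defender can run after applying those patches, added here and not part of the original article: Linux kernels from 4.15 onward report the mitigation status of each issue in /sys/devices/system/cpu/vulnerabilities. The script below reads those files and lists anything still unmitigated; the sample directory it builds is constructed so the code also runs offline, and the function names are my own.

```python
# Added example (not from the article): summarise the per-vulnerability status
# files that Linux 4.15+ exposes and report which issues still lack a mitigation.
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FILES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(directory=SYSFS_DIR):
    """Return {name: (raw status, classification)}; a missing file means the kernel predates the interface."""
    report = {}
    for name in FILES:
        try:
            with open(os.path.join(directory, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = "<not reported by this kernel>"
        report[name] = (raw, classify(raw))
    return report


def unmitigated(report):
    """Names of issues that are not confirmed mitigated or unaffected."""
    return sorted(name for name, (_, cls) in report.items() if cls != "ok")


def make_sample_dir():
    """Constructed sample resembling a partially patched host, for offline use."""
    d = tempfile.mkdtemp()
    samples = {"meltdown": "Mitigation: PTI\n",
               "spectre_v1": "Mitigation: __user pointer sanitization\n",
               "spectre_v2": "Vulnerable\n"}
    for name, text in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d


if __name__ == "__main__":
    for name, (raw, cls) in read_status().items():
        print(f"{name:11} {cls:10} {raw}")
```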

Long-term solutions will likely include radical processor redesign, or at least the development of new, thoroughly examined performance optimisations. While the dangers of relying on digital systems for security have been displayed, it is extremely unrealistic that society will return to a time when sensitive data was not stored on computational devices. Modern technology has become an integral part of daily existence. What is beyond doubt is that an amount equal to the investment put into developing technology should be put into cyber-security, if not more. Hardware must be developed in tandem with the highest quality security, so that we are not left in a position where researchers are rushing to fix problems latent in devices we have been using for two decades.