The Spectre of Chips on Meltdown

January 05, 2018, Victor Teissler, Security Associate, Coalfire

The news is rife with emerging details of Intel and other chip vulnerabilities and the attacks that can potentially exploit them. While details are still developing and will likely continue to be uncovered in the days, weeks, and even months ahead, we will explore what is known to date.

Spectre and Meltdown: What Do We Know?

Spectre and Meltdown are hardware bugs with significant security implications. Both allow malicious code to break through memory isolation, a security property that modern processors are supposed to guarantee. The impact, as indicated by the published research, is that attackers can read memory they otherwise would not be able to access. One could liken this to Heartbleed, with nuances that make exploitation more varied and more difficult.

Software that holds sensitive data in memory is the target of these attacks. The sought-after data depends on the application; cryptographic keys, Bitcoin wallet passwords, access credentials, Personally Identifiable Information (PII), and session tokens are just a few examples.

Among affected devices are desktops, servers, virtualization hosts, cellphones, and other embedded systems. The umbrella of embedded systems may very well include countless IoT devices that have proliferated globally. While the researchers behind the findings have proven the efficacy of their exploits, attacks in the wild have not yet been observed.

Spectre differs from Meltdown in one significant way. Meltdown abuses the fact that the processor defers its privilege check while executing out of order, which lets an unprivileged process read kernel memory; it is presently known to be exploitable only against Intel chips. Spectre, on the other hand, tricks a victim program's own speculative execution (for example, a mispredicted branch) into touching secret data, which is then recovered through a cache side channel. It affects a broader range of chip manufacturers, including Intel, AMD, and ARM, and is considerably harder to exploit; it is also harder to protect against. Spectre is best thought of as a class of attacks rather than a single bug, so further variants are likely to surface as research continues.

What can I do to protect myself?

Both Meltdown and Spectre exploit flaws in the chips already installed in systems, so software and firmware patches (or replacing the CPUs entirely) are the only way to address them. Meltdown can be mitigated at the Operating System (OS) level by keeping kernel page tables out of the user-space address space (Linux calls this KPTI; Windows and macOS have shipped equivalent changes). As long as you have a policy of timely OS patching, your computers and servers are likely already protected from Meltdown. Cellphone manufacturers are beginning to release patches, and other classes of devices will begin to receive patches of their own. However, there is a performance cost associated with patching against Meltdown: the mitigation adds overhead to every transition between user mode and the kernel, so the cost depends on how often the running code makes system calls and has been reported in the range of 5-30%.

Spectre, on the other hand, is both harder to exploit and harder to protect against. Microcode updates from the affected chip manufacturers (Intel, AMD, and ARM) help against some variants, but they do not close Spectre on their own: variants that abuse a program's own conditional branches have to be fixed in that program's code, so individual pieces of software will need to be patched or recompiled. At the moment, the LLVM compiler project has a preliminary patch to this effect, but it is up to software vendors to recompile their products with the patched compiler.

Guidance for Individuals

  • Ensure you are up to date on all patches issued by your technology vendors.
  • Check your networking appliances and ensure that patches are applied as they are issued by vendors.
  • Check your mobile device to ensure it has either been updated or has a pending update to install. Make sure to apply patches as soon as possible.
  • Ensure that your home devices are up to date as well, and don't neglect your Internet of Things (IoT) devices. Cameras, TVs, thermostats, and other home devices generally use various builds of Linux to power their functionality. They could be affected too, so be sure to check with your vendor frequently over the coming days and weeks for any relevant updates.

Guidance for Organizations

  • Ensure that your security team has a timely and effective patch management process—and where possible, is leveraging an automated patch management solution.
  • Continually reinforce good security hygiene with staff and instill a security-conscious environment.

The bottom line is, patch early, patch often—Spectre will haunt us for years to come.

Update (1/9/2018):

Browsers are one of the most exposed vectors for Spectre attacks, since they run untrusted JavaScript from any website and the published research includes a JavaScript proof of concept. They are the topic of this update.

Browsers have addressed the Spectre and Meltdown vulnerabilities by reducing the precision of the time sources available to their JavaScript engines. Specifically, the common strategy employed by all major browsers is to disable SharedArrayBuffer, which can be used to build a high-resolution timer, and to reduce the resolution of performance.now().

A cache-timing side channel has to tell a cached memory access apart from an uncached one, a difference of well under a microsecond, so coarsening the clock to tens of microseconds makes a single measurement useless. This raises the bar substantially rather than eliminating the problem: an attacker can still amplify the signal by repeating the access or by constructing an alternative clock, which is why vendors treat it as an interim mitigation. The desktop browser updates have reportedly been released according to the following schedule.

  • WebKit / Apple - January 8, 2018
  • Firefox - January 4, 2018
  • Internet Explorer - January 4, 2018
  • Google Chrome - January 5, 2018

Although the current mitigation strategy raises the cost of an attack, additional mitigations (for example, isolating different sites into separate processes) are planned to further harden browsers against the vulnerability.
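To make the reasoning behind the timer change concrete, here is an added example; it is not code from the original post, from Coalfire, or from any browser vendor. It is a constructed model: the hit and miss latencies, the noise, the seed, and the two clock resolutions are assumed values chosen to be plausible, not measurements of any real CPU or browser. It shows that a 20 microsecond clock reduces a single hit-versus-miss measurement to roughly a coin flip, and that repeating the access enough times recovers the signal, which is why the timer change is a mitigation rather than a fix. The clockResolution helper also shows the edge-detection trick for checking what step size a runtime's performance.now() actually exposes.

```javascript
// Added example: a constructed model of how coarsening a browser timer
// blunts a cache-timing side channel. The latencies and noise below are
// assumed values (hypothetical), not measurements of any real CPU or
// browser. Runs under Node.js or pasted into a browser console.

const HIT_MS = 0.00005;    // assumed cached access: ~50 ns
const MISS_MS = 0.00030;   // assumed DRAM access: ~300 ns
const JITTER_MS = 0.00005; // assumed uniform measurement noise (+/-)

// Small deterministic PRNG (mulberry32) so every run is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return function rng() {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Round a timestamp down to the clock's resolution, which is what a
// browser does when it coarsens performance.now() (e.g. to 0.02 ms).
function quantize(t, resolutionMs) {
  return Math.floor(t / resolutionMs) * resolutionMs;
}

// Latency of one simulated memory access, with noise.
function accessLatency(isHit, rng) {
  const base = isHit ? HIT_MS : MISS_MS;
  return base + (rng() * 2 - 1) * JITTER_MS;
}

// The attacker's measurement: read the coarse clock, perform `repeats`
// accesses, read it again. The start time has a random phase within a
// clock tick, so the access is not aligned with a tick boundary.
function measure(isHit, resolutionMs, repeats, rng) {
  const start = rng(); // random phase in [0, 1) ms
  let end = start;
  for (let i = 0; i < repeats; i++) end += accessLatency(isHit, rng);
  return quantize(end, resolutionMs) - quantize(start, resolutionMs);
}

// Decide hit vs miss by thresholding at the midpoint of the expected totals.
function classify(elapsedMs, repeats) {
  const threshold = repeats * (HIT_MS + MISS_MS) / 2;
  return elapsedMs > threshold ? 'miss' : 'hit';
}

// Fraction of trials the attacker gets right. Half the trials are hits and
// half are misses, so 0.5 means the clock leaks nothing useful.
function accuracy(resolutionMs, repeats, trials, seed) {
  const rng = makeRng(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isHit = i % 2 === 0;
    const guess = classify(measure(isHit, resolutionMs, repeats, rng), repeats);
    if ((guess === 'hit') === isHit) correct++;
  }
  return correct / trials;
}

// Estimate a clock's resolution by spinning until its value changes and
// keeping the smallest positive step seen. This is the edge-detection
// trick attackers use, and a quick way to see what a browser exposes.
function clockResolution(now, samples) {
  let smallest = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    let cur = now();
    while (cur === prev) cur = now();
    smallest = Math.min(smallest, cur - prev);
    prev = cur;
  }
  return smallest;
}

const FINE_MS = 0.000001; // 1 ns: roughly what a SharedArrayBuffer-based timer could give
const COARSE_MS = 0.02;   // 20 us: the resolution browsers moved to in January 2018

console.log('fine clock,   1 access    :', accuracy(FINE_MS, 1, 2000, 1));
console.log('coarse clock, 1 access    :', accuracy(COARSE_MS, 1, 2000, 1));
console.log('coarse clock, 200 accesses:', accuracy(COARSE_MS, 200, 2000, 1));
if (typeof performance !== 'undefined') {
  console.log('clock step in this runtime (ms):', clockResolution(() => performance.now(), 50));
}
```

With the assumed numbers, the fine clock separates hits from misses every time, the coarse clock alone is near 50%, and 200 repeated accesses against the coarse clock are separated every time again. The amplification an attacker needs grows with the clock resolution divided by the hit/miss latency gap, so coarsening the timer buys time but cannot close the channel by itself.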
