Wednesday, January 10, 2018

The Spectre of Intel’s (Past) Meltdown

The Internet is abuzz with reports of two major vulnerabilities codenamed “Meltdown” & “Spectre”. These vulnerabilities were independently reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. 



Thousands of articles have already been written over this. So what’s new in this blog post? I did read a lot of this information available on the internet before writing this article and found this:

a)Some of the articles contain highly technical information and jargon which doesn’t make sense for the common man.
b)Most of the articles do not explain what the real deal is and just touch upon the basics of good information security practices.
c)Leading press houses have taken this opportunity to thrash the tech companies on such vulnerabilities.

So if you just want to understand as to what “Meltdown” & “Spectre” mean in extremely simple terms … read on to find out.

The Speculation Problem

Do you have a favorite restaurant where you go or have been going for years? If yes, you would have appreciated the fact that the waiter knows “What’s your favorite?” 
Or, Imagine the coffee shop where you step in every morning and the lady on the other side has your cappuccino ready with “Just the way you like it John” statement.
In both these scenarios, the waiter and the waitress have assumed or rather speculated as to what are you going to order basis your history. 

Now let’s say that the coffee shop makes the coffee extra special for you by putting your name tag on the cup. Every day, you see your name on it and love it. 

But one fine day, when you step into the shop, you order an expresso rather than a cappuccino. The shopkeeper is taken aback as he has the order ready, remember, with your name on it and just the way you like it. Now since you changed the order, he throws that cup in the dustbin and gives you an expresso.

Well, so far, so good. Are you wondering as to did I forget that this article is about “Meltdown” and not about coffee. Hey, hold your horses, the story is about to get better and I did not forget about “Meltdown”. When the shopkeeper throws the cup away the garbage collector is able to get your name off the cup even though if it’s just for a moment.

Still wondering as to how “Meltdown” fits in this story? Read on. Our computers work in a similar fashion. They use a technique known as “speculative execution” to perform certain processing operations before it is known for certain that those operations will be required, on the premise that these guesses often turn out to save time.

So when you give an instruction to open say MS Word, the computer speculates that you may click on “File” as your next step based on usage pattern. So based on this speculation, it sends this information to the processor for processing to save time. Modern computer chips have sophisticated “branch predictors” that use fancy algorithms to determine what your next step would be and they are correct 99% of the times.

Now when you open MS Word, instead of clicking on “File”, you decide to close the program altogether. However, the computer had speculated that you would click on “File”. Now basis this new instruction, it throws away the previous instruction.

This information which is thrown away can be hacked or spied upon by the hackers and this weakness which can be exploited is dubbed as "Meltdown" and "Spectre". They differ in the way this is done.

I want to meet the Kernel


There is a new villain in town and yes, it wants to meet the Kernel. Let’s understand as to who “Kernel” is.
He is the boss and only he decides as to who can meet him and others in the town. In computer terms, it is the core of a computer's operating system, with complete control over everything in the system. There are only a few processes who can speak directly with the kernel. 

Now, let’s say, that this villain knows a secret about the kernel called the “Side- Channel”. To understand this “Side-channel” attack, consider that I follow you every day without even connecting with you. Basis this spy work, I am able to gather a lot of information about you and your habits.

“Meltdown” & “Spectre” are the villains in this case who know about the “Kernel” and his deeds. His deed being doing speculative execution of instructions and throwing away the “Unused” instruction in an unprotected space. This is what the security researchers have targeted. When Intel processors (affected by Meltdown) perform speculative execution, they don't fully segregate processes that are low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution. 

Let’s Call the Patch Guy


Well, can you change the “Kernel”? Unfortunately, the answer is NO. We need to understand that both “Meltdown” and “Spectre” are hardware bugs and not software bugs. It’s the way, modern processors were built.
Imagine that you built your house years back. Now you discover that there was an issue with the design of the house and that could allow a thief to enter into your house from the back door. Can you change the house design now? No. You need to redesign the house. In a similar fashion, the tech companies have to redesign the processors, Mr. Kernel, and the instruction processing.

Are you wondering as to what happened to the patches that were issued by the tech companies? Well, to understand it, let’s go back to the coffee analogy. Now since the shopkeeper knows that you have changed your behavior, what would he do? He asks his waiter to wait until you give the order.
In a similar fashion, the patches deployed by most of the companies have in a way “suspended” or “try to suspend” this speculation. The patch makes it difficult for the villain to “spy” as to what Mr. Kernel is doing.

Now since the speculation has been made to suspend, it becomes obvious that the coffee which you may now order will take more time to be ready, which gives us the reason as to why the patch will make your systems either slow or unbootable. Also, Read https://gadgets.ndtv.com/laptops/news/microsoft-suspends-amd-spectre-and-meltdown-patch-rollout-after-complaints-of-unbootable-pcs-1797953.

Just tell me what to do

I wish I had the answer to this question. We are dependent on Intel or AMD and the tech companies to issue us new patches which may temporarily fix the problem. But is it really that bad? Trust me, it’s not. While the threat is real, it will take a lot of time and effort for the bad guys to use it in the real sense. Remote code execution will not work for these vulnerabilities and it is not cost effective for the bad guys to spend so much time and energy on the personal computers.
Well, for nation-states and national security, it’s a different game altogether. Until that time, we can just keep our systems updated with the latest patches and implement best information security practices. Don’t look at me like this …yeah I mentioned it too.

In case you wanna know more about advisories issued, Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF).  Cyberus Technology has their own blog post about the threats.

Do share your comments and feedback in the comments section below.

No comments: