
Meltdown and Spectre: Analyzing the Lasting Costs

posted Jan 19, 2018, 1:33 PM by James Caroland   [ updated Jan 19, 2018, 1:39 PM ]
By James Loving

Introduction

Earlier this month, researchers with Google’s vulnerability research group Project Zero released a pair of exploits, Meltdown and Spectre, that threaten nearly every workstation and server on the Internet. These kernel attacks exploit performance features to violate process isolation measures, allowing an adversary to read private information, such as passwords. Patches are being rapidly developed and distributed, but the mitigations typically result in performance hits ranging up to 20%. Because of the long-term performance impact, these vulnerabilities may become the most financially costly in recent memory, despite the rapid patching preventing significant harm to systems’ security.

Overview of Vulnerabilities

Meltdown (CVE-2017-5754)

The Meltdown attack exploits speculative execution, which is a performance feature where a CPU will begin simultaneous execution of multiple instructions, so that when an instruction is reached, execution has already begun, increasing apparent performance. Specifically, the CPU will begin execution of multiple lines of code, assuming that any out-of-order instructions can be undone. Unfortunately, these out-of-order instructions are able to avoid the measures that prevent code from accessing kernel memory, because these privilege checks have a significant impact on performance and are thus executed only on the “correct” path of code execution.

This vulnerability primarily affects Intel processors. While the Meltdown paper presents some evidence that the out-of-order exploitation of speculative execution is possible on AMD and ARM chipsets, the researchers were unable to produce a proof-of-concept password leaker for these architectures. ARM has confirmed that this vulnerability impacts only their Cortex-A75 line; their other processors are not vulnerable. This processor is used by some Snapdragon chipsets, which are common in mobile devices.

For more information on Meltdown, I recommend this developer’s analysis, the researchers’ original blog post, and their paper.

Spectre


Project Zero’s original blog post outlined two variants on the Spectre attack; the Spectre paper lumps both variants together and provides five additional variants. This article discusses only the two primary variants included in the blog post; for details on the additional variants, consult pages 10-12 of the paper.

Variant 1 (CVE-2017-5753)

Spectre variant 1 also exploits speculative execution, but it relies on branch prediction, wherein the CPU will begin execution of multiple branches of a conditional statement, concurrent to the condition being evaluated. Therefore, when the condition is evaluated and the branch-to-be-executed has been determined, execution is already in progress. The CPU assumes that any instructions from unchosen branches can be undone; the Spectre attack exploits this assumption. To execute the attack, the adversary chooses a “gadget,” an instruction from the victim’s address space, which is then speculatively executed. When the CPU attempts to undo the effects of this unchosen branch, changes to the memory cache are not undone. Thus, the adversary can force leakage of sensitive data in other processes’ memory.

Below is a pseudocode example of the Spectre variant 1 vulnerability. Due to compiler optimizations, this snippet does not present a real-life instance of speculative execution.
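An added example, not the article's own snippet or the researchers' code: the bounds-check pattern that variant 1 targets, next to a hardened form that clamps the index with a branchless mask. The array names, sizes and function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16u

/* Constructed sample data; array names and sizes are assumptions. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2,  3,  4,  5,  6,  7,  8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 256];

/* Variant 1 pattern: architecturally correct, but while the bounds check is
 * unresolved a mispredicted branch can speculatively read array1[x] for an
 * out-of-range x and pull an array2 line selected by that byte into the
 * cache. The architectural result is discarded; the cache state is not. */
uint8_t victim_unchecked_speculation(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 256];
    return 0;
}

/* Branchless mask: all ones if idx < size, else zero (size <= SIZE_MAX/2).
 * Same arithmetic as the generic array_index_mask_nospec() in Linux; relies
 * on arithmetic right shift of negative values, as mainstream compilers do. */
size_t index_mask(size_t idx, size_t size) {
    ptrdiff_t v = (ptrdiff_t)(idx | (size - 1 - idx));
    return (size_t)(~v >> (sizeof(ptrdiff_t) * 8 - 1));
}

/* Index clamped by a data dependency rather than by the predicted branch. */
size_t clamp_index(size_t idx, size_t size) {
    return idx & index_mask(idx, size);
}

/* Hardened form: even on the mispredicted path the load uses index 0. */
uint8_t victim_masked(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[clamp_index(x, ARRAY1_SIZE)] * 256];
    return 0;
}

int main(void) {
    array2[array1[3] * 256] = 0x5a; /* marker so both paths return data */
    printf("in-bounds: %u %u\n", (unsigned)victim_unchecked_speculation(3),
           (unsigned)victim_masked(3));
    printf("clamp(15)=%zu clamp(16)=%zu\n",
           clamp_index(15, ARRAY1_SIZE), clamp_index(16, ARRAY1_SIZE));
    return 0;
}
```

An optimizing compiler that inlines `clamp_index` can prove the mask is all ones inside the branch and delete it, so real implementations hide the index from the optimizer (Linux uses `OPTIMIZER_HIDE_VAR`) or use an architecture-specific instruction sequence.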

This vulnerability has a much wider impact than Meltdown; it affects Intel, AMD, and ARM architectures. All three manufacturers have acknowledged the vulnerability and are working with OS developers to provide mitigation instructions and patches for their hardware. Snapdragon has not commented on this variant’s impact to its chipsets, but both Android and Apple iOS have acknowledged their vulnerability and issued patches.

Variant 2 (CVE-2017-5715)

Like variant 1, Spectre variant 2 exploits branch prediction speculative execution, but variant 2 has an adversary process influencing the branch prediction of a victim process and redirecting it, thus forcing the victim process to speculatively execute a “gadget” - code located elsewhere in memory that can be used to leak sensitive information. This variant affects the same platforms as variant 1, although it may be more difficult to execute against certain chipsets.



Impact

Because of the unprecedented range of vulnerable devices, the Spectre and Meltdown attacks have a significant impact. Cloud vendors, and organizations that rely on cloud services, are likely to bear the majority of the cost. However, due to the pace at which cloud services are patching their servers, they are likely to face a primarily monetary cost as a result of these vulnerabilities, instead of a legitimate cybersecurity threat. In comparison, the Internet of Things (IoT) is likely to face legitimate cybersecurity challenges due to these vulnerabilities, as IoT devices are notoriously difficult to patch and/or infeasible to replace.

Users

Compared to other groups, individual computer users are likely the least affected. The industry has responded quickly to the attacks. Microsoft, Apple, and Red Hat have published patches addressing the vulnerabilities, and Ubuntu and FreeBSD are currently developing patches, as of the writing of this article. While these patches generally have significant performance hits, most user tasks, such as Internet browsing, word processing, and video streaming, are not computationally intensive, so users should notice little of the reduced performance.

The Cloud

Because most cloud services run on virtual servers (versus bare metal), Meltdown and Spectre have massive potential impact. A particular customer/server can take all necessary precautions and still be victimized by another, insecure customer/server, as the exploited server and the victim server may exist on the same hardware, thus allowing for memory access between servers. Fortunately, the industry responded quickly: Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and other companies have already begun patching their systems.

While the majority of press surrounding the impact on the cloud of Meltdown and Spectre has centered around these cybersecurity issues, I believe the long term performance reduction is a greater impact. Unlike users, who often have computer resources to spare, modern cloud systems are designed to run at extremely high loads. The customer is typically paying for the infrastructure, and therefore wants to get their money’s worth. Because of the reduced performance resulting from the necessary patches, these customers may find their cloud-associated costs rising to compensate for the reduced performance: each server being, e.g., 10% less effective means that 11% more servers are necessary for equivalent computational capability.

The Internet of Things

However, the largest impact of Meltdown and Spectre may be to the security of the Internet of Things. IoT devices are often deployed and not administered again, so many such devices will likely never receive the patches necessary to protect against Meltdown/Spectre. In the long term, this vulnerability may persist, as traditional devices - servers, workstations - are replaced with new hardware, which will hopefully be resistant to Meltdown/Spectre, and the IoT devices remain in place.

Fortunately, I have little reason to believe that these exploits will be readily weaponized for the Internet of Things. All current proofs of concept are used for information theft; they execute fragments of code already present on the victim device to leak memory, thus accessing private information. I have not seen an example of remote code execution, which would be necessary for the majority of malicious activity in the IoT. While an adversary may be able to, for example, use Spectre on an ARM-based smart light bulb to steal a WiFi password, they should be unable to use these exploits to create a botnet.

Conclusions

The Meltdown and Spectre attacks may, in the long term, be extremely costly: they could increase the costs of cloud computing by up to 20%. However, due to the rapidity with which patches are being developed and deployed, combined with the narrow use of the exploits - leaking private information while already on a device - they do not appear to pose a significant threat to the security of the Internet or its users.



About the Author

James Loving is a security engineer, research affiliate with the Massachusetts Institute of Technology (MIT) Internet Policy Research Initiative, and copy editor of Cyber magazine. His research interests include security and privacy in the Internet of Things and the intersection of Internet and international security. He holds BS degrees from Florida State University in Computer Criminology and International Affairs and MS degrees from MIT in Computer Science and the Technology and Policy Program. He currently serves as an officer in the Massachusetts Army National Guard.

-------------
Image credits:  all images from meltdownattack.com