Security

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

AMD, Arm also affected by data-leak design blunders, Chipzilla hit hardest

By Chris Williams, Editor in Chief

252 SHARE

Summary The severe design flaw in Intel microprocessors that allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.

On Tuesday, we warned that a blueprint blunder in Intel's CPUs could allow applications, malware, and JavaScript running in web browsers, to obtain information they should not be allowed to access: the contents of the operating system kernel's private memory areas. These zones often contain files cached from disk, a view onto the machine's entire physical memory, and other secrets. This should be invisible to normal programs.

Thanks to Intel's cockup – now codenamed Meltdown – that data is potentially accessible, meaning bad websites and malware can attempt to rifle through the computer's memory looking for credentials, RNG seeds, personal information, and more.

Here's a video demonstrating a Meltdown attack:

On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine's physical memory and steal data from other customers' virtual machines. See below for details on Xen and VMware hypervisor updates.

Intel is not the only one affected. Arm and AMD processors are as well – to varying degrees. AMD insisted there is a "near-zero" risk its chips can be attacked in some scenarios, but its CPUs are vulnerable in others. The chip designer has put up a basic page that attempts to play down the impact of the bugs on its hardware.

Arm has produced a list of its affected cores, which are typically found in smartphones, tablets and similar handheld gadgets. That list also links to workaround patches for Linux-based systems. Nothing useful from Intel so far.

This is, essentially, a mega-gaffe by the semiconductor industry. As they souped up their CPUs to race them against each other, they left behind one thing in the dust. Security.

We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

READ MORE

One way rival processors differentiate themselves, and perform faster than their competitors, is to rely on speculative execution. In order to keep their internal pipelines primed with computer code to obey, they do their best to guess which instructions will be executed next, fetch those from memory, and carry them out. If the CPU guesses wrong, it has to undo the speculatively executed code, and run the actual stuff required.

Unfortunately, the chips in our desktop PCs, laptops, phones, fondleslabs, and backend servers do not completely walk back every step taken when they realize they've gone down the wrong path of code. That means remnants of data they shouldn't have been allowed to fetch remain in their temporary caches, and can be accessed later.

The trick is to line up instructions in a normal user process that cause the processor to speculatively fetch data from protected kernel memory before performing any security checks. The crucial Meltdown-exploiting x86-64 code can be as simple as...

; rcx = kernel address
; rbx = probe array
retry:
  mov al, byte [rcx]
  shl rax, 0xc
  jz retry
  mov rbx, qword [rbx + rax]

Trying to fetch a byte from the kernel address as a user process triggers an exception – but the subsequent instructions have already been speculatively executed out of order, and touch a cache line based on the content of that fetched byte.

An exception is raised, and handled non-fatally elsewhere, while the out-of-order instructions have already acted on the content of the byte. Doing some Flush+Reload magic on the cache reveals which cache line was touched and thus the content of the kernel memory byte. Repeat this over and over, and eventually you dump the contents of kernel memory.

On Wednesday, following research by a sizable collection of boffins, details of three closely related vulnerabilities involving the abuse of speculative execution in modern CPUs were made public:

These have been helpfully grouped into two logo'd and branded vulnerabilities: Meltdown (Variant 3), and Spectre (Variants 1 and 2). Both links go to a website with the full technical papers detailing the attacks if you want to see in gory detail how they work.

There is also a Google Project Zero blog post going over the finer points. Finally, here's some proof-of-concept exploit code that runs on Windows.

Here's a summary of the two branded bugs:

We're told Intel, AMD and Arm were warned of these security holes back in June last year. Our advice is to sit tight, install OS and firmware security updates as soon as you can, don't run untrusted code, and consider turning on site isolation in Chrome to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process (Firefox has its own mitigations.)

If you are using the Xen hypervisor, you should grab security patches when they become available. Intel and AMD processors are affected, and they're still checking whether Arm is.

"Xen guests may be able to infer the contents of arbitrary host memory, including memory assigned to other guests," due to these processor security holes, according to the hypervisor project team. If you've experienced a mass reboot – or are scheduled for one – by your public cloud provider, this may be why.

Meanwhile, VMware's ESXi, Workstation and Fusion hypervisors need patching to counteract the underlying hardware design flaws.

Finally, if you are of the opinion that us media types are being hysterical about this design blunder, check this out: CERT recommends throwing away your CPU and buying an non-vulnerable one to truly fix the issue. ®

Updated to add

CERT has downgraded its advice from "replace CPU" to "apply updates."

Sign up to our NewsletterGet IT in your inbox daily

252 Comments

More from The Register

Hmm, there's something fishy about this graph charting AMD's push into Intel's server turf

Epyc chips nibble bits off Xeon's x86 revenue share

Monday: Intel touts 28-core desktop CPU. Tuesday: AMD turns Threadripper up to 32

It's crazy how a little competition can cause that

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Wave the CPU trust flag if you're feeling safe enough

Cheap-ish. Not Intel. Nice graphics. Pick, er, 3: AMD touts Ryzen Pro processors for business

Quickly follows 2018's Pro Mobile parts

A bit of intel on AMD's embedded Epyc and Ryzen processors

Dips Zen toes into embedded world with hot new SoCs

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

FYI: Processor bugs are everywhere – just ask Intel and AMD

More chip flaws await

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Pact of silence questioned

SoftNAS no longer a soft touch for hackers (for now)... Remote-hijacking vulnerability patched

Your files are someone else's files, too, thanks to storage bug

Cray snuggles up with AMD: Clustered super CS500 lets in Epyc chip

Oh dear, Intel... look who's getting cosy with Cray