How the Meltdown and Spectre vulnerabilities impact security

Meltdown and Spectre

Many times, information security is very focused on operating systems, applications and users, while physical and hardware security is often ignored. Physical security is often outside the scope of information security teams, who rarely deal with hardware security. There may be some things information security teams can do to address hardware security problems, but without hardware security at the base, it may be difficult to adequately secure a system.

Hardware security features are critical for process isolation to provide privilege separation and prevent a regular user from running code as a privileged user or from gaining unauthorized access to shared resources, like a shared cache. Furthermore, hardware security may be most prevalent when updating the BIOS of a system.

The Meltdown and Spectre vulnerabilities were publicly disclosed in January, but were privately disclosed to the relevant parties in June 2016 for a coordinated response. Meltdown is a vulnerability in isolation between user applications and operating systems on Intel-based systems where an unprivileged process can bypass memory protections to gain unauthorized access to system memory.

Meanwhile, Spectre is a vulnerability in speculative execution in the CPU that enables an attacker to trick an application into leaking its secrets in memory. Speculative execution is used to maximize the performance of the CPU.

The attacks target CPUs from Intel, AMD and ARM, which represent an extremely large percentage of devices. Both attacks use side-channels attacks to read data from the targeted memory location and can access sensitive data in memory, such as passwords or encryption keys stored in secure enclaves. They also both require codes to run on the local system and are essentially privilege escalation vulnerabilities.

For cloud systems, virtual hosting systems and servers, these privilege escalation vulnerabilities have a significant impact, but there could be less of an impact on endpoints, where many users still have administrative or privileged access. Endpoints may have many different privilege escalation vulnerabilities in the OS and within applications, so these new vulnerabilities would be among those present.

To attack these vulnerabilities, untrusted code must be executed on the local system. Web browsers have been identified as vulnerable, as an attacker can use a JavaScript side-channel attack to read data from the browser. Some researchers even developed proof-of-concept code for a Spectre exploit in JavaScript for a web browser.

Enterprise defenses against Meltdown and Spectre vulnerabilities

Even though enterprise defenses for hardware vulnerabilities can be more complicated than typical software patches, having a plan to respond to hardware vulnerabilities and to assess the risk they pose to your enterprise can help determine the appropriate response.

Many times, hardware vulnerabilities have software patches to address them, and there are multiple patches, BIOS updates and firmware updates available for Meltdown and Spectre. The impact of patching these vulnerabilities seems to vary based on the system, CPU and workload.

However, there have been some reports of significant slowdowns caused by the patches, as some of them were broken and have even been removed and replaced. Microsoft also offers patches, but has reported issues with antivirus software compatibility, so you should test the patches before deploying them in production.

The researchers who discovered the vulnerabilities say attacks based on these flaws are extremely hard to detect, especially the JavaScript browser exploit.

Depending on the application you use, such as a web browser, there may be application-level patches. Addressing these vulnerabilities will require that you pay attention to the OS and application stack until the CPUs are redesigned and replaced.

The researchers who discovered the vulnerabilities say attacks based on these flaws are extremely hard to detect, especially the JavaScript browser exploit. Because most exploits require that you run code on the endpoint, logging executables can enable you to detect suspicious processes.

Detecting malicious JavaScript can be done using endpoint security tools and several antimalware programs. It may be possible to monitor CPU utilization or hardware performance to identify spikes in activity that can be investigated, but that could result in a significant number of false positives. There are tools that can be used on Linux -- which could be ported to Windows -- for enterprises concerned about targeted attacks using these vulnerabilities.

The Meltdown and Spectre vulnerabilities affect traditional desktop and laptop systems. These systems, along with IoT systems, embedded systems, supervisory control and data acquisition systems, and industrial control systems, will need to be patched, but the latter may be more difficult to secure.

Conclusion

There is no questioning the impact that the Meltdown and Spectre vulnerabilities have on cloud systems and shared hosting environments, and both required careful coordination with immediate action. Endpoints are vulnerable, and may be as difficult to patch as servers; however, the impact of a privilege escalation vulnerability is limited to a specific endpoint, which may lessen the impact.

Because these vulnerabilities are present in many different architectures, it will take additional analysis and time for the vulnerabilities to be fully explored by researchers and addressed by manufacturers.

Researchers may continue to find new variants that require updated patches when CPU designs are updated and rolled into service. As a result, hardware vendors will continue to update their responses and mitigation steps.