Analysis of techniques for Meltdown and Spectre Vulnerabilities

By 0
144
Analysis of techniques for Meltdown and Spectre Vulnerabilities

The Google Project Zero security team disclosed the vulnerability for the CPU speculative execution which was discovered on January 3. The impact was mainly over Intel products and small impact was over AMD products (according to the official news). The affected OSs include Windows, Linux, macOS, Android , etc. The affected Cloud Service includes Amazon AWS, Microsoft Azure, Google Cloud, Tencent Cloud, Alibaba Cloud and other private cloud environments such as VMWare, etc. which all need to be checked for security.

Final solution: US-CERT had provided the most reliable answer: CPU replacement may be the optimal solution, but during the current stage it is very difficult for the government or enterprises to replace CPUs in large quantity. Replacement of CPUs did not solve the problem and this may involve consolidated replacement of motherboards and memories, which will incur huge expenditures. It can be trusted that the CPU manufacturer, OS provider, cloud vendor and browser software developer would fix the problem with full efforts. Currently, the meltdown vulnerability can be solved by patching and the efficiency can be reduced by a small extent to achieve the defense that is supposed to be achieved. However, temporarily there is no solution for the Spectre vulnerability. Nevertheless, the difficulty in the intrusion is high and stealing by intrusion via JavaScript is uneasy.

Meltdown: CVE numbers are CVE-2017-5753 and CVE-2017-5715. Spectre: CVE number is CVE-2017-5754. These two attacks allowed the program to access memories and sensitive information (such as account numbers and passwords) in various applications and OSs would be eavesdropped. Meltdown accesses memories at the high right user or system administrator level by leveraging the application that a user with a low right can access to cause data breach or theft.

In the meltdown attack, information contents originally encrypted or protected are extracted by means of plaintext in the Dump manner. In terms of defense, it is impossible to disable the browser or shut down the operating system. Therefore, recent revision was focused on the revision of OS and browser. Technically, each Intel processor which can implement out-of-order execution was affected, which means that processors after 1995, excluding the Itanium and Atom series, were affected.

The Spectre attack destructed the isolation among different applications. The risk lied in speculative execution and the CPU treated speculative execution as useful data and executed the same. Such eavesdropping technique cannot be executed until it is in the pre-prepared state. Simply speaking, the Intel CPU was not very secure and it did not use process and access core memories with low right in a split manner, which means that the attacker could obtain isolated sensitive data via a malicious application.

Taking Google Chrome as an example, parameters under some Flags were disabled or Google Chrome was upgraded to the latest version. Both Chrome and Firefox were revised. Data security technicians already published relevant POC programs (relevant POC programs were currently run via Apple Mac and may be revised onto the Windows platform and should be re-verified. Website address: https://github.com/gkaindl/meltdown-poc). The POC program leveraging the vulnerability should be checked. The memory Dump mainly affecting the meltdown should be verified. Additionally, the eavesdropping technique leveraging meltdown was also disclosed. Researchers already conducted sufficient analysis and you can refer to (https://meltdownattack.com/).

I paid attention to the cloud service which is most commonly used virtualization technique by the government and civil entities as another high risk breach point. The KVM Guest OS established by using the account of VM administrator is executed with the highest right and it can read the core memory of the main system at a speed of 1500Bps. It can be predicted that the malicious program on the website or APT malicious program can have an opportunity to leverage this vulnerability. From a point of view of technical extension, actually there is an opportunity to apply many IDE reverse engineering techniques and this is worth being concerned. This may be treated as that someone leverages the program on the CPU core to find the method for the analysis of the information rather than treating this as a vulnerability. The problem cannot be solved until he CPU manufacturer complexly revised the underlying layer.

Leave a reply

Your email address will not be published. Required fields are marked *

Your Name:*

Your Website

Your Comment