Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

AMD, Arm also affected by data-leak design blunders, Chipzilla hit hardest

Chris Williams, Editor in Chief Thu 4 Jan 2018 // 07:29 UTC

Summary The severe design flaw in Intel microprocessors that allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.

On Tuesday, we warned that a blueprint blunder in Intel's CPUs could allow applications, malware, and JavaScript running in web browsers, to obtain information they should not be allowed to access: the contents of the operating system kernel's private memory areas. These zones often contain files cached from disk, a view onto the machine's entire physical memory, and other secrets. This should be invisible to normal programs.

Thanks to Intel's cockup – now codenamed Meltdown – that data is potentially accessible, meaning bad websites and malware can attempt to rifle through the computer's memory looking for credentials, RNG seeds, personal information, and more.

Here's a video demonstrating a Meltdown attack:

On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine's physical memory and steal data from other customers' virtual machines. See below for details on Xen and VMware hypervisor updates.

Intel is not the only one affected. Arm and AMD processors are as well – to varying degrees. AMD insisted there is a "near-zero" risk its chips can be attacked in some scenarios, but its CPUs are vulnerable in others. The chip designer has put up a basic page that attempts to play down the impact of the bugs on its hardware.

Arm has produced a list of its affected cores, which are typically found in smartphones, tablets and similar handheld gadgets. That list also links to workaround patches for Linux-based systems. Nothing useful from Intel so far.

This is, essentially, a mega-gaffe by the semiconductor industry. As they souped up their CPUs to race them against each other, they left behind one thing in the dust. Security.

We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

READ MORE

One way rival processors differentiate themselves, and perform faster than their competitors, is to rely on speculative execution. In order to keep their internal pipelines primed with computer code to obey, they do their best to guess which instructions will be executed next, fetch those from memory, and carry them out. If the CPU guesses wrong, it has to undo the speculatively executed code, and run the actual stuff required.

Unfortunately, the chips in our desktop PCs, laptops, phones, fondleslabs, and backend servers do not completely walk back every step taken when they realize they've gone down the wrong path of code. That means remnants of data they shouldn't have been allowed to fetch remain in their temporary caches, and can be accessed later.

The trick is to line up instructions in a normal user process that cause the processor to speculatively fetch data from protected kernel memory before performing any security checks. The crucial Meltdown-exploiting x86-64 code can be as simple as...

; rcx = kernel address
; rbx = probe array
retry:
  mov al, byte [rcx]
  shl rax, 0xc
  jz retry
  mov rbx, qword [rbx + rax]

Trying to fetch a byte from the kernel address as a user process triggers an exception – but the subsequent instructions have already been speculatively executed out of order, and touch a cache line based on the content of that fetched byte.

An exception is raised, and handled non-fatally elsewhere, while the out-of-order instructions have already acted on the content of the byte. Doing some Flush+Reload magic on the cache reveals which cache line was touched and thus the content of the kernel memory byte. Repeat this over and over, and eventually you dump the contents of kernel memory.

On Wednesday, following research by a sizable collection of boffins, details of three closely related vulnerabilities involving the abuse of speculative execution in modern CPUs were made public:

  • CVE-2017-5753: Known as Variant 1, a bounds check bypass
  • CVE-2017-5715: Known as Variant 2, branch target injection
  • CVE-2017-5754: Known as Variant 3, rogue data cache load

These have been helpfully grouped into two logo'd and branded vulnerabilities: Meltdown (Variant 3), and Spectre (Variants 1 and 2). Both links go to a website with the full technical papers detailing the attacks if you want to see in gory detail how they work.

There is also a Google Project Zero blog post going over the finer points. Finally, here's some proof-of-concept exploit code that runs on Windows.

Here's a summary of the two branded bugs:

  • Meltdown
    • This is the big bug reported on Tuesday.
    • It can be exploited by normal programs to read the contents of private kernel memory.
    • It affects potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms. It definitely affects out-of-order x86-64 Intel CPUs since 2011. There are workaround patches to kill off this vulnerability available now for Windows, and for Linux. Apple's operating systems have also been patched. Installing and enabling the latest updates for your OS should bring in the fixes. You should go for it. If you're a Windows Insider user, you're likely already patched. Windows Server admins must enable the kernel-user space splitting feature once it is installed; it's not on by default.
    • Amazon has updated its AWS Linux guest kernels to protect customers against Meltdown. Google recommends its cloud users apply necessary patches and reboot their virtual machines. Microsoft is deploying fixes to Azure. If you're using a public cloud provider, check them out for security updates.
    • The workarounds move the operating system kernel into a separate virtual memory space. On Linux, this is known as Kernel Page Table Isolation, or KPTI, and it can be enabled or disabled during boot up. You may experience a performance hit, depending on your processor model and the type of software you are running. If you are a casual desktop user or gamer, you shouldn't really notice. If you are hitting storage, slamming the network, or just making a lot of rapid-fire kernel system calls, you will notice a slowdown. Your mileage may vary.
    • It also affects Arm Cortex-A75 cores, which aren't available yet. Qualcomm's upcoming Snapdragon 845 is an example part that uses the A75. There are Linux kernel KPTI patches available to mitigate this. The performance hit isn't known, but expected to be minimal.
    • Additionally, Cortex-A15, Cortex-A57 and Cortex-A72 cores suffer from a variant of Meltdown: protected system registers can be accessed, rather than kernel memory, by user processes. Arm has a detailed white paper and product table, here, describing all its vulnerable cores, the risks, and mitigations.
    • Meltdown does not affect any AMD processors.
    • Googlers confirmed an Intel Haswell Xeon CPU would allow a normal user program to read kernel memory.
    • It was discovered and reported by three independent teams: Jann Horn (Google Project Zero); Werner Haas, Thomas Prescher (Cyberus Technology); and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology).
  • Spectre
    • Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Alternatively, it can be used by code to extract information from its own process. Imagine malicious JavaScript in a webpage churning away using Spectre bugs to extract login cookies for other sites from the browser's memory.
    • It is a very messy vulnerability that is hard to patch, but is also tricky to exploit. It's hard to patch because just installing the aforementioned KPTI features is pointless on most platforms – you must recompile your software with countermeasures to avoid it being attacked by other programs, or wait for a chipset microcode upgrade. There are no solid Spectre fixes available yet for Intel and AMD parts.
    • In terms of Intel, Googlers have found that Haswell Xeon CPUs allow user processes to access arbitrary memory; the proof-of-concept worked just within one process, though. More importantly, the Haswell Xeon also allowed a user-mode program to read kernel memory within a 4GB range on a standard Linux install.
    • This is where it gets really icky. It is possible for an administrative user within a guest virtual machine on KVM to read the host server's kernel memory in certain conditions. According to Google:

      When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.

    • AMD insists its processors are practically immune to Variant 2 Spectre attacks, which siphon data from the kernel. As for Variant 1, you'll have to wait for microcode updates or recompile your software with forthcoming countermeasures described in the technical paper on the Spectre website.
    • The researchers say AMD's Ryzen family is affected by Spectre. Googlers have confirmed AMD FX and AMD Pro cores can allow arbitrary data to be obtained by a user process; the proof-of-concept worked just within one process, though. An AMD Pro running Linux in a non-default configuration – the BPF JIT is enabled – also lets a normal user process read from 4GB of kernel virtual memory.
    • For Arm, Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 cores are affected by Spectre. Bear in mind Cortex-R series cores are for very specific and tightly controlled embedded environments, and are super unlikely to run untrusted code. To patch for Arm, apply the aforementioned KPTI fixes to your kernel, and/or recompile your code with new defenses described in the above-linked white paper.
    • Googlers were able to test that an Arm Cortex-A57 was able to be exploited to read arbitrary data from memory via cache sniffing; the proof-of-concept worked just within one process, though. Google is confident ARM-powered Android devices running the latest security updates are protected due to measures to thwart exploitation attempts – specifically, access to high-precision timers needed in attacks is restricted. Further security patches, mitigations and updates for Google's products – including Chrome and ChromeOS – are listed here.
    • Discovered and reported by these separate teams: Jann Horn (Google Project Zero); and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).

We're told Intel, AMD and Arm were warned of these security holes back in June last year. Our advice is to sit tight, install OS and firmware security updates as soon as you can, don't run untrusted code, and consider turning on site isolation in Chrome to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process (Firefox has its own mitigations.)

If you are using the Xen hypervisor, you should grab security patches when they become available. Intel and AMD processors are affected, and they're still checking whether Arm is.

"Xen guests may be able to infer the contents of arbitrary host memory, including memory assigned to other guests," due to these processor security holes, according to the hypervisor project team. If you've experienced a mass reboot – or are scheduled for one – by your public cloud provider, this may be why.

Meanwhile, VMware's ESXi, Workstation and Fusion hypervisors need patching to counteract the underlying hardware design flaws.

Finally, if you are of the opinion that us media types are being hysterical about this design blunder, check this out: CERT recommends throwing away your CPU and buying an non-vulnerable one to truly fix the issue. ®

Updated to add

CERT has downgraded its advice from "replace CPU" to "apply updates."

252 Comments

Scientists stumped by strange X-rays from Uranus

UCL astronomer tells us: 'We were surprised by our discovery'
Katyanna Quach Fri 2 Apr 2021 // 06:01 UTC

Astronomers have detected X-rays emanating from Uranus for the first time, according to the latest observations made using NASA’s Chandra X-ray Observatory.

It may not seem so surprising at first since Jupiter, Saturn, and Neptune have been found to scatter X-rays from the Sun. But the data suggests that there is an additional source of unknown radiation being generated by Uranus itself.

“Planets with lots of hydrogen in their atmosphere scatter X-rays in the same way that we think Uranus is [doing],” Affelia Wibisono, co-author of the Uranus X-ray study published in the Journal of Geophysical Research: Space Physics, and a PhD student at University College London, explained to The Register.

Continue reading

Indian business tech spending dips in 2020’s final quarter, lockdown workers helped boost router sales

Good times for NVMe-based flash arrays and Cisco
Laura Dobberstein Fri 2 Apr 2021 // 00:56 UTC

India’s overall network and storage market both showed declines in the final quarter of 2020 due to lingering work and school from home measures and banking organizations spending less on storage.

India’s overall networking market declined 4.2 per cent year-on-year in Q4 2020 while the external storage market declined 15.6 per cent by vendor revenue, said IDC in quarterly trackers released this week.

When it came to the networking market, COVID slowed down campus investments in enterprise WLAN (-26.3 per cent) while the expanded work-and-learn from home market for consumer gateway routers soared a whopping 57.8 per cent.

Continue reading

If you can't log into Azure, Teams or Xbox Live right now: Microsoft cloud services in worldwide outage

It's not DNS. There's no way it can be DNS... It was DNS
Team Register Thu 1 Apr 2021 // 22:58 UTC

Updated Unlucky netizens are right now unable to log into Microsoft's online services, including Azure, Teams, Dynamics, and Xbox Live, due to an ongoing global outage.

The IT breakdown is blamed on a DNS issue, and started an hour and a half ago at time of writing. According to the Windows giant's status page:

Continue reading

In a devastating blow to all eight of you, Microsoft pulls the plug on Cortana's Android, iOS apps

Chatty digital assistant can still be found on Outlook, Teams, Windows
Katyanna Quach Thu 1 Apr 2021 // 22:22 UTC

It's the end of the line for the Android and iOS incarnations of Microsoft's AI assistant Cortana.

“After March 31, 2021, the Cortana mobile app on your phone will no longer be supported,” the Windows giant warned on Wednesday.

"The Cortana content you created – such as reminders and lists – will no longer function in the Cortana mobile app, but can still be accessed through Cortana in Windows. Also, Cortana reminders, lists, and tasks are automatically synced to the Microsoft To Do app, which you can download to your phone for free."

Continue reading

Turns out humans are leading AI systems astray because we can't agree on labeling

Is it a bird? Is it a plane? Asking for a friend's machine-learning code
Katyanna Quach Thu 1 Apr 2021 // 21:04 UTC

Top datasets used to train AI models and benchmark how the technology has progressed over time are riddled with labeling errors, a study shows.

Data is a vital resource in teaching machines how to complete specific tasks, whether that's identifying different species of plants or automatically generating captions. Most neural networks are spoon-fed lots and lots of annotated samples before they can learn common patterns in data.

But these labels aren’t always correct; training machines using error-prone datasets can decrease their performance or accuracy. In the aforementioned study, led by MIT, analysts combed through ten popular datasets that have been cited more than 100,000 times in academic papers and found that on average 3.4 per cent of the samples are wrongly labelled.

Continue reading

FCC acting commissioner proposes dedicated spectrum for private space launches

'The regulatory frameworks we rely on to support these efforts are dated'
Matthew Hughes Thu 1 Apr 2021 // 19:58 UTC

FCC acting commissh Jessica Rosenworcel has proposed giving the US commercial space industry a dedicated block of spectrum in order to support future rocket launches.

The measure would allow a secondary allocation to the 2200-2290-MHZ band to be used by private space travel and satellite companies during the pre-launch testing and launch phases. At present, this wavelength is only available to federal agencies and approved foreign partners [PDF] and is limited to a handful of specific use-cases: tracking, telemetry, and control data communications.

Although private operators can access dedicated spectrum, this is only available on an ad-hoc basis, with independent commercial space firms forced to apply for Special Temporary Authority (STA) in advance.

Continue reading

Micron chief warns 'severe shortage' of DRAM expected to continue this year

And drought in Taiwan threatens supply. Good news for firm's wallet, not so much for chip buyers
Matthew Hughes Thu 1 Apr 2021 // 19:05 UTC

Micron CEO Sanjay Mehrotra has warned about a "severe shortage" of supply in the DRAM memory market, with the situation expected to worsen as the year progresses.

Speaking at an earnings conference call talking investors through the company's Q2 results, Mehrotra said: "As a result of the strong demand and limited supply, the DRAM market is currently facing a severe undersupply, which is causing DRAM prices to increase rapidly. We see the DRAM market tightening further through the year."

Micron's chief financial officer, David Zisner, added: "While demand is strong across both the DRAM and NAND markets, our supply is now constrained as our inventories are very lean, particularly in DRAM."

Continue reading

It's been a long time coming but AWS has at last enabled an interactive serial console for de-borking VMs

Handy in an emergency, but only for Nitro instances and requires work in advance
Tim Anderson Thu 1 Apr 2021 // 18:05 UTC

AWS has introduced the "interactive EC2 Serial Console", enabling troubleshooting of virtual machines when normal SSH access is not working, with one user gushing: "I have been waiting 10 years for this moment."

The purpose of serial console access is to enable troubleshooting when an SSH connection is impossible, for example, because of an out-of-memory condition. "It provides a one-click, text-based access to an instances' serial port as though a monitor and keyboard were attached to it," said the AWS post. Previously, admins could see serial console logs, using the command get-console-output, but not enter any commands.

Back in January 2011, a user reported on the AWS forum (login required) about a case where the console output was "Continue to wait; or Press S to skip mounting or M for manual recovery."

Continue reading

Dutch watchdog fines Booking.com €475k after it kept customer data thefts quiet for more than 3 weeks

Thousands of people's personal information purloined after UAE hotels compromised
Jude Karabus Thu 1 Apr 2021 // 16:12 UTC

The Netherlands Data Protection Authority has fined Booking.com €475,000 for notifying it too late that criminals had accessed the data of 4,109 people who booked a hotel room via the website.

The Autoriteit Persoonsgegevens (AP) said criminals managed to extract the login credentials to their Booking.com accounts from employees of 40 hotels in the United Arab Emirates using social engineering techniques.

They then gained access to data including users' names, addresses, telephone numbers, and details about their booking. It added (translated from the Dutch):

Continue reading

Microsoft welcomes 'raddest' and most 'feature-dense' Kubernetes release to AKS, shows 1.17 the door

Mere months to go before 1.21 arrives
Richard Speed Thu 1 Apr 2021 // 15:18 UTC

Kubernetes 1.20 has finally put in an appearance on Microsoft's Azure Kubernetes Service (AKS), just squeaking into March and a good few months since the upstream release.

The release also means the end of life for 1.17, which went to GA in AKS in July 2020 after its upstream release in December 2019.

The support for each version by the Kubernetes community was recently upped from nine to 12 months. As far as Microsoft is concerned, AKS supports the latest GA minor version along with two previous latest minor versions.

Continue reading

While truly self-driving cars are surely just around the corner, for now here's an AI early-warning system for your semi-autonomous ride

Hey, we heard you like machine learning. So we put a machine-learning system in your machine-learning system
Katyanna Quach Thu 1 Apr 2021 // 14:21 UTC

Self-driving cars could be equipped with a trained early-warning system that alerts the person behind the wheel whenever it realizes it's entering a situation where a human driver has had to take over before.

Today's systems, like Tesla’s inappropriately named Autopilot with “full self-driving capability," rely on software to identify objects and structures in real-time to perform specific driving functions, such as changing lanes or stopping at traffic lights.

It's not a completely autonomous affair, though: drivers have to take control of the car when the software is unable to deal with a situation developing around it. This breakdown in ability is typically because the code controlling the vehicle encounters a scenario it is unfamiliar with or finds confusing. The faster things go south, the faster the human has to react and take over.

Continue reading

Biting the hand that feeds IT © 1998–2021

Cookies Privacy Ts&Cs