Boffins split on whether Spectre fix needs tweaked hardware

It's not like a recall is possible, says chip security expert

Analysis Processor security experts – including one cited in the Meltdown paper – are split on whether the resolution of the Spectre vulnerability may need to involve hardware modifications or the software defences being rolled out are adequate.

The Meltdown vulnerability, which by contrast is already comprehensively defended against, could become the focus of malware attacking the operations of processors on unpatched systems, experts warn.

"The theory behind Spectre and Meltdown is hard to understand," according to Anders Fogh, a security researcher at G-Data and expert in processor security. "If it was used in the past it was only in advanced attacks. Now that research has been released, Meltdown is likely to be abused by commodity malware relatively quickly."

Meltdown – like Spectre – is an information disclosure flaw that isn't by itself suited to remote code execution, so the concern is that it might be combined as part of other attacks and used to lift secrets such as passwords and cryptographic credentials from unpatched systems.

Meltdown is easy to exploit but relatively easy to patch. Spectre is tougher in both respects. Daniel Genkin, a postdoctoral researcher at the University of Pennsylvania and the University of Maryland, previously told El Reg that a lasting fix against Spectre would require a hardware redesign.

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years


Fogh disputed this during a phone interview with El Reg, adding that mitigations already in place are increasing the difficulty of mounting an attack. "A processor recall is not possible anyway," he said. "The next step is getting customers to adopt patches."

Werner Haas, CTO at Cyberus Technology and a member of one of the three teams that independently discovered and reported Meltdown, told El Reg that achieving comprehensive protection against Spectre is far from straightforward and likely to involve an "ongoing process" involving a combination of software fixes and hardware modifications.

"The [Spectre] attack scenario is not as simple as user code reading kernel data, as it is conceivable to have cross-application attacks without OS involvement," Haas said. "On the other hand, branch prediction or speculation is such an integral part of high-performance CPUs that I lack the fantasy for a straightforward micro-architectural fix.

"So a generic solution as with Meltdown (either fix protection information processing in the pipeline, or change virtual memory handling in the OS) seems unlikely. As a consequence, I expect combined hardware/software mitigations with the caveat that plugging Spectre holes might become an ongoing process."

Defending against Spectre will involve trade-offs beyond the already widely reported processor performance hits, Haas added.

"I suspect we will see a compromise between legacy software support, energy efficiency goals, and security requirements. The three new capabilities (= MSRs) announced by Intel smell like testability features that help address some of the issues immediately. As such they are probably not ideally suited to counter Spectre attacks. Longer term, I wish there was a broader discussion on what kind of Branch Prediction Unit control would be useful."

Haas laments that security in processor design was not baked in from the beginning – expressing nostalgia for the days of RISC processor development.

"Generally speaking, I am a bit worried that security has been an afterthought with current designs. It might be top priority now but originally, security was more like nice-to-have. I dream (and made suggestions) of an architecture with security in its genes and thus closely follow the RISC-V development."

Chip vendor response scorecard

Anders Fogh was among the first to probe the security issues involved in speculative execution by modern processors and is an expert in the area even though he didn't directly contribute to either the Meltdown or Spectre research papers. He praised the response by vendors as "heroic".

"The response has been amazing both in terms of handling the complexity of the disclosure process and in getting patches out in time," Fogh told El Reg.

Vendor security staff as well as researchers deserve to be considered "heroes" who worked over many months since last June, skipping holidays in the process, to get mitigations out early in the new year. Many are now "all too understandably tired", Fogh reports.

Haas said the disclosure process had been less than ideal but praised Intel and ARM's overall response.

"Complaints about keeping the issues secret for too long do not take into account that the Meltdown patches were finalised only recently so we would have had tons of computers without protection for an extended period of time.

"I disapprove the secrecy with respect to implementation details, though. I know that there are trade secrets involved but on the other hand, at Cyberus Technology, we are forced to spend considerable resources on reverse engineering where we would prefer focusing on the solution space. There has to be a way to work jointly together instead of the one-way flow of information we experienced in our interaction with Intel."

Intel, Microsoft confess: Meltdown, Spectre may slow your servers


Haas is far more critical of AMD's handling of the problem.

"AMD's reaction has been a complete disappointment. I still have not figured out whether I should feel insulted by their claim about 'a highly knowledgeable team with detailed, non-public information about the processors targeted'.

"Well, of course we feel flattered by the first part, but I strongly reject the notion that we at Cyberus used any kind of internal details from our previous jobs at Intel! And calling 'Information Security is a Priority' while discounting the research findings three sentences later does not quite match in my eyes."

The Cyberus team's Meltdown discovery started as a hobby project at the security startup. Haas predicts Meltdown may inspire others to look for processor security flaws while noting that this work was already under way before the Meltdown/Spectre revelations.

"I would argue that it does not require Meltdown to motivate looking into low-level attacks," Haas said. "Just look at recent attacks against Intel's Management Engine or AMD's Platform Security Processor. But I do expect additional interest in exploring the corners of x86 execution. Successful research, however, likely requires more insight into the inner workings of a CPU than many security people have." ®

Similar topics

Broader topics

Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022