How to protect against the Meltdown and Spectre vulnerabilities
Meltdown and Spectre are two different (but related) vulnerabilities found in almost all modern processors, affecting mobile devices, desktop and laptops, and servers. They are the result of hardware architectures that allow user-space programs to read in-memory data that they wouldn’t normally be allowed to read. For instance, one user’s application could potentially access passwords or encryption keys from another running process.
For more discussion on Spectre and Meltdown, click on the link below to hear Gene Geddes and Ian Evans on this episode of WWT's TEC17 podcast series.
The vulnerabilities affect desktops and laptops, tablets, mobile phones, servers and cloud server instances — pretty much everything. Of particular concern are multi-tenant or shared environments such as public/private clouds where sensitive user/company/state data could potentially be accessed by bad actors.
Initially, researchers believed the only solution would be to physically replace all affected processors – an impractical solution in the short term. Instead, researchers, processor manufacturers, and leading industry software vendors agreed that operating system and application code would be patched to provide near term protection against exploits.
How do they affect me?
The not so bad news:
- There are no known exploits in the wild at the time of this writing. While the vulnerabilities are based on an old set of design decisions, it doesn’t appear any bad actors have been exploiting the issue.
- The attacks are read-only and do not allow exploits to directly modify the contents of memory.
- The whole industry has been working on this for a while, with patches either on their way or already out.
- Both attacks are highly complex and difficult to make work in a real-world environment. They are reading from a rapidly changing portion of memory, so for most data center systems, there will be an enormous amount of noise in the data.
The really bad news:
- Everything is going to have to be patched, and there are different patches for Meltdown and Spectre with differing levels of complexity.
- The plan was to announce the issues publicly on 1/9/2018 with coordinated patch releases across the major industry players, but news of the vulnerabilities leaked early, leading to confusion and a perceived delay in patch releases.
- Given the nature of the patches, there is potential for degradation of application performance after applying the patches. The severity of this degradation is dependent upon the make/model of processor (especially in regards to PCID availability), the specifics of the OS or application patches, and the type of workload in question. Performance degradation could range from 5 to 40 percent.
Meltdown and Spectre – similar, but not the same
As mentioned above, Meltdown and Spectre are related side-channel vulnerabilities but differ greatly in their scope and impact. It is important to understand their operational similarities and differences.
- Affects most Intel processors released since 1995. Some ARM processors are affected. AMD processors do not appear to be affected at this time
- Meltdown can be patched by vendor-provided operating system patches.
- Leaks kernel and user memory
- Affects almost all modern processors, including GPUs, are affected
- There is no simple patch for Spectre as it results from a core computational architecture design issue. Patching Spectre in the long term may require a core redesign of existing computational architectures. In the short term, it will require the combined patching of the following: CPU microcode, OS kernels, drivers, libraries, compilers, and applications.
- Leaks only user memory (not kernel memory)
ARM: Security Update
Android: Security Bulletin
Apple: Apple Support
Lenovo: Security Advisory
Huawei: Security Notice
Synology: Security Advisory
Cisco: Security Advisory
Mozilla: Security Blog
Debian: Security Tracker
Ubuntu: Knowledge Base
SUSE: Vulnerability Response
Fedora: Kernel update
CERT: Vulnerability Note
This section has been updated to reflect our most recent findings. (2/16/18)
Microsoft has been very active in releasing several patches for Spectre over the past two weeks and has also released a number of free tools and monitoring options. For more on this, check out: https://blogs.windows.com/business/2018/02/13/windows-analytics-now-helps-assess-meltdown-and-spectre-protections/
One of the more interesting approaches to fighting Spectre is an effort by Microsoft to address variant #1 (bounds checking) by having its C++ compiler insert a special instruction in front of any code segment that accesses an array to prevent invalid access during speculative execution. Check out this excellent summary in Ars Techica. Unfortunately, Paul Kocher, one of the original discoverers of the Spectre vulnerability, has already tested the fix and believes it falls short of adequately blocking most Spectre-based attacks. Nevertheless, this effort is a great example of the sort of innovative research happening now that will be needed to counter Meltdown and Spectre in the long term.
Many cyber security OEMs also continue to offer their help in this battle, just two examples being Qualys and Palo Alto with new firewall signatures to detect attacks based on publicly available research code.
How can WWT help?
There are two areas of risk most organizations have regarding Meltdown and Spectre: the security risk itself, and the operational risks of patching and post-patch affects.
WWT is focusing on both and is here to help enterprise organizations make the best of a bad situation.
- Our security team is actively researching the vulnerabilities to better understand scope and scale. Some of our engineers/architects/analysts have deep knowledge of similar side-channel attacks, so we have the right people in place to assist. We plan to share any additional insight/updates via WWT Blog posts.
- Our Advanced Technology Center (ATC) and global engineering teams are building out test environments in the WWT ATC to perform before and after performance testing for common scenarios and workloads. From this we hope to be able to provide real-world baseline performance guidance that organizations can leverage to make better decisions about which systems to patch, performance expectations after patching, and how to quickly and efficiently resolve compute capacity shortages post-patch.
- For vendors and enterprise organizations that have specific applications or system builds they need to test, WWT’s ATC is an ideal place to get this done quickly and safely. Vulnerability testing, patch testing, patch procedure testing, and performance testing can all be achieved in the ATC.