Spectre and Meltdown Create a Deep Threat

March 9th, 2018

By Lynnette Reese, Editor-in-Chief, Embedded Systems Engineering

What you need to know about the security flaws Spectre and Meltdown. Neither Spectre nor Meltdown is a virus; each is a technique that exploits speculative execution as a vulnerability in the way hardware works with an OS. Although only recently uncovered, both have existed for years.

Since at least 2010, commercial CPU architectures have used predictive actions to speed up processor pipelines. Speculative execution is just one more technique used to improve processor performance. There is still a need for speed, and the door is closing on Moore’s Law: improvements in performance, cost, and power efficiency aren’t coming as quickly as chip designers butt up against the laws of physics. Speculative, or out-of-order, execution reduces latency by operating on more than one instruction at a time, sometimes in a different order than the one in which the instructions entered the processor pipeline.

Figure 1: Simplified drawing of a single core of Intel’s Skylake microarchitecture. Instructions are converted to microoperations (µOps) and executed out of order by individual execution units within the execution engine of the core. (Source: Lipp, Moritz, et al. “Meltdown.”)

Out-of-order execution can happen when a processor reaches for the next instruction while waiting for data to be fetched from memory for the current instruction. The processor might face a decision that depends on the as-yet-unknown value of the data being fetched, yet begin to work on one or more potential outcomes in anticipation of the branch being taken. If the processor finds that it went down the wrong path, it discards those calculations and begins work on the correct branch or path. However, the processor often guesses correctly and has already completed work on the anticipated outcome, saving time. This predictive behavior has been in use for roughly two decades and has recently come to light as an open door to circumvent security, with a large number of servers, personal computers, smartphones, tablets, and nearly every modern processor vulnerable to malware that exploits these speculative tactics. Worse yet, cloud servers are a growing service for big data and IoT and are designed to run other people’s software. Given the growing number of multi-party entanglements, engineers have been working on patches for major operating systems (OSes), web browsers, and processor (hardware) microcode updates. Microcode is as close to the silicon as you can get with a downloadable patch, and some refer to it as firmware.

Two identified security flaws exploit speculative execution, and researchers have named them Spectre and Meltdown. Neither is a virus or a piece of malware; rather, they are techniques that expose vulnerabilities in the way the hardware works with the OS. Both have existed for years and were recently uncovered, yet kept secret and discussed on a need-to-know basis amongst major hardware, cloud, and software companies since around mid-2017 as engineers scrambled to create a fix from several different angles. Apple, Intel, AMD, Arm, Microsoft, Google, Qualcomm, Amazon, and Linux kernel engineers knew and were preparing patches until early January, when open source communications, being open source, couldn’t help but hint that something was up when a mysterious patch was introduced. People figured it out, and the news was released about a week before intended. No one had yet identified malware that actually used the security flaws, so keeping quiet about the vulnerability was one means of protecting the world against it. However, since neither flaw would show up in a computer’s security log, no one knows whether either has been used against a real-world target yet. Both flaws are OS-agnostic. The Meltdown attack circumvents a central tenet of security: protection through isolation. A kernel is the core of an OS and is supposed to work in isolation from user memory, or “userspace,” which is where programs and applications operate. Meltdown allows any process running in userspace to access all of a kernel’s privileged memory. Spectre uses similar mechanisms but abuses user programs.

Figure 2: The Spectre logo as portrayed on the https://meltdownattack.com site. (image credit: By Natascha Eibl (https://meltdownattack.com/) [CC0], via Wikimedia Commons)

How Speculative Execution Works
The speculative execution technique is exploited through “cache timing side-channels.” Cache memory is involved, and exploiting speculative execution also involves timing accesses to that cache. “Side-channel” is the term for information leaked through a by-product of processing, in this case speculative processing. Processor speculation was introduced and became established before security was considered necessary at the bedrock physical layer, or at the silicon level. Hardware has always been considered less vulnerable than software, but as technology has become more complex, the lines have begun to blur between hardware and software. A white paper published by Arm, Cache Speculation Side-channels, details the background of speculative execution and discusses the susceptibility of Arm processors. According to Arm, by timing how long it takes for the processor to access the cache, malware could determine the addresses that have been allocated into the cache. Malware could run on the processor and issue requests that hitchhike on speculative execution. Advanced processors will speculate at least two steps ahead into a branch or decision, and this is where the breakdown occurs, since it is the second speculation activity that reveals information based upon the first speculation. Since speculation techniques use cache memory to infer at least part of the data results, the malware can eventually recover the entire memory that the system kernel can access. Accessing cache memory takes time, and by analyzing the timing of cache accesses in conjunction with information gathered by the first speculative read, Meltdown- or Spectre-based malware can gather information about the data inside the memory accessed by speculative reads.[i] Google Project Zero first identified the flaws, citing three variants. Variant 1 is a Spectre flaw that uses “bounds check bypass.” Variant 2 is also a Spectre flaw that uses “branch target injection.” Variant 3 is a Meltdown flaw that uses “rogue data cache load.”[ii]

Figure 3: The Meltdown logo as portrayed on the https://meltdownattack.com site. (image credit: By Natascha Eibl (https://meltdownattack.com/) [CC0], via Wikimedia Commons)

Both Spectre and Meltdown use side channels to steal data from privileged memory locations. The difference between them is that Meltdown does it by breaking the isolation between the OS kernel and userspace. As a consequence, software running in userspace has access to system memory that it would not have without exploiting the long-existent but newly found security flaw.[iii] Malware exploiting the Spectre flaw would induce “victim” software to perform speculative operations that it would not do during normal program execution. The result is that the victim’s confidential information could be leaked using a side channel.[iv] Sadly, technologists like Simon Segars, CEO of Arm, know that this is not going to be the last security flaw springing from how hardware works with software at such a deep level. As Segars stated at the Consumer Electronics Show, “The reality is there are probably other things out there like it that have been deemed safe for years.” Rapid growth in technology delivers more complexity as we build upon yesterday’s innovations, yet it makes life richer and more productive. However, we are our own worst enemy, as those who benefit from technology also exploit it for personal gain at the expense of everyone else. The best anyone can do is make sure that OS and browser updates are allowed to take effect as soon as they are available.
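The “bounds check bypass” that Variant 1 relies on, and the index-masking mitigation that compilers and the Linux kernel adopted for it, as an added example written for this article rather than code from the article or from the papers it cites. The array names, sizes and contents are constructed; the mask arithmetic mirrors the kernel’s generic array_index_mask_nospec, which is an assumption about that helper rather than a copy of it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the article): a small array that a caller
 * may index by a value it controls, and a larger probe array with one
 * 512-byte "cache line" slot per possible byte value, as in the published
 * Variant 1 description. */
#define ARRAY1_SIZE 16
#define LINE_STRIDE 512
static uint8_t array1[ARRAY1_SIZE] = { 10, 20, 30, 40, 50, 60, 70, 80,
                                       90, 100, 110, 120, 130, 140, 150, 160 };
static uint8_t array2[256 * LINE_STRIDE];

/* Fill the probe array so that a lookup returns the byte that selected it. */
void init_probe_array(void)
{
    for (int v = 0; v < 256; v++)
        array2[v * LINE_STRIDE] = (uint8_t)v;
}

/* Vulnerable pattern (Variant 1, bounds check bypass). The bounds check is
 * architecturally correct: an out-of-range x returns 0. But while the compare
 * is still unresolved, a processor trained to expect "in range" may
 * speculatively load array1[x] for any x, then touch a cache line chosen by
 * that byte. The loads are rolled back; the cache state is not. */
uint8_t lookup_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE_STRIDE];
    return 0;
}

/* Mask that is all-ones when 0 <= index < size and zero otherwise, computed
 * with unsigned arithmetic only, so there is no branch for the predictor to
 * guess wrong. When index < size, both index and (size - 1 - index) have
 * their top bit clear; when index >= size, (size - 1 - index) wraps and sets
 * it. Assumes size < SIZE_MAX / 2, which holds for any real array. */
size_t index_mask_nospec(size_t index, size_t size)
{
    size_t out_of_range = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 0 - 1 wraps to all ones; 1 - 1 is 0 */
}

/* Index actually used for the data load: unchanged in range, forced to 0
 * out of range, on the speculative path as well as the committed one. */
size_t masked_index(size_t x)
{
    return x & index_mask_nospec(x, ARRAY1_SIZE);
}

/* Hardened pattern: same interface, but the speculative load can only ever
 * read array1[0..ARRAY1_SIZE-1], so a mispredicted branch leaks nothing
 * beyond what the caller may read anyway. A speculation barrier (x86 lfence)
 * after the compare is the other common fix; masking avoids the barrier's
 * cost on the hot path. */
uint8_t lookup_hardened(size_t x)
{
    size_t safe = masked_index(x);
    if (x < ARRAY1_SIZE)
        return array2[array1[safe] * LINE_STRIDE];
    return 0;
}

int main(void)
{
    init_probe_array();
    printf("in range:     %d\n", lookup_hardened(2));
    printf("out of range: %d (index masked to %zu)\n",
           lookup_hardened(1000), masked_index(1000));
    return 0;
}
```

The committed results of the two lookups are identical, which is exactly why this class of bug escaped testing for so long; the difference is only in what the processor may touch while the branch is unresolved. In production code the mask is usually computed in inline assembly (the kernel does this) so that an optimizing compiler cannot reason that `safe == x` inside the branch and fold the mask away.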

Who and What are Vulnerable
Anyone using a processor with exposure to external connectivity and built around 2010 or later may be affected, as this was when speculative processing was first commercially deployed. Some sources state that speculative execution has been in use for “roughly 20 years.”[v] Malware cannot infect something that it does not have access to. An isolated processor will not be affected if it has no connection to the internet or to external devices such as USB sticks. Processor architectures vary, and not all are equally exposed. For instance, AMD believes that Variant 1 can be fixed with just an OS patch for AMD processors. Additionally, AMD states that its processor architectures would make it difficult to use Variant 2 techniques; nevertheless, AMD is making optional microcode updates available to customers and recommends updating with an OS patch. The AMD site states that AMD processors are not susceptible to Variant 3 (Meltdown) “due to our use of privilege level protections within paging architecture.”[vi] Initial updates for Intel architectures caused some problems with older machines, but the issue has since been fixed. OS patches that make it harder to exploit the kernel have been released for Linux, Windows, and iOS. Major web browsers have had updates to address the problem as well. Anyone with a computer, smartphone, or tablet should have experienced a system update starting at the end of 2017. Many expect to see a degradation of performance with the fixes, but each combination of OS, processor, and browser will produce a different experience. Hackers have made use of the news by phishing and offering “patches” that are actually malware. The official site to learn more about the flaws and how to protect against them is https://meltdownattack.com.

If the processor does not have an OS (typically microcontrollers), it is not affected by the Meltdown or Spectre flaws. Fixes for these potential malware vulnerabilities include hardening the kernel of the OS. The kernel is the root from which everything that needs an OS proceeds. Patches for major OSes were released just before, or shortly after, this hardware vulnerability was revealed. Manufacturers of affected processors are also providing firmware update patches, although not all processors have patches yet. Some processors are deemed unaffected, such as Arm® Cortex-M™ processors. If the processor does not use the speculative technique as described, then it is not affected. AMD Radeon GPUs do not use speculative execution and therefore are not susceptible to any threat utilizing Meltdown- or Spectre-based malware.
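Since the article leaves the reader with “apply the patches,” the natural follow-up for an engineer is how to confirm that a patched Linux machine actually reports a mitigation for each variant. Kernels from 4.15 onward publish one line per variant under /sys/devices/system/cpu/vulnerabilities (the files spectre_v1, spectre_v2 and meltdown), with the prefixes “Not affected”, “Mitigation:” or “Vulnerable”. The checker below is an added example written for this article, not code from the article, the kernel or any vendor; the directory parameter exists so it can be pointed at a copied or constructed tree, and the interpretation of an unreadable file as “treat as unmitigated” is a design choice of this example:

```c
#include <stdio.h>
#include <string.h>

/* Linux 4.15 and later report the kernel's mitigation state for each
 * Project Zero variant as one line per file under this directory. */
#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

enum status { STATUS_UNKNOWN, STATUS_NOT_AFFECTED, STATUS_MITIGATED, STATUS_VULNERABLE };

/* The three variants the article discusses; the file names are the kernel's own. */
static const char *const variants[] = { "spectre_v1", "spectre_v2", "meltdown" };

/* Classify one report line by its kernel-defined prefix. "Vulnerable" and
 * "Mitigation:" are followed by detail text, so compare prefixes, not whole strings. */
enum status classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read the first line of dir/name into buf, newline stripped. Returns 0 on
 * success and -1 when the file is missing or empty, which usually means the
 * kernel predates the interface or does not know about that variant. */
int read_report(const char *dir, const char *name, char *buf, size_t n)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) {
        fclose(f);
        buf[0] = '\0';
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Scan every variant under dir. Returns how many are still reported
 * Vulnerable, unrecognised, or unreadable (this example treats all three the
 * same way, since none of them is evidence of a mitigation), so 0 means every
 * variant is either mitigated or not applicable to this CPU. */
int count_unmitigated(const char *dir)
{
    int unmitigated = 0;
    char line[256];
    for (size_t i = 0; i < sizeof variants / sizeof variants[0]; i++) {
        if (read_report(dir, variants[i], line, sizeof line) != 0) {
            printf("%-10s  (no report from kernel)\n", variants[i]);
            unmitigated++;
            continue;
        }
        printf("%-10s  %s\n", variants[i], line);
        enum status s = classify_status(line);
        if (s == STATUS_VULNERABLE || s == STATUS_UNKNOWN)
            unmitigated++;
    }
    return unmitigated;
}

int main(void)
{
    int n = count_unmitigated(VULN_DIR);
    printf("%d variant(s) without a reported mitigation\n", n);
    return n == 0 ? 0 : 1;   /* non-zero exit lets a fleet script flag the host */
}
```

The report reflects what the running kernel knows and is doing; a “Mitigation:” line for spectre_v2 that depends on updated microcode, for example, only appears once the firmware package has been installed and the machine rebooted, which is why the check is worth running after the update rather than merely after it is downloaded.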

The whitepaper “Meltdown” covers the mechanics of the Meltdown flaw in detail, as well as means to mitigate potential attacks.[vii] A technique to randomize the location of kernel code at boot-up, called Kernel Address Space Layout Randomization (KASLR), was introduced to the Linux kernel as early as v3.14 and enabled by default in May 2017 in Linux kernel version 4.12. KASLR also randomizes memory mapping, which helps obfuscate locations in memory, but it is not bullet-proof. It is clear that patches are not the answer. Chip makers will need to re-design processors to avoid side-channel vulnerabilities. As engineers create new products, standing on the shoulders of those who came before them, technology naturally gains in complexity. It is rare for any one engineer to understand the entire picture from an integrated-system point of view.

Engineers and IT personnel worldwide are still working hard to apply firmware updates and software patches before the flaws can be exploited. Clearly, design must take a more holistic view of marrying the security of hardware and software as an integrated entity, and the best security experts will be those who have extensive experience in both hardware and software.


Lynnette Reese is Editor-in-Chief, Embedded Intel Solutions and Embedded Systems Engineering, and has been working in various roles as an electrical engineer for over two decades. She is interested in open source software and hardware, the maker movement, and in increasing the number of women working in STEM so she has a greater chance of talking about something other than football at the water cooler.

[i] “Cache Speculation Side-Channels.” Arm, Feb. 2018.

[ii] Horn, Jann. “Reading Privileged Memory with a Side-Channel.” Project Zero, Google, 3 Jan. 2018, googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html.

[iii] “Meltdown and Spectre.” Graz University of Technology, Jan. 2018, meltdownattack.com/.

[iv] Kocher, Paul, et al. “Spectre Attacks: Exploiting Speculative Execution.” arXiv preprint 1801.01203, 3 Jan. 2018, arxiv.org/abs/1801.01203.

[v] “An Update on Spectre and Meltdown.” SecureRF, 12 Feb. 2018, www.securerf.com/update-spectre-meltdown/.

[vi] “AMD Processor Security.” AMD, 11 Jan. 2018, www.amd.com/en/corporate/speculative-execution.

[vii] Lipp, Moritz, et al. “Meltdown.” arXiv preprint 1801.01207v1, 3 Jan. 2018, arxiv.org/abs/1801.01207v1.