At the start of the week, news emerged of a major security vulnerability in Intel processors.
While the full details of the vulnerability were under embargo, Linux kernel developers were discussing how to implement patches on their public mailing list.
AMD software engineer Thomas Lendacky submitted a patch to the mailing list, stating that AMD processors are not vulnerable to the types of attacks Linux’s new kernel page table isolation feature protects against.
The discussion expanded to the PostgreSQL developer mailing list, where Andres Freund submitted a performance comparison on an Intel CPU after applying the relevant Linux patches.
His benchmark showed that the best-case scenario was a 17% reduction in performance.
In the worst-case scenario for the benchmark, Intel CPUs performed 23% slower than before the patch.
These discussions resulted in an article on The Register, and less than two days later the full details of the issue were disclosed.
It has been confirmed that the vulnerability is related to speculative execution — a mechanism CPUs rely on to keep their pipelines filled with instructions so they can be as efficient as possible.
Confusion — war of words between Intel and AMD
Following the disclosure of the problem, Intel stated it had planned to disclose the vulnerability next week when more software and firmware patches will be available.
The issue was not a “bug” or “design flaw” as reported in the media, the chipmaker said.
Intel said it was an industry-wide problem and it was working with AMD and ARM to address it.
AMD responded, saying that there is “near-zero risk” to its processors as it uses different architecture to Intel.
“To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants,” AMD explained.
Meltdown and Spectre
- Meltdown affects only Intel processors which implement out-of-order execution, which is potentially every Intel CPU released since 1995, except Itanium and Intel Atom chips from before 2013. It lets programs access the memory of other programs and the operating system.
- Spectre affects almost every system and was successfully tested on Intel, AMD, and ARM-based processors. It can trick even error-free programs into leaking secrets. It is more difficult to exploit than Meltdown, but also more difficult to patch.
The researchers characterise the two vulnerabilities as follows:
- Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
- Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
More technically, Jann Horn describes the different attacks as follows:
- Variant 1: bounds check bypass — Spectre (CVE–2017–5753)
- Variant 2: branch target injection — Spectre (CVE–2017–5715)
- Variant 3: rogue data cache load — Meltdown (CVE–2017–5754)
How vulnerable are you to Meltdown?
For an attacker to exploit Meltdown, they must be able to execute code on your computer or mobile device.
This means an attacker would typically have to exploit another vulnerability to run some malware that lets them gain code execution privileges on your system.
While most mobile devices use ARM-based processors, ARM has noted that the majority of its core designs are not affected by either vulnerability. The only ARM core vulnerable to Meltdown is the Cortex-A75.
This has already been patched in Linux for Intel and ARM-based processors. Microsoft and Apple have also issued patches for their operating systems to address the Meltdown vulnerability in Intel CPUs.
How vulnerable are you to Spectre?
Like Meltdown, to exploit Spectre an attacker must be able to execute code on your device.
ARM cores vulnerable to Spectre include Cortex-A8, A9, A15, A17, A57, A72, A73, and A75.
Cortex-R7 and Cortex-R8 cores are also vulnerable to Spectre, but ARM noted that the common usage model for Cortex-R is in non-open environments where applications or processes are strictly controlled, and hence not exploitable.
Intel and AMD processors are also vulnerable to Spectre, and although some patches have been released, it is more difficult to protect against than Meltdown. In some cases it may require that software developers make changes to their code.
While the vulnerability of personal devices should not be downplayed, those most affected by Spectre and Meltdown are cloud services providers where users and programs may share the same hardware.
Amazon, Google, and Microsoft said that they have deployed fixes to their cloud environments. Administrators will still have to patch the operating systems they use in those environments, however.
Meltdown attack in action
- Google Project Zero report
- Spectre white paper
- Meltdown white paper
- ARM security update
- AMD security update
- Intel security advisory
- Microsoft security guidance
- Amazon security bulletin