Three weeks have already passed since Meltdown and Spectre turned out to be the biggest chip-level flaw in the history of CPU, affecting all processors since 1995. Meaning that almost every laptop, desktop, server, smartphone and other devices have these vulnerabilities. Jann Horn made the initial discovery of this critical security flaw half a year ago but it was kept in secret. Previously, the IT security industry was sure that CPU can isolate running programs from each other and if no errors occur, different processes cannot access each other’s data unless it was allowed. If this statement becomes false we are looking at dark times coming to IT security. Today we will try to carefully and closely examine Meltdown.
IT security industry was sure that CPU can isolate running programs from each other and if no errors occur, different processes cannot access each other’s data unless it was allowed. If this statement becomes false we are looking at dark times coming to IT security
Memory Management Unit (MMU) or PMMU is a part of CPU that handles virtual memory management and protection, and bus arbitration in x86 architecture. So instead of accessing the physical memory directly, applications get virtual address space mapped to physical memory so that the spaces of different applications do not overlap. This architecture made running applications separated from each other until we found that CPU could purposefully ignore the MMU while processing its internal algorithms. So Meltdown abuses this fault and can access data without having any permissions to do it.
All modern processors – if we are talking specifically about Intel x86, starting with Atom 2013, Pentium Pro and Pentium II – have the functions of speculative execution. This algorithm is necessary to ensure high performance of the entire system. As we know, all availablecomponents, including RAM, are much slower than the CPU. Whenever the next executable instruction needs to wait for the input data, the processor starts executing the code followed by the last instruction instead of being idle. This code is based on predictions about which data is most likely to arrive next. This version of speculative execution is called prediction execution or operations that are run out-of-order. The prediction execution results are stored in processor cache. It doesn’t matter whether speculation execution was true or false (predicted correctly or not) the results will remain in the cache. Malware cannot directly read processor cache but it can detect whether the data is stored in this cache or not depending on the response rate. As a result, an attacker can dump the entire kernel memory by reading privileged memory in a prediction (out-of-order) execution stream, and transmit the data from this elusive state to the outside world via a microarchitectural covert channel (e.g., Flush+Reload). On the receiving end of the covert channel, the register value is reconstructed.
Meltdown consists of three steps:
- Step #1. Reading the secret. The content of the memory location chosen by an attacker, which right now is inaccessible to him or her, is loaded into a register.
- Step #2. Transmitting the secret. A transient instruction accesses a cache line based on the secret content of the register.
- Step #3. Receiving the secret. The attacker uses «Flush+Reload» to determine the accessed cache line and hence the secret stored at the chosen memory location.
By repeating these steps for different memory locations, the attacker can dump the kernel memory, including the entire physical memory. So Meltdown doesn’t need to get full access rights to the system, it simply ignores operating system and addresses directly to the processor cache leaving no traces at all.
Which processors are affected by Meltdown?
All Intel Core processors, all Xeon processors, all Celeron and Pentium after 1995. ARM Cortex-A75, probably new Kryo 385, all Apple iOS devices.
AMD processors are unaffected.
How to get Rid of Meltdown?
For Linux users there is a patch named KAISER. Whereas current systems have a single set of page tables for each process, KAISER implements two.
For Apple devices – https://support.apple.com/en-us/HT208394
For Android devices – https://source.android.com/security/bulletin/2018-01-01
Microsoft has also released their patches – https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
To enable fix using PowerShell type the following:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Reboot the system after the code execution.
After these patches benchmarks recorded a 10-20% performance drop especially in database performance. Interestingly, computer games did not show any difference.
If a post-patch performance impact doesn’t allow you to effectively use your servers, it can be disabled with the following PowerShell code:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Reboot the system after the code execution.
You can also test your server for Meltdown vulnerability using PowerShell. To do this you need to install SpeculationControl module:
Then import it:
After that run:
If your system is protected you will get the following output:
BTIHardwarePresent : True BTIWindowsSupportPresent : True BTIWindowsSupportEnabled : True BTIDisabledBySystemPolicy : True BTIDisabledByNoHardwareSupport : True KVAShadowRequired : True KVAShadowWindowsSupportPresent : True KVAShadowWindowsSupportEnabled : True KVAShadowPcidEnabled : True
If your computer is vulnerable to Meltdown you will get the following output:
BTIHardwarePresent : False BTIWindowsSupportPresent : False BTIWindowsSupportEnabled : False BTIDisabledBySystemPolicy : False BTIDisabledByNoHardwareSupport : False KVAShadowRequired : False KVAShadowWindowsSupportPresent : False KVAShadowWindowsSupportEnabled : False KVAShadowPcidEnabled : False
Remember that the fix will fully work only after you update the firmware for your processors.
However, to truly get rid of Meltdown, you will need a new processor with new core architecture. However, such such processors will not hit the market for at least 2 years. While we wait for its release, we have to get by somehow.
Meltdown Vulnerability Mitigation
If you are running risk assessment in your organization then Meltdown should be in your assessment report with the highest risk level. Until we get new processors from Intel, Meltdown threat will remain high for your assets. Here are some steps to lower this risk:
- Install Meltdown fix patches – install patches that are described in “How to Get Rid of Meltdown” section.
- Keep your antivirus updated – For now, there are only a few exploit kits that exploit Meltdown vulnerability and they are rather expensive. Therefore, the amount of reported malware that exploits Meltdown will increase exponentially. Antivirus software will greatly help you to detect such kind of malware, so keep Antivirus databases always updated.
- Don’t allow unauthorized software installation – Meltdown is a local attack, so it can be performed only by the code execution at your computer. If there you can guarantee that there is no chance that a malware will be installed on your system, than meltdown is not a danger for you. Therefore, you should follow privilege account management best practices and enable UAC on your servers. Also, don’t forget that Java script in your web browsers is also a locally executed code, so you need to disable Java on all your critical systems, unless it is absolutely necessary.
- Enable user behavior analytics and systems change auditing – this will help you to spot the hacker attack on the early stages and will greatly reduce the negative impact on your organization. Meltdown leaves no traces of its exploitation but we can trace the actions of a hacker that stole data using Meltdown. For example if he has stolen a password for a privileged account he will surely at least login to one of your systems and make some changes. You need to spot these unusual changes, identify the compromised account, detect the system that was compromised and stop the attack as soon as possible.
Applying these practices will allow you to reduce the Meltdown risk Meltdown to “Medium” level in 2018. However, we still have the Spectre vulnerability, which I will describe later.