Meltdown (security vulnerability): Difference between revisions

From Wikipedia, the free encyclopedia
Revision as of 13:31, 4 January 2018

The logo of the vulnerability

Meltdown is a hardware vulnerability that allows an unauthorized process access to privileged memory. The vulnerability is only known to affect Intel microprocessors[1] and not AMD's.[2][3][4][5][6] It was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754.

History

Meltdown was discovered independently by researchers from Google's Project Zero, Cyberus Technology, and Graz University of Technology.[7] It was made public in conjunction with another vulnerability, Spectre, on January 3, 2018.

Mechanism

The following is a schematic outline.[8]

To read bit 0 of the value stored at protected memory address Ap, the attacker executes (or attempts to execute) the following instructions:

  1. flush from the cache two addresses A0u and A1u that lie in the attacker's own, accessible address space
  2. read the value V(Ap) of the protected memory location at address Ap into a register
  3. compute, via a bitwise arithmetic operation, an address Axu that equals either A0u or A1u depending on the value of bit 0 of V(Ap)
  4. read the memory at address Axu
  5. continue with instructions that are effectively no-ops

On some architectures this sequence results in a memory protection fault at step 2, but because of speculative execution instructions 2, 3 and 4 are executed anyway, loading either A0u or A1u into the cache. When the fault is eventually detected (there is a delay in recognizing it), the hardware annuls all "functional" (architectural) consequences of instructions 2, 3 and 4, as it should, but the cache state is left as it is. The attacker then reads, entirely legally (from a process forked beforehand, or through other standard mechanisms), "his" own addresses A0u and A1u and times both accesses. The faster access identifies which of the two locations is now in the cache, and thereby reveals the value of bit 0 of the memory at address Ap.

Repeating the above for other bits of V(Ap) will reveal those other bits as well.

The above depends on the implementation of address translation in a particular OS and on the hardware architecture. The attack can reveal the contents of memory that is mapped into the user address space but protected as, for example, kernel space. On Linux this covers all available physical memory, and on Windows a large part of it.

Recognition of memory protection faults can have high latency, which is why some OS/architecture combinations allow speculative execution of a memory access: normally there is no fault, so speculative execution gives a significant performance advantage. One mitigation of this vulnerability is to ensure that a protected address does not translate, in user mode, to anything useful, but this approach has its own performance penalties.
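The schematic above as a toy simulation (an added illustration, not code from the page or the Meltdown paper): a Python set stands in for the cache and a constant for the access time, so it models the reasoning rather than any real hardware, and the `kpti` flag models the mitigation from the previous paragraph, where the protected address no longer translates in user mode. The addresses and the byte value 0xA5 are constructed.

```python
# Toy model of the five-step schematic above, added as an illustration; it is
# not code from the page or the Meltdown paper. Addresses are ints, the cache
# is a set, and "access time" is a constructed constant: nothing is measured.
HIT, MISS = 1, 100   # constructed access times: cache hit vs. cache miss

class ToyCPU:
    def __init__(self, kernel_mem, kpti=False):
        self.kernel_mem = kernel_mem  # protected memory: address -> byte value
        self.kpti = kpti              # page-table isolation: kernel unmapped in user mode
        self.cache = set()            # addresses currently held in the cache

    def flush(self, *addrs):                        # step 1
        self.cache.difference_update(addrs)

    def user_speculative_read(self, a_p, a0u, a1u, bit):
        """Steps 2-4 as the out-of-order core runs them, before the fault from
        step 2 is recognised. With KPTI the protected address does not
        translate in user mode, so no value is loaded and steps 3-4 never run."""
        if self.kpti or a_p not in self.kernel_mem:
            raise MemoryError("page not present")
        v = self.kernel_mem[a_p]                    # step 2: privileged value in a register
        a_xu = a1u if (v >> bit) & 1 else a0u       # step 3: choose A1u or A0u from the bit
        self.cache.add(a_xu)                        # step 4: the load leaves a cache trace
        del v                                       # fault recognised: register state annulled
        raise MemoryError("protection fault")       # the cache contents survive

    def timed_read(self, addr):
        """Legal read of the attacker's own address; returns the 'time' it took."""
        t = HIT if addr in self.cache else MISS
        self.cache.add(addr)
        return t

def recover_byte(cpu, a_p, a0u, a1u):
    """Repeat the schematic for each of the 8 bits of V(Ap)."""
    value = 0
    for bit in range(8):
        cpu.flush(a0u, a1u)
        try:
            cpu.user_speculative_read(a_p, a0u, a1u, bit)
        except MemoryError:
            pass                                    # the fault is expected
        if cpu.timed_read(a1u) < cpu.timed_read(a0u):   # faster access = cached
            value |= 1 << bit
    return value

# Constructed sample: one protected byte at a made-up kernel address.
KERNEL = {0xFFFF_8000_0000_1000: 0xA5}
A_P, A0U, A1U = 0xFFFF_8000_0000_1000, 0x1000, 0x2000
```

Without KPTI the model recovers 0xA5 from the cache trace alone; with `kpti=True` every bit reads as 0 because nothing dependent on V(Ap) ever touches the cache.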

Impact

According to researchers, "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."[7]

The vulnerability is expected to impact major cloud providers such as Amazon Web Services (AWS)[9] and Google Cloud Platform. Cloud providers allow users to execute programs on the same physical servers where sensitive data might be stored, and rely on safeguards provided by the CPU to prevent unauthorized access to the privileged memory locations where that data is stored, a feature that the Meltdown vulnerability seems to be able to circumvent.

One of the paper's authors reports that paravirtualization (Xen) and containers such as Docker, LXC and OpenVZ are affected.[10] They report that the attack on a fully virtualized machine allows the guest user space to read from the guest kernel memory, but not from the host kernel space.

Mitigation

Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. Linux kernel developers have referred to this measure as kernel page-table isolation (KPTI). KPTI patches have been developed for Linux kernel 4.15, and have been released as a backport in kernel 4.14.11.[11][12] macOS has been patched since 10.13.2.[13] Microsoft released an emergency update to Windows 10 to address the vulnerability on 3 January 2018,[14][15] and is expected to release the patches to other supported versions of Windows in an upcoming Patch Tuesday.[13]

It was reported that implementation of KPTI may lead to a reduction in CPU performance, with some reports claiming losses of up to 30% depending on usage. However, it was reported that Intel architectures since Skylake were not as susceptible to performance losses under KPTI as older generations.[16] An official statement by Intel states that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."[17][2] Phoronix benchmarks of several major video games on a Linux system with KPTI showed little impact on frame rate and performance.[4]
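One way to check whether a Linux host has the KPTI mitigation in place (an added example, not code from the page): it reads the kernel's /sys/devices/system/cpu/vulnerabilities/meltdown file and /proc/cpuinfo, which kernels carrying the PTI work expose, and falls back to the CPU vendor and the `pti` CPU flag when the sysfs file is absent. The file contents in the constants below are constructed samples.

```python
# Added check, not from the page: classify a Linux host's Meltdown status
# from /sys/devices/system/cpu/vulnerabilities/meltdown and /proc/cpuinfo.
# The sample file contents at the bottom are constructed for the demo.

def parse_cpuinfo(text):
    """Return the vendor string, CPU flags and kernel 'bugs' list."""
    info = {"vendor_id": "", "flags": set(), "bugs": set()}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "vendor_id" and not info["vendor_id"]:
            info["vendor_id"] = val
        elif key == "flags":
            info["flags"] |= set(val.split())
        elif key == "bugs":
            info["bugs"] |= set(val.split())
    return info

def meltdown_status(sysfs_text, cpuinfo_text):
    """Combine the sysfs verdict with cpuinfo; sysfs wins when present."""
    info = parse_cpuinfo(cpuinfo_text)
    verdict = sysfs_text.strip()
    if verdict.startswith("Not affected"):
        return "not_affected"
    if verdict.startswith("Mitigation"):        # e.g. "Mitigation: PTI"
        return "mitigated"
    if verdict.startswith("Vulnerable"):
        return "vulnerable"
    # Kernels without the sysfs file: fall back to cpuinfo (Intel is the
    # only vendor known to be affected; 'pti' appears when KPTI is active).
    if "cpu_meltdown" in info["bugs"] or "GenuineIntel" in info["vendor_id"]:
        return "mitigated" if "pti" in info["flags"] else "vulnerable"
    return "unknown"

def read_host_status():
    """Read both interfaces from the running host (Linux only)."""
    try:
        with open("/sys/devices/system/cpu/vulnerabilities/meltdown") as f:
            sysfs = f.read()
    except OSError:
        sysfs = ""
    with open("/proc/cpuinfo") as f:
        return meltdown_status(sysfs, f.read())

# Constructed samples standing in for real /proc/cpuinfo contents.
INTEL_PTI = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pti sse2\nbugs\t\t: cpu_meltdown\n"
INTEL_NOPTI = "vendor_id\t: GenuineIntel\nflags\t\t: fpu sse2\nbugs\t\t: cpu_meltdown\n"
AMD = "vendor_id\t: AuthenticAMD\nflags\t\t: fpu sse2\nbugs\t\t:\n"
```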

References

  1. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. January 3, 2018.
  2. Metz, Cade; Perlroth, Nicole (2018). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Retrieved January 3, 2018.
  3. "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Retrieved January 3, 2018.
  4. "Linux Gaming Performance Doesn't Appear Affected By The x86 PTI Work". Phoronix. Retrieved January 3, 2018.
  5. Gleixner, Thomas (January 3, 2018). "x86/cpu, x86/pti: Do not enable PTI on AMD processors".
  6. Lendacky, Tom. "[tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors". lkml.org. Retrieved January 3, 2018.
  7. "Meltdown and Spectre: Which systems are affected by Meltdown?". meltdownattack.com. Retrieved January 3, 2018.
  8. Lipp, Moritz; Schwarz, Michael; Gruss, Daniel; Prescher, Thomas; Haas, Werner; Mangard, Stefan; Kocher, Paul; Genkin, Daniel; Yarom, Yuval; Hamburg, Mike. "Meltdown" (PDF). Meltdown and Spectre. p. 8, sec. 5.1. Retrieved January 4, 2018.
  9. "Processor Speculative Execution Research Disclosure". Amazon Web Services, Inc. Retrieved January 3, 2018.
  10. http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
  11. Corbet, Jonathan (November 15, 2017). "KAISER: hiding the kernel from user space". LWN. Retrieved January 3, 2018.
  12. Corbet, Jonathan (December 20, 2017). "The current state of kernel page-table isolation". LWN. Retrieved January 3, 2018.
  13. "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register. Retrieved January 3, 2018.
  14. Warren, Tom. "Microsoft issues emergency Windows update for processor security bugs". The Verge. Vox Media, Inc. Retrieved January 3, 2018.
  15. Thorp-Lancaster, Dan (January 3, 2018). "Microsoft pushing out emergency fix for newly disclosed processor exploit". Windows Central. Retrieved January 4, 2018.
  16. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Retrieved January 4, 2018.
  17. "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved January 4, 2018.