Meltdown (security vulnerability): Difference between revisions

From Wikipedia, the free encyclopedia
Revision by Szafranpl. Edit summary: "Mechanism: A brief outline".
Revision as of 11:02, 4 January 2018

The logo of the vulnerability

Meltdown is a hardware vulnerability that allows an unauthorized process to read the contents of privileged memory, such as the operating system kernel's, to which it should have no access. At the time of disclosure the vulnerability was known to affect Intel microprocessors[1] but not AMD's.[2][3][4][5][6] It was issued the Common Vulnerabilities and Exposures ID CVE-2017-5754.

History

Meltdown was discovered independently by researchers from Google's Project Zero, Cyberus Technology, and Graz University of Technology.[7] It was made public in conjunction with another vulnerability, Spectre, on 3 January 2018.

Mechanism

The following is a schematic outline of the attack.

To read bit 0 of the value V(Ap) stored at protected memory address Ap, the attacker executes (or attempts to execute) the following instructions:

  1. flush from the cache two addresses A0u and A1u that lie in the attacker's own address space
  2. read the value V(Ap) at the protected address Ap into a register
  3. compute, with bitwise arithmetic and no branch, an address Axu that equals A0u if bit 0 of V(Ap) is 0 and A1u if it is 1
  4. read the memory at address Axu
  5. continue with instructions that are effectively no-ops

On affected processors the sequence raises a memory protection fault at step 2. Because the processor executes instructions out of order, however, steps 2, 3 and 4 are carried out speculatively before the fault takes effect, and the read in step 4 brings either A0u or A1u into the cache. The architectural state (registers) is rolled back when the fault is raised, but the cache contents are not. After the fault has been serviced, the attacker reads A0u and A1u and times both accesses: the one that is still cached is markedly faster, which reveals bit 0 of the value at Ap.

Repeating the sequence for the other bits of V(Ap) reveals those bits as well.

Whether the sequence works depends on the hardware (in particular on whether the permission check of a load is enforced before or only after its data has been forwarded to dependent instructions) and on the operating system's address translation, since the protected address Ap must be mapped, although inaccessible, in the attacker's address space.

Impact

According to researchers, "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."[7]

The vulnerability is expected to impact major cloud providers such as Amazon Web Services (AWS)[8] and Google Cloud Platform. Cloud providers allow users to execute programs on the same physical servers where sensitive data might be stored, and rely on the CPU's memory protection to prevent unauthorized access to the privileged memory where that data resides, a safeguard that Meltdown appears to circumvent.

One of the paper's authors reports that paravirtualization (Xen) and containers such as Docker, LXC and OpenVZ are affected.[9] They report that on a fully virtualized machine the attack allows the guest's user space to read the guest's kernel memory, but not the host's kernel memory.

Mitigation

Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. Linux kernel developers have referred to this measure as kernel page-table isolation (KPTI): most of the kernel's memory is removed from the page tables in use while a user process runs, so a kernel address such as Ap in the outline above has no translation when the process attempts the read in step 2, and nothing can be loaded from it. KPTI patches have been developed for Linux kernel 4.15, and have been released as a backport in kernel 4.14.11.[10][11] macOS has been patched since 10.13.2.[12] Microsoft released an emergency update to Windows 10 on 3 January 2018,[13] and is expected to release patches for other supported versions of Windows in an upcoming Patch Tuesday.[12]
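As an added example that is not part of the article, the following POSIX shell check reads the status interfaces the Linux kernel exposes for this mitigation: the file /sys/devices/system/cpu/vulnerabilities/meltdown (added to the kernel shortly after disclosure, so it is absent on older kernels), the pti flag in /proc/cpuinfo, and the boot command line in /proc/cmdline, where nopti or pti=off disables KPTI. The function name meltdown_verdict and its verdict strings are this example's own; the three path arguments exist so the logic can be run against constructed inputs as well as against the live host.

```shell
#!/bin/sh
# Added example: is KPTI in effect on this Linux host?
#
# meltdown_verdict SYSFS_FILE CPUINFO_FILE CMDLINE_FILE
# Prints one of: not_affected, mitigated, vulnerable, disabled_by_cmdline, unknown.
meltdown_verdict() {
    sysfs=$1; cpuinfo=$2; cmdline=$3
    status=""
    [ -r "$sysfs" ] && status=$(cat "$sysfs")
    case "$status" in
        "Not affected") echo not_affected; return 0 ;;
        Mitigation:*)   echo mitigated;    return 0 ;;
        Vulnerable*)
            # Tell a deliberately disabled mitigation apart from a missing one.
            if [ -r "$cmdline" ] && grep -Eq '(^| )(nopti|pti=off)( |$)' "$cmdline"; then
                echo disabled_by_cmdline
            else
                echo vulnerable
            fi
            return 0 ;;
    esac
    # Kernels that predate the sysfs file: fall back to the pti cpu flag, which the
    # kernel sets only when page-table isolation is enabled.
    if [ -r "$cpuinfo" ] && grep -Eq '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)' "$cpuinfo"; then
        echo mitigated
    else
        echo unknown
    fi
}

# Check the live host (constructed file paths are used in tests instead).
meltdown_verdict /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo /proc/cmdline
```

A verdict of unknown on a modern kernel usually means the script is running in a container that hides /sys or /proc; run it on the host, since the mitigation belongs to the host kernel.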

It was reported that implementing KPTI may reduce CPU performance, with some reports claiming losses of up to 30% depending on the workload. However, Intel architectures since Skylake were reported to be less susceptible to performance losses under KPTI than older generations.[14] An official statement by Intel says that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."[15][2] Phoronix benchmarks of several major video games on a Linux system with KPTI showed little impact on frame rate and performance.[4]

References

  1. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. 3 January 2018.
  2. Metz, Cade; Perlroth, Nicole (2018). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Retrieved 3 January 2018.
  3. "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Retrieved 3 January 2018.
  4. "Linux Gaming Performance Doesn't Appear Affected By The x86 PTI Work". Phoronix. Retrieved 3 January 2018.
  5. Gleixner, Thomas (3 January 2018). "x86/cpu, x86/pti: Do not enable PTI on AMD processors".
  6. Lendacky, Tom. "[tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors". lkml.org. Retrieved 3 January 2018.
  7. "Meltdown and Spectre: Which systems are affected by Meltdown?". meltdownattack.com. Retrieved 3 January 2018.
  8. "Processor Speculative Execution Research Disclosure". Amazon Web Services, Inc. Retrieved 3 January 2018.
  9. Cyberus Technology. http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
  10. Corbet, Jonathan (15 November 2017). "KAISER: hiding the kernel from user space". LWN. Retrieved 3 January 2018.
  11. Corbet, Jonathan (20 December 2017). "The current state of kernel page-table isolation". LWN. Retrieved 3 January 2018.
  12. "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register. Retrieved 3 January 2018.
  13. Warren, Tom. "Microsoft issues emergency Windows update for processor security bugs". The Verge. Vox Media, Inc. Retrieved 3 January 2018.
  14. "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Retrieved 4 January 2018.
  15. "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved 4 January 2018.