Meltdown (security vulnerability)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Szafranpl (talk | contribs) at 12:23, 4 January 2018 (→‎Mechanism: about the access privileges of the memory locations used).

The logo of the vulnerability

Meltdown is a hardware vulnerability that lets an unprivileged process read memory it has no permission to access, including kernel memory. At the time of disclosure it was known to affect Intel microprocessors[1] but not AMD's.[2][3][4][5][6] It was assigned the Common Vulnerabilities and Exposures identifier CVE-2017-5754.

History

Meltdown was discovered independently by researchers from Google's Project Zero, Cyberus Technology, and Graz University of Technology.[7] It was made public in conjunction with another vulnerability, Spectre, on 3 January 2018.

Mechanism

The following is a schematic outline, simplified to the leak of a single bit; the published attack leaks a whole byte per iteration by selecting one of 256 probe pages.[8]

To read bit 0 of the value stored at a protected (kernel) address Ap, the attacker executes, or attempts to execute, the following instructions:

  1. flush two addresses in the attacker's own address space, A0u and A1u, out of the cache
  2. load the value V(Ap) from the protected address Ap into a register
  3. compute an address Axu from bit 0 of V(Ap) with bitwise arithmetic, so that Axu is A0u if the bit is 0 and A1u if it is 1
  4. load from Axu
  5. continue with instructions that have no further effect (effective no-ops)

On affected processors the load in step 2 raises a memory protection fault, but the fault is only delivered when the instruction retires. By then out-of-order (speculative) execution has already run steps 2, 3 and 4 with the real value of V(Ap), pulling either A0u or A1u into the cache. The fault rolls back the architectural state (registers, the faulting load), but the cache contents stay. The attacker then survives the fault (for example in a child process forked beforehand, or by catching the resulting signal) and times a load from A0u and from A1u: the one that is still cached returns noticeably faster, which reveals bit 0 of V(Ap).

Repeating the sequence for the other bits of V(Ap), and then for other addresses, reveals the rest of the memory.

How much can be read this way depends on the operating system's address-space layout and on the hardware. The attack reveals memory that is mapped into the user address space but marked as kernel-only by the page-table permission bits. On Linux that covers all of physical memory, because the kernel keeps a direct mapping of it in every process's address space; on Windows a large part of physical memory is mapped the same way.
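The readout half of the outline above (steps 1, 3 and 4 plus the timing) is a Flush+Reload cache covert channel, and it can be exercised on its own. The following is an added example, not code from the Meltdown paper or from Wikipedia: it uses the paper's generalisation from two probe addresses to 256 probe pages, so one round trip carries a byte rather than a bit. The "secret" is a byte the process may legally read, so there is no fault and no transient execution involved; on an unpatched CPU, step 4 is where the faulting kernel load would sit. The probe array, the stride, the trial count and the sample string are all assumptions chosen for the demonstration; the clflush/rdtscp measurement only runs on x86, elsewhere the timing functions are no-ops and only the decoding logic is meaningful.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>      /* _mm_clflush, _mm_mfence, __rdtscp */
#define MELTDOWN_DEMO_X86 1
#else
#define MELTDOWN_DEMO_X86 0 /* other ISAs: no cache timing, decoding logic only */
#endif

#define LINES  256   /* one probe line per possible byte value (assumption) */
#define STRIDE 4096  /* page stride keeps the hardware prefetcher out of it */

static uint8_t probe[LINES * STRIDE];

/* Step 3, generalised from one bit to one byte: the secret value selects
 * which of the 256 probe lines gets touched. */
static uint8_t *probe_address(unsigned value)
{
    return probe + (size_t)(value & 0xff) * STRIDE;
}

/* Step 1: evict every probe line from the cache. */
static void flush_probe(void)
{
#if MELTDOWN_DEMO_X86
    for (unsigned i = 0; i < LINES; i++)
        _mm_clflush(probe_address(i));
    _mm_mfence();
#endif
}

/* Reload one probe line and return the access latency in cycles. */
static uint64_t reload_time(const uint8_t *p)
{
#if MELTDOWN_DEMO_X86
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*(volatile const uint8_t *)p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

/* The line with the lowest reload latency is the one still cached. */
static int fastest_line(const uint64_t times[LINES])
{
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (times[i] < times[best])
            best = i;
    return best;
}

/* Majority vote over repeated trials, as the paper does for reliability. */
static int most_frequent(const unsigned hits[LINES])
{
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (hits[i] > hits[best])
            best = i;
    return best;
}

/* One round trip: flush, secret-dependent access (step 4), then time every
 * line. Lines are probed in a scrambled order so a stride prefetcher cannot
 * pull in neighbours of the line that was just touched. */
static int transmit_and_receive(uint8_t secret)
{
    uint64_t times[LINES];
    flush_probe();
    (void)*(volatile uint8_t *)probe_address(secret);
    for (unsigned i = 0; i < LINES; i++) {
        unsigned mix = (i * 167 + 13) & 0xff;
        times[mix] = reload_time(probe_address(mix));
    }
    return fastest_line(times);
}

static int leak_byte(uint8_t secret, unsigned trials)
{
    unsigned hits[LINES] = {0};
    memset(probe, 1, sizeof probe);   /* pre-fault the pages: no demand-zero noise */
    for (unsigned t = 0; t < trials; t++)
        hits[transmit_and_receive(secret)]++;
    return most_frequent(hits);
}

int main(void)
{
    const char *secret = "Meltdown";  /* constructed sample "protected" data */
    char out[9] = {0};
    if (!MELTDOWN_DEMO_X86) {
        puts("cache timing needs clflush/rdtscp; not an x86 build");
        return 0;
    }
    for (int i = 0; i < 8; i++)
        out[i] = (char)leak_byte((uint8_t)secret[i], 50);
    printf("recovered: %s\n", out);
    return 0;
}
```

On an x86 machine the program prints the sample string recovered purely from cache latencies. Only the decoding functions are exact; the timing part can misread a byte under heavy system noise, which is why the majority vote over several trials is there, and why a real exploit repeats the whole sequence per byte.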

Impact

According to researchers, "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."[7]

The vulnerability is expected to affect major cloud providers such as Amazon Web Services (AWS)[9] and Google Cloud Platform. Cloud providers run customers' programs on shared physical servers where other tenants' sensitive data may reside, and rely on the CPU's memory protection to keep the privileged memory holding that data out of reach of unprivileged code; Meltdown appears to circumvent exactly that protection.

Cyberus Technology, one of the discovering teams, reports that Xen paravirtualization and containers such as Docker, LXC and OpenVZ are affected, since the guest or container shares a kernel with the host.[10] For a fully virtualized machine they report that the attack lets guest user space read guest kernel memory, but not host kernel memory.

Mitigation

Mitigating the vulnerability requires changes to operating system kernels: the kernel's memory has to be unmapped from the address space of user-mode processes, so that there is nothing for a transient load to read. Linux kernel developers call this measure kernel page-table isolation (KPTI). KPTI patches were developed for Linux kernel 4.15 and released as a backport in kernel 4.14.11.[11][12] On kernels carrying the fix, the flags line of /proc/cpuinfo lists pti when page-table isolation is active, and /sys/devices/system/cpu/vulnerabilities/meltdown reports the mitigation status. macOS has been patched since 10.13.2.[13] Microsoft released an emergency update for Windows 10 on 3 January 2018,[14][15] and is expected to release patches for other supported versions of Windows on an upcoming Patch Tuesday.[13]

KPTI costs performance because every transition between user and kernel mode (system calls, interrupts) now switches page tables, and on processors without PCID support also flushes the TLB; some reports put the loss at up to 30% depending on workload. Intel architectures since Skylake were reported to be less affected than older generations.[16] An official statement by Intel says that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."[17][2] Phoronix benchmarks of several major video games on a Linux system with KPTI enabled showed little impact on frame rate.[4]

References

  1. ^ "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. 2018-01-03.
  2. ^ a b Metz, Cade; Perlroth, Nicole (2018). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Retrieved 2018-01-03.
  3. ^ "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Retrieved 2018-01-03.
  4. ^ a b "Linux Gaming Performance Doesn't Appear Affected By The x86 PTI Work - Phoronix". www.phoronix.com. Retrieved 2018-01-03.
  5. ^ Gleixner, Thomas (3 January 2018). "x86/cpu, x86/pti: Do not enable PTI on AMD processors".
  6. ^ Lendacky, Tom. "[tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors". lkml.org. Retrieved 2018-01-03.
  7. ^ a b "Meltdown and Spectre: Which systems are affected by Meltdown?". meltdownattack.com. Retrieved 2018-01-03.
  8. ^ Moritz Lipp; Michael Schwarz; Daniel Gruss; Thomas Prescher; Werner Haas; Stefan Mangard; Paul Kocher; Daniel Genkin; Yuval Yarom; Mike Hamburg. "Meltdown" (PDF). Meltdown and Spectre. p. 8 sec. 5.1. Retrieved 4 January 2018.
  9. ^ "Processor Speculative Execution Research Disclosure". Amazon Web Services, Inc. Retrieved 2018-01-03.
  10. ^ Cyberus Technology (2018-01-03). "Meltdown". blog.cyberus-technology.de. http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
  11. ^ Corbet, Jonathon (2017-11-15). "KAISER: hiding the kernel from user space". LWN. Retrieved 2018-01-03.
  12. ^ Corbet, Jonathon (2017-12-20). "The current state of kernel page-table isolation". LWN. Retrieved 2018-01-03.
  13. ^ a b "Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign". The Register. Retrieved 2018-01-03.
  14. ^ Warren, Tom. "Microsoft issues emergency Windows update for processor security bugs". The Verge. Vox Media, Inc. Retrieved 3 January 2018.
  15. ^ Thorp-Lancaster, Dan (January 3, 2018). "Microsoft pushing out emergency fix for newly disclosed processor exploit". Windows Central. Retrieved January 4, 2018.
  16. ^ "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Retrieved 2018-01-04.
  17. ^ "Intel says processor bug isn't unique to its chips and performance issues are 'workload-dependent'". The Verge. Retrieved 2018-01-04.