MY TAKE: A breakdown of why Spectre, Meltdown signal a coming wave of ‘microcode’ attacks
By Byron V. Acohido, The Last Watchdog, April 9, 2018, with comments from Virsec’s Atiq Raza and Satya Gupta
Hundreds of cybersecurity vendors are making final preparations to put their best foot forward at the RSA Conference at San Francisco’s sprawling Moscone Center next week. This will be my 15th RSA, and I can say that there is a distinctively dark undertone simmering under this year’s event. It has to do with a somewhat under-the-radar disclosure in early January about a tier of foundational security holes no one saw coming.
Related article: Meltdown, Spectre foreshadow another year of nastier attacks
Spectre and Meltdown drew a fair amount of mainstream news coverage. But I fear their true significance hasn’t resonated. We now know that there will be no quick way to fix this pair of milestone vulnerabilities that lurk in the architecture of just about every modern processor chip.
As I get ready to head to RSA, it struck me that none of the legacy security systems being hyped at the glitzy exhibition booths I’ll see at RSA seem able to solve this problem or mitigate the risks.
“Spectre and Meltdown will be the enormous elephants in the room at RSA,” said Atiq Raza, CEO of security firm Virsec. “The chip and OS vendors have failed with multiple patches and are asking for patience. Meanwhile, few security vendors understand or monitor what happens between applications and processors. This is leaving most customers worried and scratching their heads.”
To understand how profoundly Spectre and Meltdown have changed the cybersecurity landscape requires a bit of technical context. Processor chips are formally referred to as the Central Processing Unit, or CPU. These are the semiconductor chips manufactured by Intel, AMD, ARM and a few others.
CPUs give life to any computing device you can name. CPUs interact with the operating system, or OS, such as Windows, Macintosh, iOS and Linux. The OS, in turn, enables applications such web browsers, smartphones, business apps, web apps, games, video — and the digital infrastructure behind them — to run.
Around 1995, CPUs started getting dramatically faster and have been getting incrementally faster ever since. This happened both because of improvements in the hardware and clever ways engineers found to make processes more efficient. Every OS has a core piece of software, called the kernel, that manages and directs how each application can tap into the CPU. Keep in mind, this kernel-to-CPU interaction occurs below the operating system level – at the microcode level. Also note, the kernel is protected by the chip.
To protect the kernel, chip designers made certain to isolate the kernel from everything else running on the computer. To access the kernel, any given application must first receive specific permission from the CPU, which is responsible for running verification checks. Isolating the OS kernel in this fashion is the main way the chip keeps the memory and data associated with each application separated from each other.
Clock speed obsession
So what happened in the mid -1990s is that CPU clock speeds became faster than supporting memory and application processes, causing choke points on overall speed. The chip often had to wait, idle, to receive a piece of information it expected to receive from a given application, routed via the kernel, as part of the verification process. They saw that idleness equaled processing time going to waste. So chip designers came up with something they called “speculative execution.”
They essentially said it was okay for the CPU to guess what information should be coming back from memory and continue with the task at hand, postponing security checks. A high percentage of the time, they reasoned, the CPU would guess correctly. And for the few times it guessed incorrectly, it would simply run the process again, and guess again. The net gain translated into dramatically increased overall speed.
“Rather than keep the CPU idle, speculative execution lets operations complete while memory and security checks happen in parallel” said Adi Gadwale, Chief Enterprise Architect at General Dynamics. “Everybody always thought this was a great idea and it still is, but it turns out it has some subtle flaws which can be exploited. Every time the processor discards an inappropriate action, the timing and other indirect signals can be exploited to discover memory information that should have been inaccessible.”
Hindsight being 20-20, it’s now defensible to accuse Intel, AMD and ARM of becoming obsessed with the race to top each other’s clock speed while losing sight of the long run security implications – which we will now see reverberate through our business and home digital systems.
Spectre and Meltdown were disclosed by a number of separate groups and individuals, all of them white hat researchers. They discovered that Meltdown erodes the CPU’s ability to isolate the kernel. With a cleverly designed Meltdown exploit, it is now theoretically possible for an attacker to access whatever information might be residing in the kernel at any point in time, such as account logons, encryption keys and other components useful to a stealthy intruder.
Meltdown hasn’t been easy to patch, not by a long stretch. Both Intel and Microsoft — supplier of the Windows kernel used pervasively in corporate and home settings – have stumbled in their attempts to issue patches. It, in fact, may not be possible to come up with a patch that doesn’t drastically compromise performance or cause other unintended consequences.
“So far, the solutions offered by chip and OS vendors have required unacceptable tradeoffs,” said Satya Gupta, founder and CTO of Virsec. “Initial software patches have been ineffective or caused huge performance hits. Updating chip firmware is even riskier and can turn machines into bricks. And asking businesses to recompile all of their application code is a non-starter.”
Spectre makes the CPU vulnerable in a different way. It is possible for an attacker to trick the targeted CPU into conducting roque speculative execution routines – routines it normally would never do. The goal: to cause the kernel to leak data residing in memory.
Researchers at Virsec have been able to come up with several exploits that can do this. It’s complicated stuff, but if the good guys can do it, it is a safe bet that well-funded malicious parties certainly can, as well.
“We have reproduced powerful versions of Spectre and will demonstrate how it can be used to steal sensitive data at RSA,” said Gupta. “These threats won’t go away anytime soon, but we are developing ways to insulate applications and sensitive data from this and similar attacks.”
Dawning of ‘microcode’ attacks
Spectre and Meltdown represent a vast new attack surface at the deepest layer of the digital devices and supporting infrastructure that we take for granted – our smart phones, automobiles, home entertainment appliances.
And they represent the first of a type of vulnerability at the microcode layer, a layer no one was focused on, and now the best and brightest programmers, both white hat and black hat, certainly will drill down on. The security questions we’ve been tackling as part of pushing ahead with the Internet of Things, virtualization and cloud computing just redoubled in complexity.
“Clearly, we can’t be complacent with current security models,” said Raza. “As attacks find new ways to go below the radar we need to shift our mindset from chasing elusive external threats to identifying and stopping attacks on business crown jewels – their applications and data.”
Article By Byron V. Acohido, The Last Watchdog, April 9, 2018
(Editor’s note: Last Watchdog has supplied consulting services to Virsec.)