
Spectre and Meltdown Vulnerabilities: Cutting to the Chase


Well, 2018 is officially here in the cybersecurity world, as the latest vulnerabilities to hit the web, Spectre and Meltdown, are here with a vengeance.


It appears these nefarious entities have delivered a whole new class of vulnerabilities affecting almost all desktops, laptops, and phones.

No need to get into the gory details as many others have done a great job there. In summary, it is a vulnerability that involves virtual memory and the impact is wide-ranging — affecting all operating systems that implement virtual memory and might involve a hardware fix (i.e. throw out your server and start over).

Intel uses "Speculative Execution," a technique used by most modern processors (CPUs) to optimize performance. This is similar to branch prediction and goes even further, evaluating code ahead of time to get increased speeds. Testing by Google showed that an attacker running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host — revealing the contents of kernel memory from a user application.

To do this, an attacker might read a kernel memory location directly from a piece of malicious code. The processor will then "speculate" that the read will succeed and retrieves the value at that address, only later discovering that the access is a violation and discarding the results.

What this means is that if the attacker does something like:

  1. Read the memory from KernelAddress1 into a register as an integer (illegal).
  2. Read the memory from (UserspaceAddress1 + the result of that last operation).

There is a possibility that step 2 will execute before the fault from step 1 has been recognized. It may also be possible that, as a result of step 2 running, the data at (UserspaceAddress1 + KernelReadResult) will be loaded into the cache so that later accesses to it are fast.

This means that after the fault has occurred, an attacker can monitor the time it takes to read from this same userspace memory location to determine whether that value has been read before, thus determining the value of that protected kernel memory.

By carefully organizing memory in userspace, it's possible that an attacker can leverage these optimizations to learn what the value of kernel memory is at any arbitrary location. In simpler terms, think of it as an escalation of privilege followed by information disclosure.

To compound the issue, disabling this will likely cause a 10-20% performance hit for pretty much all applications everywhere.

So What Does This Mean for You?

If you are using a modern machine, you are most likely affected by this vulnerability. If you are hosting VMs or are running software in a cloud environment, there is a risk that attackers on the same hardware will target your system to steal sensitive data. If you are an end user, it is more important than ever to be vigilant of what code is running on your machine and avoid visiting malicious websites which might be using JavaScript to target your system.

Overall, the most important thing is to keep your systems patched and updated as quickly and as often as possible. Teams across all areas of technology (browsers, operating systems, cloud) are working around the clock to provide mitigations against this new category of vulnerabilities, so it is important to stay up to date in order to receive the benefit of these new protections.
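One concrete way to confirm that those mitigations have actually landed on a Linux host, as an added example that is not part of the original article: kernels from 4.15 onward report a status line per issue under /sys/devices/system/cpu/vulnerabilities/, and this script reads and classifies the three entries that correspond to the CVEs named in this article. The sysfs path, file names and status wording are taken from the kernel's documented interface; the mapping to CVE numbers is supplied here as an assumption for labelling only.

```python
"""Report Spectre/Meltdown mitigation status from the Linux kernel's sysfs interface."""
from pathlib import Path

# Kernel-exported status files (Linux 4.15+). CVE labels are assumed here for display.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
}


def classify(status: str) -> str:
    """Map one sysfs status line to: mitigated, vulnerable, not_affected or unknown.

    The kernel writes lines such as "Mitigation: PTI", "Vulnerable",
    "Vulnerable: Minimal generic ASM retpoline" or "Not affected".
    """
    line = status.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    # Empty or unrecognised text (e.g. a kernel too old to report) is NOT treated as safe.
    return "unknown"


def assess(raw_status: dict) -> dict:
    """Classify a {issue_name: raw_line} mapping; issues with no line become 'unknown'."""
    return {name: classify(raw_status.get(name, "")) for name in ISSUES}


def read_status(sysfs_dir: Path = SYSFS_DIR) -> dict:
    """Read the raw status lines from sysfs; a missing file yields an empty string."""
    raw = {}
    for name in ISSUES:
        try:
            raw[name] = (sysfs_dir / name).read_text()
        except OSError:
            raw[name] = ""
    return raw


def needs_attention(report: dict) -> list:
    """Issues that are vulnerable or unknown: both warrant patching or investigation."""
    return sorted(name for name, cls in report.items() if cls in ("vulnerable", "unknown"))


if __name__ == "__main__":
    raw = read_status()
    report = assess(raw)
    for name, cls in report.items():
        print(f"{name:11} {ISSUES[name]}  {cls:13} {raw[name].strip()}")
    raise SystemExit(1 if needs_attention(report) else 0)
```

Run it as a post-patch check or from a configuration-management agent; a non-zero exit means at least one of the three issues is still unmitigated or could not be determined.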

It appears that there are three variants of the issue (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754). The mapping is as follows:



Whitepapers for each:

Spectre - https://spectreattack.com/spectre.pdf

Meltdown - https://meltdownattack.com/meltdown.pdf


Published at DZone with permission of
