The race to patch against the Meltdown and Spectre processor vulnerabilities disclosed last week is on. As of today, there are no known exploits in the wild impacting vulnerable Intel, AMD and ARM devices.
Currently, vendors are focused on three main mitigation efforts. Patches that address the Meltdown flaws are KPTI (Kernel Page Table Isolation) and KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed). On Thursday, Google unveiled a Retpoline coding technique for mitigating against Spectre attacks.
Intel said last week that it is “rapidly issuing updates for all types of Intel-based computer systems” that include software patches and firmware updates that will “immunize” more than 90 percent of processors introduced in the past five years. By the end of this week those ambitious patching efforts will be complete, Intel said.
Security experts say two vectors that exploit Spectre will be particularly challenging to “immunize.”
Currently known methods for exploiting Meltdown and Spectre are identified as variants “bounds check bypass” (CVE-2017-5753/Spectre/variant 1), “branch target injection” (CVE-2017-5715/Spectre/variant 2) and “rogue data cache load” (CVE-2017-5754/Meltdown/variant 3).
“Meltdown is a well-defined vulnerability where a user-mode program can access privileged kernel-mode memory. This makes patching Meltdown much easier than Spectre by ensuring kernel memory is unmapped from a user-mode, which is what we see in the form of kernel page-table isolation (KPTI),” said Jeff Tang, senior security researcher at Cylance.
Spectre is much more difficult to attack to carry out because it breaks the isolation between different applications, researchers say. But at the same time, it will also be harder to patch.
Ben Carr, VP of strategy at Cyberbit, said there is not a single patch that can be applied for Spectre and mitigation efforts will require ongoing efforts. He said Spectre attacks do not rely on a specific feature of a single processor’s memory management and protection system, making future attacks part of a generalized strategy to undermine a CPU.
“In the case of Spectre, it is a class of attack not a specific vulnerability… Exploits are based on the side effects of speculative execution, specifically branch prediction. This type of exploit will be tailored and continue to morph and change making patching extremely difficult,” Carr said.
Researchers say, Spectre also represents a larger challenge to the industry because it requires a greater degree of coordination among stakeholders to mitigate.
Exploits targeting Spectre variant 1 (bounds check bypass) requires custom compiled binaries from vendors. Fixing variant 2 (branch target injection) entails a microcode update, which will be delivered through Intel OEM partners, as well as a patched OS kernel which leverages the microcode update, said Alex Ionescu, vice president of EDR strategy at CrowdStrike.
“All major browsers have provided patches, and Linux’s kernel JIT engine needs a patch as well. Other JIT-type applications/libraries/kernel components which run arbitrary code will require individual patches,” Ionescu said of variant 1.
Microsoft Windows kernel has a patch available to leverage an update for variant 2, and Linux is currently merging a fix into their mainline kernel for release to distributions, Ionescu said.
Because Spectre patches require mitigation techniques that don’t exist, software vendors need to update their compiler infrastructure and recompile their products for patches, researchers said. Next, users need to update their software.
“That’s quite the pipeline in order to address just one vulnerability with a massive window of opportunity for nefarious actors to cause mischief,” Tang said.
There is also a greater sense of urgency with Spectre. A Meltdown attack scenario requires an attacker to already have a foothold on the targeted system. Spectre opens up certain types of remote attack scenarios such as browser-based attacks, said Jimmy Graham, director of product management at Qualys.
“A JavaScript attack being able to pull memory contents of the browser and could result in pulling credentials and session keys, which bypasses a lot of a lot of security protections,” Graham said.
Last week Mozilla, along with Microsoft and Google, updated the code in their browsers to increase them time it takes to execute certain JavaScript commands that could exploit the Spectre flaws, making it exponentially harder – but not impossible – to exploit.
Lastly, experts also claim patches for Spectre negatively impact CPU performance to a greater degree than Meltdown patches, something that could dissuade some from patching.
Google said its Retpoline patch for Spectre and Meltdown have a “negligible” impact on CPU performance. Retpoline has already been deployed by in the Google Cloud infrastructure, with no significant impact on speeds, according to the company.
The Retpoline technique focuses on mitigating one of the three variants involved in the new attacks (branch target injection/variant 2), considered the most difficult of the three to address. The patch technique is described as “a specially contrived way to run operating system kernel code that prevents incorrect branch speculation,” said Jon Masters, chief ARM architect with Red Hat in a blog post.
The fix requires CPU vendors to have kernel with countermeasures, such as microcode updates, already in place. Intel said that it would issue its own microcode updates to address the issue. AMD said a microcode update to disable branch prediction is now available.
“The Retpoline technique is currently being introduced to the Clang/LLVM compiler as a mitigation for one variant of the Spectre vulnerability,” Tang said. “However, the LLVM compiler is predominantly used by Apple’s macOS, certain Linux and BSD distributions, and Google Chrome. Missing from this list is Microsoft Windows and other popular programs for Microsoft Windows that typically use Microsoft’s C/C++ compiler.”
Experts point out each of the patches don’t remove the threat of attacks, just reduce by varying degrees the likelihood an attacker will be successful. They maintain the only the only true fix is replacing a computer’s CPU.
“Given the increased scrutiny of speculative execution attacks (aka side channel attacks) and the fact that the available updates are merely mitigations, we may see some very creative workarounds that continue to give these vulnerabilities additional lifespan if not new vulnerabilities within the same class,” Tang said.
He said the same way buffer-overflow vulnerabilities and Heartbleed lead to years of vulnerable programs, Meltdown and Spectre will have a similar impact on the security landscape.