A newly disclosed processor vulnerability has quickly sparked the first major security panic of 2018. With terms like kernel page-table isolation, speculative execution, and cache timing flying around, it is difficult to grasp its full implications. Mix in names like Meltdown and Spectre and there is even more to digest before making an educated decision to patch, not patch, or burn down your data center. This post wrangles the whirlwind and breaks down the major components of the Spectre and Meltdown vulnerabilities.
Enterprise Compatibility
But first, let’s talk about the elephant in the room. Patches released by Microsoft today sparked concerns over how the updates impact speed and functionality of processors, as well as (in)compatibility with antivirus products. These patches do not impact the Endgame agent in any way, including our unique protections like Endgame’s hardware assisted control flow integrity (HA_CFI). In addition, Endgame does not interfere with patches being applied across the enterprise. Customers will see no performance impact after applying these patches. Patch away!
Making Sense of It All
So what does all of this talk of Spectre, Meltdown, and processor chips really mean? Modern processor architectures are highly optimized and parallelized. To achieve this level of efficiency, Intel, AMD, and ARM have invested heavily in designs that reorder work to keep the execution units busy: instructions are executed out of order, and when the CPU reaches an unresolved branch or a slow memory load it speculates, guessing the outcome, running ahead, and discarding the work if the guess turns out to be wrong. These operations are part of a cycle that fetches instructions and data from memory, executes them, and keeps frequently used data in fast caches close to the core. Properly optimizing this cycle can yield upwards of 30% in performance, without raising the clock frequency.
Unfortunately, this optimization comes at a price. Yesterday, multiple researchers revealed a significant side effect of it at the chip level. Speculatively executed instructions that turn out to be unneeded are rolled back architecturally, but the cache is not rolled back with them: whatever memory they touched is now cached. Given enough time and a timer fine enough to tell a cache hit from a cache miss (a difference of tens of nanoseconds, so cycle-level resolution such as rdtsc rather than microseconds), an attacker can measure which lines are cached and so infer the contents of memory regardless of the security boundaries enforced by the hypervisor, the operating system kernel, or user processes such as a web browser. These types of attacks fall into a category we call side-channel attacks, here specifically cache-timing attacks.
This vulnerability is significant because critical private data, such as encryption keys, passwords, and cookies, could potentially be stolen by unprivileged processes or across domain boundaries. For example, and hypothetically, a malicious ad served during a malvertising campaign could run code that leaks the cookies and other private data held by the user's browser. Alternatively, a cloud-hosted Linux system could hypothetically steal SSH keys from a completely different virtual machine on the same host.
Google's Project Zero technical post outlines three proof-of-concept attacks, which it calls Variant 1 (bounds check bypass, CVE-2017-5753), Variant 2 (branch target injection, CVE-2017-5715), and Variant 3 (rogue data cache load, CVE-2017-5754). Variants 1 and 2 are also known as Spectre, while Variant 3 is known as Meltdown. That post and the accompanying research papers provide exceptional detail and are recommended reading for the technical intricacies of these vulnerabilities. It is important to point out that Spectre affects Intel, ARM, and AMD processors, while Meltdown seems to affect only Intel CPUs.
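The two mechanisms described above, the cache-timing measurement from the earlier paragraphs and the Variant 1 bounds-check-bypass gadget, as an added C example. This is not code from this post, from Endgame, or from Project Zero; the array names array1 and array2, the 512-byte line stride, and the sample byte values are assumptions chosen for illustration. The first part is the Flush+Reload probe used to read the side channel (x86 only, since it needs clflush and rdtsc); the second shows the classic vulnerable bounds-checked read next to a hardened form that clamps the index with a branchless mask, the same construction the Linux kernel uses in its generic array_index_mask_nospec, so that a mispredicted bounds check cannot reach out-of-bounds memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ---- 1. Measuring the cache-timing side channel (x86 only) ----------- */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>            /* _mm_clflush, _mm_mfence, _mm_lfence, __rdtsc, __rdtscp */
#define HAVE_TIMING_PROBE 1

/* Evict one line from every cache level so the next access must go to DRAM. */
static void flush_line(const volatile void *p) {
    _mm_mfence();
    _mm_clflush((const void *)p);
    _mm_mfence();
}

/* Time a single load in TSC ticks. The fences keep the load from being
 * reordered outside the two timestamp reads. A cached line answers in a few
 * tens of ticks, an evicted one in a few hundred: that gap is the channel. */
static uint64_t time_load(const volatile uint8_t *p) {
    unsigned aux;
    _mm_mfence();
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    uint8_t v = *p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    (void)v;
    return t1 - t0;
}
#else
#define HAVE_TIMING_PROBE 0
#endif

/* ---- 2. A Variant 1 gadget and its speculation-safe rewrite ----------- */
#define ARRAY1_SIZE 16
#define LINE 512                  /* assumed stride: each byte value gets its own cache line */
/* constructed sample data, not a real secret */
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * LINE];

/* Vulnerable shape. Once the branch predictor has been trained to expect
 * x < ARRAY1_SIZE, a call with an out-of-bounds x (pointing at a secret byte
 * elsewhere in the address space) still runs both loads speculatively; the
 * secret selects which array2 line gets cached, and a Flush+Reload scan over
 * array2 recovers it. Architecturally the function never returns OOB data. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE];
    return 0;
}

/* All ones when index < size, zero otherwise, computed with plain arithmetic so
 * there is no branch for the predictor to guess around (same construction as the
 * Linux kernel's generic array_index_mask_nospec). size must not exceed SIZE_MAX/2. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t top = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;               /* top == 0 -> ~0 (in bounds); top == 1 -> 0 */
}

/* Clamp index to 0 when out of bounds, even on a mispredicted path. The empty
 * asm hides index from the optimiser so it cannot prove the mask is always ~0
 * inside the bounds check and fold it away. */
size_t clamped_index(size_t index, size_t size) {
    __asm__ __volatile__("" : "+r"(index));
    return index & index_mask_nospec(index, size);
}

uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamped_index(x, ARRAY1_SIZE);   /* speculative OOB x becomes 0, never a secret */
        return array2[array1[x] * LINE];
    }
    return 0;
}

int main(void) {
#if HAVE_TIMING_PROBE
    static uint8_t buf[4 * 64];
    volatile uint8_t *line = buf + 64;       /* a line of our own to flush and reload */
    uint64_t flushed = UINT64_MAX, cached = UINT64_MAX;
    for (int i = 0; i < 200; i++) {          /* take minima: interrupts only ever add time */
        flush_line(line);
        uint64_t t = time_load(line);
        if (t < flushed) flushed = t;
        t = time_load(line);                 /* second access hits the line just loaded */
        if (t < cached) cached = t;
    }
    printf("min load time: flushed %llu ticks, cached %llu ticks\n",
           (unsigned long long)flushed, (unsigned long long)cached);
#else
    puts("timing probe needs x86 clflush/rdtsc; skipping");
#endif
    printf("clamped_index: 15/16 -> %zu, 16/16 -> %zu, SIZE_MAX/16 -> %zu\n",
           clamped_index(15, ARRAY1_SIZE), clamped_index(16, ARRAY1_SIZE),
           clamped_index(SIZE_MAX, ARRAY1_SIZE));
    return 0;
}
```

Compile with `gcc -O2` and run; on an x86 machine the flushed load takes several times longer than the cached one (absolute tick counts vary by CPU and virtualization, which is why the probe reports minima rather than averages). The hardened gadget has exactly the same architectural behaviour as the vulnerable one; what changes is that on the mispredicted path the index is forced to 0 instead of being trusted, so no secret-dependent line is ever brought into the cache.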
Assuming Breach
Given the omnipresence of this vulnerability in virtually all machines, it is essential to focus on post-compromise responses instead of hoping for the best. Endgame's protections apply across the breadth of the MITRE ATT&CK Matrix, and therefore provide holistic coverage against a range of delivery mechanisms, including those used in these attacks. Although definitive protection will come only when Intel and the other vendors fix their processors, Endgame's multi-layer approach is well-positioned to stop a targeted attack leveraging these new exploits before damage and loss occur.