WHEN
On January 3, 2018, a group of security experts announced the discovery of two security flaws so pervasive that they virtually stopped every security officer in their tracks.
WHAT
They revealed two security flaws that could allow hackers to lift passwords, photos, documents and other data from smartphones, PCs and the cloud computing services that many businesses rely on. They affect nearly all microprocessors, the digital brains of the world’s computers. These flaws were named Meltdown and Spectre.
Meltdown vulnerability
Rogue data cache load
The first vulnerability, known as Meltdown, is surprisingly simple to explain and almost trivial to exploit. It takes advantage of the CPU’s speculative execution, which for performance reasons runs instructions ahead of the current one, including instructions that follow one that will fault. During that window the speculated instructions can touch kernel memory and leave traces of it in the cache; the attacker then uses operating system functionality to trap the resulting fault and continue execution. The exploit code roughly looks like the following:
1. uint8_t* probe_array = new uint8_t[256 * 4096];
2. // ... Make sure probe_array is not cached
3. uint8_t kernel_memory = *(uint8_t*)(kernel_address);
4. uint64_t final_kernel_memory = kernel_memory * 4096;
5. uint8_t dummy = probe_array[final_kernel_memory];
6. // ... catch page fault
7. // ... determine which of 256 slots in probe_array is cached
Let’s take each step above, describe what it does, and how it leads to being able to read the memory of the entire computer from a user program.
- In the first line, a “probe array” is allocated. This is memory in our process which is used as a side channel to retrieve data from the kernel. How this is done will become apparent soon.
- Following the allocation, the attacker makes sure that none of the memory in the probe array is cached. There are various ways of accomplishing this, the simplest of which includes CPU-specific instructions to clear a memory location from cache.
- The attacker then proceeds to read a byte from the kernel’s address space. Just know that all modern kernels typically map the entire kernel virtual address space into the page tables of every user process. Operating systems rely on the fact that each page table entry has permission settings, and that user mode programs are not allowed to access kernel memory. Any such access will result in a page fault. That is indeed what will eventually happen at step 3.
- However, modern processors also perform speculative execution and will execute ahead of the faulting instruction. Thus, steps 3–5 may execute in the CPU’s pipeline before the fault is raised. In this step, the byte of kernel memory (which ranges from 0–255) is multiplied by the page size of the system, which is typically 4096.
- In this step, the multiplied byte of kernel memory is then used to read from the probe array into a dummy value. The multiplication of the byte by 4096 is to avoid a CPU feature called the “prefetcher” from reading more data than we want into the cache.
- By this step, the CPU has realized its mistake and rolled back to step 3. However, the results of the speculated instructions are still visible in cache. The attacker uses operating system functionality to trap the faulting instruction and continue execution (e.g., handling SIGSEGV).
- In step 7, the attacker iterates through and sees how long it takes to read each of the 256 possible bytes in the probe array that could have been indexed by the kernel memory. The CPU will have loaded one of the locations into cache and this location will load substantially faster than all the other locations (which need to be read from main memory). This location is the value of the byte in kernel memory.
Using the above technique, and the fact that it is standard practice for modern operating systems to map all of physical memory into the kernel virtual address space, an attacker can read the computer’s entire physical memory.
Now, you might be wondering: “You said that page tables have permission bits. How can it be that user mode code was able to speculatively access kernel memory?” The reason is that this is a bug in Intel processors. In my opinion, there is no good reason, performance or otherwise, for this to be possible. Recall that all virtual memory access must occur through the TLB. It is easily possible during speculative execution to check that a cached mapping has permissions compatible with the current running privilege level. Intel hardware simply does not do this. Other processor vendors do perform a permission check and block speculative execution. Thus, as far as we know, Meltdown is an Intel-only vulnerability.
Spectre vulnerability
Spectre shares some properties of Meltdown and is composed of two variants. Unlike Meltdown, Spectre is substantially harder to exploit, but affects almost all modern processors produced in the last twenty years. Essentially, Spectre is an attack against modern CPU and operating system design rather than a specific security vulnerability.
Bounds check bypass (Spectre variant 1)
The first Spectre variant is known as “bounds check bypass.” This is demonstrated in the following code snippet (which is the same code snippet I used to introduce speculative execution above).
if (x < array1_size) {
    y = array2[array1[x] * 256];
}
In the previous example, assume the following sequence of events:
- The attacker controls x.
- array1_size is not cached.
- array1 is cached.
- The CPU guesses that x is less than array1_size. (CPUs employ various proprietary algorithms and heuristics to determine whether to speculate, which is why attack details for Spectre vary between processor vendors and models.)
- The CPU executes the body of the if statement while it is waiting for array1_size to load, affecting the cache in a similar manner to Meltdown.
- The attacker can then determine the actual value of array1[x] via one of various methods. (See the research paper for more details of cache inference attacks.)
Spectre is considerably more difficult to exploit than Meltdown because this vulnerability does not depend on privilege escalation. The attacker must convince the kernel to run code and speculate incorrectly. Typically the attacker must poison the speculation engine and fool it into guessing incorrectly. That said, researchers have shown several proof-of-concept exploits.
Recall that indirect branching is very common in modern programs. Variant 2 of Spectre utilizes indirect branch prediction to poison the CPU into speculatively executing into a memory location that it never would have otherwise executed. If executing those instructions can leave state behind in the cache that can be detected using cache inference attacks, the attacker can then dump all of kernel memory. Like Spectre variant 1, Spectre variant 2 is much harder to exploit than Meltdown; however, researchers have demonstrated working proof-of-concept exploits of variant 2.
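As an added example that is not part of the original post, here is the bounds-check snippet from the variant 1 discussion beside a hardened form. The hardening uses branchless index masking, the same approach as the Linux kernel’s array_index_nospec(), written out here with unsigned arithmetic; array1, array2 and the function names are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data standing in for the post's array1/array2. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 256];          /* indexed by array1[x] * 256 */
static size_t array1_size = ARRAY1_SIZE;

/* Fill array2 so that array2[v * 256] == v; lets a caller see which
 * array1 byte selected the line (constructed helper). */
void init_array2(void) {
    for (size_t v = 0; v < 256; v++) array2[v * 256] = (uint8_t)v;
}

/* The snippet from the post. Architecturally correct, but while the
 * load of array1_size is outstanding the CPU may predict the branch
 * as taken and speculatively read array1[x] for an out-of-bounds x. */
uint8_t victim_unhardened(size_t x) {
    if (x < array1_size) return array2[array1[x] * 256];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. The
 * top bit of (index | (size - 1 - index)) is set exactly when index
 * is out of range (assumes 0 < size < SIZE_MAX / 2). */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1;                        /* oob is 1 -> mask 0, oob is 0 -> ~0 */
}

/* Hardened form: the index is clamped through data dependencies only,
 * so a mispredicted branch cannot make array1[x] read past the array. */
uint8_t victim_hardened(size_t x) {
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);
        return array2[array1[x] * 256];
    }
    return 0;
}

int main(void) {
    init_array2();
    printf("in bounds  x=3:   %u\n", victim_hardened(3));     /* 4 */
    printf("out of bounds x=99: %u\n", victim_hardened(99));  /* 0 */
    return 0;
}
```

The masking only matters for the speculative path; for every in-bounds index both functions return the same value, which is what the assertions check.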
WHERE
Both issues reside in the computer chips themselves, a consequence of the way the chips are designed. Meltdown affects most processors made by Intel, the company that supplies the chips for a majority of PCs and more than 90 percent of computer servers.
Spectre is far more difficult for hackers to exploit. But it is even more pervasive, affecting Intel chips, microprocessors from the longtime Intel rival AMD and the many chips that use designs from the British company ARM. Your smartphone most likely contains an ARM chip.
WHY
Why should people be concerned? Both flaws provide hackers with a way of stealing data, including passwords and other sensitive information. If hackers manage to get software running on one of these chips, they can grab data from other software running on the same machine. This is a particular issue on cloud computing services.
WHO
So who is trying to fix these vulnerabilities? Meltdown can be fixed by installing a software “patch” on the machine. Microsoft has released a patch for PCs that use its Windows operating system. Apple said it had released software patches for iOS, Macs and the Apple TV that help mitigate the issue. Intel is also working on updates to help fix the problem. The onus is now on consumers and businesses to install the fix on their machines.
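One way to confirm that a patch is actually in place on a Linux machine, added here as an example that is not part of the original post: from kernel 4.15 on, the kernel reports its status for each flaw under /sys/devices/system/cpu/vulnerabilities/. This program reads the meltdown, spectre_v1 and spectre_v2 entries and classifies the text; the state names and the treatment of a missing file as “unknown” are this example’s own conventions.

```c
#include <stdio.h>
#include <string.h>

/* States derived from one entry under /sys/devices/system/cpu/vulnerabilities/. */
enum mitig_state { MITIG_UNKNOWN, MITIG_NOT_AFFECTED, MITIG_VULNERABLE, MITIG_MITIGATED };

/* Classify the one-line status text the kernel exposes. The kernel
 * writes "Not affected", "Vulnerable[: detail]" or "Mitigation: <name>",
 * so a prefix match is enough. */
enum mitig_state classify_status(const char *s) {
    if (strncmp(s, "Not affected", 12) == 0) return MITIG_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return MITIG_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return MITIG_VULNERABLE;
    return MITIG_UNKNOWN;
}

/* Read one entry into buf and classify it. A missing file means the
 * running kernel predates the interface, which is itself a finding:
 * such a kernel also predates the Meltdown fix (KPTI). */
enum mitig_state check_entry(const char *name, char *buf, size_t len) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) {
        snprintf(buf, len, "(not reported by this kernel)");
        return MITIG_UNKNOWN;
    }
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';        /* drop the trailing newline */
    return classify_status(buf);
}

static const char *state_name(enum mitig_state st) {
    switch (st) {
    case MITIG_NOT_AFFECTED: return "not affected";
    case MITIG_VULNERABLE:   return "VULNERABLE";
    case MITIG_MITIGATED:    return "mitigated";
    default:                 return "unknown";
    }
}

int main(void) {
    const char *names[] = {"meltdown", "spectre_v1", "spectre_v2"};
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum mitig_state st = check_entry(names[i], buf, sizeof buf);
        printf("%-11s %-12s %s\n", names[i], state_name(st), buf);
    }
    return 0;
}
```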
HOW
Keep your software up-to-date. That includes your operating system and apps like your web browser and antivirus software. Microsoft, Mozilla and Google have already released patches for Internet Explorer, Firefox and Chrome to help address the problem. Installing an ad blocker on your web browser is also a safeguard, according to security experts. Even the largest websites do not have tight control over the ads that appear on their sites — sometimes malicious code can appear inside their ad networks. A popular ad blocker among security researchers is uBlock Origin.
“The real problem is ads are dangerous,” said Jeremiah Grossman, the head of security strategy for SentinelOne, a computer security company. “They’re fully functioning programs, and they carry malware.”
How do I update my software?
Your operating system and apps typically have a button you can click to check for software updates. For example, in Google’s Chrome browser on a computer, you can click on the three dots in the upper-right corner and click Update Google Chrome. To update Windows, click the Start button and click through these buttons: Settings, Update & security, Windows Update and Check for updates. To update the Mac system, open the App Store app and check the Updates tab for the latest software. Don’t procrastinate. Last year, a piece of malware called WannaCry infected hundreds of thousands of Windows machines worldwide. Microsoft had released an update before the attack, but many machines were behind on downloading the latest security updates.
Clouds in my Coffee?
Amazon, Google and Microsoft said that they had already patched most of the servers that underpin their cloud computing services, and that this largely addresses the problem. But Amazon and Google also said customers might need to make additional changes. To share computing power with customers, cloud services offer “virtual machines.” These are computers that exist only in digital form. Customers use these virtual machines to run their own software. After Amazon, Google and Microsoft update their machines, customers may have to update the operating systems running on their own virtual machines to guard against some exploits.
So that’s it? NOPE…
So, once updated, are we all safe? No. The researchers who discovered Meltdown said that patching systems would slow them down by as much as 30 percent in certain situations. That could be a problem for big cloud systems. Independent software developers also ran tests on a patched version of Linux, the open-source operating system that now drives more than 30 percent of the world’s servers, and saw similar slowdowns.
“There are many cases where the performance impact is zero,” said Andres Freund, a software developer who has tested the new code. “But if you are running something like a payment system, where a lot of small changes are made to data, it looks like there will be a significant performance impact.”
Consumers are less likely to be affected, and Mr. Kocher said slowdowns could dissipate over time as companies refined their patches.
Only a Partial Fix
According to the researchers who discovered these flaws, including security experts at Google, the memory chip maker Rambus and various academic institutions, Spectre can’t be completely fixed. But patches can solve the problems in some situations. Intel and Microsoft and others said the same.
Looks like I Picked a Wrong Time to Quit Smoking
Spectre can be fixed? No, according to the researchers. But if it’s any comfort at all, Spectre is much more difficult than Meltdown for hackers to exploit. Similar to Meltdown, Spectre can steal information from one application and share it with another. For example, an app you download from the web could steal information like passwords from other software on a computer.
On Wednesday, the Department of Homeland Security issued an alert that said the only solution to the threats posed by Meltdown and Spectre would be a full replacement of the chips. But that does not seem feasible, given how many machines are involved. “Spectre is going to be with us a lot longer,” Mr. Kocher said.
An Intel vice president, Donald Parker, is adamant that the company’s chips will not need to be replaced. He said that with software patches and “firmware updates” — a way of updating code on the chip itself — Intel and other companies could “mitigate the issues.”
___________________________________________
We would like to thank our sponsors, for without them - our fine content wouldn't be deliverable!
Source(s)
- https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html
- https://www.nytimes.com/2018/01/04/technology/meltdown-spectre-questions.html
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502