Spectre and Meltdown Malware: What You Need to Know

Posted by Instor on Feb 21, 2018 9:00:00 AM

Information security threats such as data breaches, ransomware, malware, viruses, trojans, zero-days, side-channel attacks, back doors, and many others are becoming almost the daily norm. Cyber attacks and statistics appear daily in international headlines, and many victims are never aware that they've been hacked. It's costly for all organizations. Not to be forgotten, and just as susceptible, are energy sectors and power grids, Supervisory Control and Data Acquisition (SCADA) systems, the Internet of Things (IoT), industrial control systems (ICS), trans-oceanic cables, and other infrastructure, where attacks are occurring more frequently.



How to Keep an Eye Out for Vulnerabilities

We have been at cyber war, and attacks are only increasing in frequency and sophistication – want proof? There are many reports that attempt to capture statistics, but the truth is that no one really knows the extent of the attacks until many months after the event, and then there are staggering costs associated with prevention and recovery.

Since New Year's, the latest and most severe threats are Meltdown and Spectre – vulnerabilities (“vulns”) that can lead to access to passwords and sensitive data. How serious a threat are they? Who is affected? How can a system be protected? What do IT managers and data center operators need to know about this new threat? Just to be clear, these vulns have not been exploited, but they leave a gaping security hole in many products built over the past two decades.

The National Cybersecurity and Communications Integration Center (NCCIC) initially discovered Spectre and Meltdown malware in early January 2018. These vulns include three variants that can infect mobile devices, computers, and the cloud and, more importantly, almost all computer chips manufactured within the past 20 years. The three fundamental variants listed in the Common Vulnerabilities and Exposures (CVE) library include:

The two primary techniques used to exploit these vulns are caching and speculative execution. The vulns are known to affect Intel and AMD CPUs, as well as ARM processors, by leaking information out of misspeculated execution and virtual memory reads, across security boundaries, through what is known as a side channel, to read privileged data. Before taking a deep dive, it helps to understand some terminology.

  • Cache data – this is the data which is resident in the main memory exclusive of the CPU.
  • Speculative execution – every CPU thread uses a pipelining engine to execute instruction code out of order due to caching. For every cache miss, there is a cumulative and increasing delay time associated with program execution. As a result, the CPU will execute in advance and out of order while awaiting memory to load.
  • Virtual memory – an abstract layer between physical memory devices and memory addresses – many apps require more memory so this facilitates the use and reuse of real memory storage.
  • Kernel Page Table Isolation (KPTI) – a relatively new feature that involves the system core which uses all available hardware unlike user-based security apps such as virtual memory. The kernel uses page tables to control mapping between virtual and physical addresses.
  • Bounds Check Bypass – uses existing code with privileged access, thereby permitting speculatively executed memory operations; this affects operating systems (OS) and virtual machine managers (VMM).
  • Branch Target Injection – properties of the CPU branch prediction features are supplanted using malicious software code which can infect firmware, OSes, and VMMs.

These vulns were first identified by various industry experts from the University of Adelaide, Graz University of Tech, University of MD, University of PA, and Google Project Zero. Of particular interest are the cloud providers that rely on Intel CPUs for virtualization and those without virtualization, including those using containers with shared kernels (e.g., Docker, OpenVZ, LXC, etc.).

There has been some confusion as to how to mitigate these vulns, with some sources citing where to obtain “patches” and other sources stating not to patch until all testing and validation have been completed. In the meantime we wait or attempt to triage, but beware of the fake sites.
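One way to cut through the patch confusion on a Linux host is to read what the kernel itself reports for each variant. The following is an added example, not part of the original post: it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, and the status strings in `constructed_sample()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

# sysfs directory where Linux kernels report per-issue mitigation status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> term used in the glossary above.
VARIANTS = {
    "spectre_v1": "Bounds Check Bypass",
    "spectre_v2": "Branch Target Injection",
    "meltdown": "Meltdown (mitigated by KPTI)",
}


def classify(status):
    """Map one kernel status line to OK / VULNERABLE / UNKNOWN."""
    text = status.strip()
    # Checked first so qualified lines such as
    # "Mitigation: ... - vulnerable module loaded" are not reported as OK.
    if "vulnerable" in text.lower():
        return "VULNERABLE"
    if text.startswith(("Not affected", "Mitigation:")):
        return "OK"
    return "UNKNOWN"  # empty or unrecognised text needs manual review


def audit(directory=SYSFS_DIR):
    """Return {file name: (glossary term, verdict, raw status)}."""
    report = {}
    for name, term in VARIANTS.items():
        path = Path(directory) / name
        # A missing file means this kernel does not report the issue at all.
        raw = path.read_text().strip() if path.is_file() else ""
        report[name] = (term, classify(raw), raw or "(not reported)")
    return report


def constructed_sample():
    """Create a temp directory of constructed status files for offline runs."""
    root = Path(tempfile.mkdtemp())
    (root / "meltdown").write_text("Mitigation: PTI\n")
    (root / "spectre_v1").write_text("Vulnerable\n")
    return root  # spectre_v2 left absent to exercise the UNKNOWN path


if __name__ == "__main__":
    target = SYSFS_DIR if SYSFS_DIR.is_dir() else constructed_sample()
    for name, (term, verdict, raw) in audit(target).items():
        print(f"{verdict:<10} {name:<11} {term}: {raw}")
```

An `UNKNOWN` verdict usually means the kernel predates this reporting interface, which is itself a sign the host has not received the relevant updates.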

It’s prudent to check with the vendors for remedies and a way forward from this cloud of confusion. In the meantime, you can monitor how the cyber war is going until these vulns finally get resolved:
