Paul Fenwick @pjf, 10 tweets, 3 min read
Some of you might be hearing about #Spectre and #Meltdown today, which allow memory from other processes and the kernel itself to be read. They exploit CPU designs.

I'm still doing my reading, but a good place to start if you're technically inclined is spectreattack.com
Spectre involves training the CPU to speculatively run invalid code in the victim's address space, and then using a side-channel (such as cache timings) to infer details about the victim's memory.

It affects at least AMD, Intel and ARM CPUs

The sample exploit reads 10KB/s.
Spectre also includes sample code for breaking out of the JavaScript sandbox on Chrome.

It's very, very clever.
#Meltdown works by exploiting the fact that CPUs will execute instructions ahead of the "current" instruction as a means of optimisation.

It's possible to observe the side-effects of instructions that were executed but never committed.
Meltdown reads from kernel memory (an illegal op), then uses that read times the page size to make a second memory access.

By observing cache hits and misses, you can infer the memory that was read by the invalid-and-discarded operation.

Which means you can read kernel memory.
By use of some clever optimisations, #Meltdown kernel dumping at a speed of 122KB/s is possible.

On modern (Broadwell+) Intel CPUs, a speed of 502KB/s is achieved.
In addition, because kernel memory usually maps the physical address space, #Meltdown can read most (on unpatched Windows) or all (on unpatched Linux) physical memory.

So it can and does break containers, virtual machines, and everything else we rely upon.
The good news is that #Meltdown can be defended against with a series of kernel patches. On Linux these are known as KPTI (formerly KAISER).

These exist in Linux 4.15, 4.14.11, Windows 10 Build 17035, and OSX 10.13.2.

Upgrade your systems if you haven't already done so.
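A way to verify that the KPTI patches mentioned above actually took effect on a Linux host. This is an added example, not part of Paul's thread: from Linux 4.15 onwards the kernel reports one file per hardware issue under /sys/devices/system/cpu/vulnerabilities/ (reading "Not affected", "Vulnerable…" or "Mitigation: …"; for Meltdown the mitigation name is "PTI"), and /proc/cpuinfo carries a "bugs" field listing the flaws the CPU itself is affected by. The script reads both and lists what is still open. The sample strings in the test and the `__main__` block are constructed; the function names are my own.

```python
"""Report the kernel's own view of Meltdown/Spectre mitigation status.

Added example (not from the thread). Reads the sysfs vulnerability files that
exist since Linux 4.15 and the 'bugs' line of /proc/cpuinfo; a kernel too old
to expose either predates KPTI and is reported as 'unknown'.
"""
from pathlib import Path
from typing import Dict, List, Set

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# The three issues discussed in the thread; newer kernels add more files,
# which read_statuses() picks up automatically when it scans the directory.
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to 'mitigated', 'not_affected',
    'vulnerable' or 'unknown' (kernel wrote something unexpected)."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(vuln_dir: Path = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read every file under the vulnerabilities directory.
    A missing directory (pre-4.15 kernel or non-Linux host) yields {}."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(vuln_dir.iterdir()) if p.is_file()}


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify each reported issue. With no sysfs report at all, the three
    issues from the thread are marked 'unknown' rather than assumed safe."""
    if not statuses:
        return {name: "unknown" for name in CHECKED}
    return {name: classify(text) for name, text in statuses.items()}


def open_issues(assessment: Dict[str, str]) -> List[str]:
    """Names that still need attention: vulnerable or not reported."""
    return sorted(n for n, c in assessment.items()
                  if c in ("vulnerable", "unknown"))


def affected_from_cpuinfo(cpuinfo_text: str) -> Set[str]:
    """Parse the 'bugs' field of /proc/cpuinfo into a set of flag names
    (e.g. 'cpu_meltdown', 'spectre_v1'). This says what the silicon is
    affected by, independent of whether the kernel mitigates it."""
    flags: Set[str] = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "bugs":
            flags.update(value.split())
    return flags


if __name__ == "__main__":
    assessment = assess(read_statuses())
    for name, verdict in sorted(assessment.items()):
        print(f"{name:<24} {verdict}")
    cpuinfo = Path("/proc/cpuinfo")
    if cpuinfo.is_file():
        print("CPU reports bugs:", " ".join(sorted(affected_from_cpuinfo(cpuinfo.read_text()))))
    print("still open:", ", ".join(open_issues(assessment)) or "none")
```

On a patched host the meltdown line reads "Mitigation: PTI"; a host that shows "Vulnerable" for meltdown while /proc/cpuinfo lists cpu_meltdown is running either an unpatched kernel or one booted with page-table isolation disabled, and is the case the thread's "upgrade your systems" advice is about.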
Both of these vulnerabilities are scary.

Meltdown because lots of devices won't get patched.

Spectre because it seems to be extremely challenging to patch at all. It's named because it will "haunt us for some time".
We're seeing a lot more vulnerabilities exploiting flaws & artefacts of hardware.

Rowhammer changes memory by using voltage fluctuations to flip bits.

I've seen ssh sessions run over cache invalidation channels between VMs.

I don't think Spectre and Meltdown will be the last.