Clever Geek Handbook
📜 ⬆️ ⬇️

Meltdown (vulnerability)

Vulnerability logo

Meltdown is a third-party channel leakage hardware vulnerability found in a number of microprocessors, in particular, from Intel and ARM architectures . Meltdown uses the error of the implementation of speculative command execution in some Intel and ARM processors (but not AMD [1] [2] ), due to which the processor ignores page access rights during speculative execution of memory read instructions.

Vulnerability allows a local attacker (when starting a special program) to gain unauthorized read access to privileged memory (memory used by the operating system kernel). [3] [4] [5] .

Attack was allocated CVE -vulnerability identifier CVE-2017-5754 [6] .

History

The Meltdown attack was independently discovered by researchers from Google , Cyberus Technology, and Graz University of Technology in mid-2017 and was at the stage of closed discussion and correction for several months. The publication of detailed information and corrections was scheduled for January 9, 2018, but the details of the vulnerability were made public on January 4, 2018 at the same time as Specter’s attack, due to publications of The Register journalists [7] who learned about the KAISER / KPTI fixes from the Linux kernel distribution list [8] .

Short Description

The possibility of an attack is generated by three mechanisms that allow the processor to speed up, and each of these mechanisms separately does not create vulnerabilities:

  • Profound speculative execution of operations, including reading from RAM without checking the process access rights to readable areas. If, as a result, speculative execution will be recognized as erroneous, then an exception on access to the forbidden memory area is not generated, and the results of loading data into the registers are simply canceled.
  • The absence of clearing the cache of the results of an erroneous speculative execution (such a cleaning would probably reduce the speed of the processor). Formally, the contents of the cache is not available to the program directly; but an analysis of the access time to individual memory cells may indirectly indicate whether specific data is in the cache or not (in this case, whether this data was loaded during the speculative execution of commands).
  • The kernel of the operating system keeps its data in the address space of the process, protecting it from access by privilege level. This technology allows you to quickly perform system calls. With such calls, the privilege level rises, and when you return, the privilege level drops again, and you do not need to reload the page descriptor table.

Modern high-performance microprocessors have the ability to execute a new code, without waiting for the end of the execution of previous actions. For example, if a branch instruction is waiting for data from RAM to make a decision, an idle processor can start executing one of the branch directions (and in some architectures, even both branches) in the hope of having a ready result of the calculations by the time the branch result becomes known. This technique is called speculative execution. In the case of a successful guessing, a speculatively executed code changes the visible values ​​of the registers (architectural state), and execution will continue. If the execution branch was assumed incorrectly, the commands from it do not change the visible state of the processor, and the actual execution will be returned to the branch point.

Due to the nature of a number of implementations, during speculative execution, memory access is actually carried out regardless of the access rights of the executable process to this memory; This allows you to execute commands without waiting for a response from the memory controller . If later this branch of speculative execution turns out to be correct, then an exception of erroneous memory access will be generated. If the branch is rejected as erroneous, the exception will not be generated; but the variables loaded into the cache during the execution of the branch will remain in the cache. Accordingly, the authors of the attack proposed a method for analyzing the availability of data in the cache (based on the access time to them), which, if properly constructed, could give an idea of ​​what was happening in the rejected branch of speculative execution and the content of more privileged memory.

Mechanism

The attack can be carried out approximately as follows. [9]

To read bit 0 from protected memory A p , attacking:

  1. Clears the cache for the addresses A0 u and A1 u (from the attacker's address space available for reading / writing)
  2. Performs branching on a condition known to the attacker
  3. In the code branch, which, according to the condition, should never be executed (but will be executed with speculative execution):
  4. Reads the value of V (A p ) from the protected area of ​​memory at A p
  5. By performing a bitwise operation on the value of V (A p ), it obtains the address A0 u or A1 u
  6. Reads memory at the received address (A0 u or A1 u )

In normal execution, step 4 causes a protection error, but at the speculative execution stage on vulnerable architectures, this error is temporarily ignored, continuing to perform steps 5 and 6. As a result, one of the values ​​is loaded into the cache - from the address A0 u or A1 u . After finding out the branch condition, the processor cancels all the results of steps 4, 5 and 6, but the cache state remains unchanged.

After that, it is enough for the attacker to read “his” addresses A0 u and A1 u , measuring the time of access to them. And based on the measurements, determine which bit (0 or 1) was read from the protected area of ​​the memory A p .

Repeating this algorithm for other bits of the value of V (A p ), you can get the entire contents of the protected memory area entirely.

Impact

According to the researchers, "any microprocessor from Intel, which implements an extraordinary performance , is potentially subject to attack, that is, any processor since 1995 (except for Intel Itanium and Intel Atom , released before 2013)." [10]

The vulnerability is expected to affect the world's largest cloud providers , in particular, Amazon Web Services (AWS) [11] , Google Cloud Platform , Microsoft Azure . Cloud providers allow different users to run their applications on shared physical servers. Since programs can process sensitive user data, the protection and isolation measures provided by the processor are used to prevent unauthorized access to privileged memory (used by the OS kernel). The Meltdown attack, when used on systems that do not implement software protection (patches), allows you to bypass some of the memory isolation measures and gain read access to the operating system memory.

One of the authors of the publication on the vulnerability indicates that para-virtualization systems ( Xen ) and container systems ( Docker , LXC , Openvz , etc.) are also subject to attack [12] . Systems with full virtualization allow user applications to read only the memory of the guest core, but not the memory of the host system.

Software fixes

There is a reliable software method of dealing with an attack in which the kernel page of the OS kernel does not appear in the table of user processes (with the exception of a small number of service areas of the kernel memory), Kernel page-table isolation (KPTI) technology. At the same time, calls with a change in the level of privileges (in particular, system calls) slow down somewhat, since they have to additionally switch to another page table describing the entire memory of the OS kernel.

  • Microsoft has released an emergency update of Windows 10 to prevent attacks on January 3, 2018, [13] similar patches are expected to be released for other supported versions of Windows on next Tuesday Patches . [14]
  • The Linux kernel developers proposed a patch set called Kernel page-table isolation (KPTI, working names KAISER, UASS, FUCKWIT), which entered the kernel version 4.15 in early 2018 and ported to the kernel version 4.14.11. [15] [16]
  • The macOS kernel has received a fix in version 10.13.2.

In some cases, a patch can degrade the performance of a number of functions, for example, applications that very often make system calls. At the same time, Phoronix tests show no slowdown in games running on Linux with a KPTI patch [17] [18] .

See also

  • Pentium FDIV processor error
  • Pentium F00F processor error
  • Stroke hammer (Row Hammer) - unintended side effect in dynamic memory (DRAM), causing unplanned electrical interaction between memory cells.
  • Specter is a similar vulnerability for Intel, AMD and ARM processors, which cannot be fixed by the KPTI software patch.
  • TLBleed is a Intel processor vulnerability that uses an associative translation buffer as a side channel of data leakage.

Notes

  1. ↑ Gleixner, Thomas x86 / cpu, x86 / pti: Do not enable PTI on AMD processors (Independent) (3 January 2018).
  2. ↑ Lendacky, Tom [tip: x86 / pti x86 / cpu, x86 / pti: Do not enable PTI on AMD processors] (Unsolved) . lkml.org . The appeal date is January 3, 2018.
  3. ↑ Metz, Cade . Researchers Discover Two Major Flaws in the World's Computers (English) , The New York Times (2018).
  4. ↑ Intel's slow down PCs , The Verge .
  5. ↑ Linux Gaming Performance Doesn’t Appear Affected By The x86 PTI Work - Phoronix (Eng.) . www.phoronix.com . The appeal date is January 3, 2018.
  6. ↑ CVE-2017-5754 with util cess util izing util util util util util util (Unsolved) (inaccessible link) . The date of circulation is January 6, 2018. Archived January 6, 2018.
  7. ↑ https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
  8. ↑ Understanding Meltdown & Specter: What To Know About
  9. ↑ Meltdown (Neopr.) (PDF). Meltdown and Specter . The appeal date is January 4, 2018.
  10. ↑ Meltdown and Specter: Which systems are affected by Meltdown? (eng.) meltdownattack.com . The appeal date is January 3, 2018.
  11. ↑ Processor Speculative Execution Research Disclosure (English) . Amazon Web Services, Inc. . The appeal date is January 3, 2018.
  12. ↑ Cyberus Technology Blog - Meltdown
  13. Issues Microsoft issues emergency Windows update (for Windows ) . The Verge . Vox Media, Inc .. Appeal Date January 3, 2018.
  14. ↑ Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign (English) , The Register .
  15. ↑ Corbet, Jonathon KAISER: hiding the kernel from user space (Unreferenced) . LWN (November 15, 2017). The appeal date is January 3, 2018.
  16. ↑ Corbet, Jonathon The current state of kernel page-table isolation . LWN (December 20, 2017). The appeal date is January 3, 2018.
  17. ↑ NVIDIA Gaming Performance Minimally Impacted By KPTI Patches - Phoronix
  18. ↑ Linux KPTI Tests Using Linux 4.14 vs. 4.9 vs. 4.4 - Phoronix

Links

  • The official website of Specter and Meltdown attacks
  • Meltdown Article (eng.)
  • Google Project Zero: Reading privileged memory with a side-channel (English)
  • Intelpaper of Analysis Paper Backgrounds , Intel, January 2018 (Eng.)
  • Artem S. Tashkinov. Disclosed details of two attacks on processors Intel, AMD and ARM64 (rus.) . OpenNET (January 4, 2018). The appeal date is January 6, 2018.
  • Christmas gifts, part one: Meltdown - user blog olartamonov, January 5, 2018, Geektimes.
Source - https://ru.wikipedia.org/w/index.php?title=Meltdown_ ( vulnerability )&oldid = 101365196


More articles:

  • Zumakulova, Tanzilya Mustafaevna
  • Embassy Tensho
  • Koshman, Judah Antonovich
  • Meriel, Gilbert
  • Kirk, Hans
  • Chuvilevsky
  • Combat Opportunities
  • Do not say goodbye
  • Barnatt, Luke
  • Phaeodactylum tricornutum

All articles

Clever Geek | 2019