January 10 2018

The Chip Exploit: Is it the tip of an iceberg?

Dr Mahdi Aiash, Senior Lecturer and Researcher in Cyber Security, gives his take on the recent discovery of vulnerabilities in Intel processor chips. The security flaws potentially leave millions of computers open to cyber attacks. Dr Aiash explains what this means for computer users, and shares some advice for protecting your devices from this threat.

A large team of researchers discovered two hardware-related security flaws (now known as Meltdown and Spectre) that enable attackers to get privileged access to your system and steal sensitive data, including passwords and banking information, from your device. Initially, the flaws were thought to be relevant only to Intel processor chips. However, Intel has issued a statement indicating that the issue is not specifically a bug in Intel CPUs but rather an exploit that can be applied to all systems with AMD and ARM processors. The issue is related to how programs access memory, specifically information that should only be accessible to the part of the operating system (known as the kernel) that maintains the highest level of privileges. The exploits are ones where malicious programs can access the protected kernel memory space and “see” information that should be locked away.

The exploits in more detail

The kernel is the core of the operating system on your device (PC, desktop, mobile phone, etc). It controls the interaction between applications and the file system (the structure that enables you to view and edit files) allowing a program to read and write files. It also manages memory and peripherals, such as your keyboard and your camera. In other words, the kernel can do everything on your device by design. Clearly, you don’t want the kernel to be compromised. Therefore, interactions between users’ – least privileged – processes and the kernel have been made as efficient as possible through various hardware and software optimizations.

Generally speaking, the kernel will reside in a protected part of the memory, while users’ processes and applications are stored in different parts of the memory. Operating systems use a data structure known as a “Page Table” to identify and access processes from different parts of the memory. Any attempt by users’ processes to access (read or write) the kernel part of the memory should be denied by the operating system. Unfortunately, the current attacks exploit a design flaw which enables users’ programs with low privileges to access protected kernel memory if it is represented by the same page table. If an attacker can find a way to install a normal program on your computer, they could then read passwords stored in the kernel memory, private encryption keys, files cached from the hard drive and more!

How about multi-user systems?

All modern operating systems provide multi-user environments. One of the most basic premises of computer security in these environments is isolation. If you run somebody else’s sketchy code as an untrusted process on your machine, you should restrict it to its own tightly sealed playpen. Otherwise, it might peer into other processes, or snoop around the computer as a whole. The newly discovered attack breaks some of the most fundamental protections computers promise. These attacks could enable users to access the information of other users sharing the same memory.

Are these attacks relevant in the Cloud?

Multi-tenancy is the key common attribute of both public and private clouds, and it applies to all three layers of a cloud: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). A tenant is any application that needs its own secure and exclusive virtual computing environment. This environment can encompass all or some select layers of enterprise architecture, from storage to user interface. All interactive applications (or tenants) have to be multiuser in nature.

Considering the multi-tenant nature of Cloud, these attacks might seem a disaster to Cloud providers. Well, this is not quite true; as one of the major technologies to facilitate Cloud, virtualisation could potentially enable Cloud providers to create isolated virtual instances of their resources for different users and to potentially mitigate the new attacks.

Recall that the Meltdown bug enables reading memory from the address space represented by the same page table. Without getting into the details of address translation inside operating systems and the mechanisms of virtualisation, you just need to understand that virtualisation in the Cloud comes (mainly) in two types:

  • Full-Virtualisation: In this type a virtual machine (VM) is created. Inside the VM, both the OS (known as the guest OS) and the hardware are virtualised by the host operating system. This means that the guest can issue commands to what it thinks is actual hardware, but which are really just simulated hardware devices created by the host.
  • Containerisation: Also called container-based virtualisation and application containerisation, this is an OS-level virtualisation method for deploying and running distributed applications without launching an entire VM for each application. Instead, multiple isolated systems, called containers, are run on a single control host and access a single kernel.

The nature of the new exploits means that different customer VMs on the same fully-virtualised hypervisor cannot access each other’s data because these VMs do not share the same page table. But different users on the same guest instance can access each other’s data (they share the same page table of the guest OS). This latter part holds true for non-virtualised hardware as well: users under the same OS kernel can access each other’s data. A quick solution to this flaw would be using a virtual page table between virtual tables of different VMs. Such a solution could be deployed in fully-virtualised platforms. Therefore, fully virtualised technologies are not affected in the sense that guests cannot access host (hypervisor) memory, while container-based technologies are affected by Meltdown across container boundaries.

What can you do to protect your device?

With this type of processor-level flaw, your best bet, as usual, is to keep your PC updated with any new drivers that become available. Microsoft’s fix was released late on January 3. You can likely see it if you check Windows Update.

Apple issued a new support document highlighting how the recently unearthed chip vulnerabilities involving Intel, ARM, and AMD processors impact nearly the entirety of Apple’s product line. “All Mac systems and iOS devices are affected,” the support document reads, “but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.” With respect to the Spectre vulnerability, which Apple notes is “extremely difficult to exploit,” Apple says that iOS and Mac users can expect a patch relatively soon.

Google says that Android smartphones and tablets that have the latest security updates are protected from the flaws. To check for available updates, go to Settings, System and System Update. Unfortunately, a significant portion of Android users are stuck on older, unsupported versions of the operating system, and could therefore remain vulnerable. Google, however, has moved to reassure concerned users by saying, “On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices.”

ARM said that patches had already been shared with the company’s partners.

AMD said it believes there “is near zero risk to AMD products at this time.”

The tip of an iceberg

The bad news is that the Kernel Page Table Isolation fix (potentially using a virtual page table) makes everything run slower on Intel x86 processors. So if your computer appears slower than it should be, it’s because it is.

Furthermore, Microsoft’s testing revealed a “small number” of antivirus programs are making unsupported calls into Windows kernel memory, which result in blue screen of death (BSOD) errors. To avoid causing widespread BSOD problems, Microsoft opted to only push its January 3 security updates to devices running antivirus from firms that have confirmed their software is compatible. “If you have not been offered the security update, you may be running incompatible antivirus software and you should follow up with your software vendor,” the company explains. “Microsoft has been working closely with antivirus software partners to ensure all customers receive the January Windows security updates as soon as possible.”

Unlike recent cyber incidents, these attacks exploit a processor-level flaw, which makes it more challenging for software security solutions such as antivirus to discover them. Also, ironically, such attacks at the lowest components of computing systems could have a devastating impact on the latest technologies such as the Cloud, Smart Cities and the Internet of Things. These two observations highlight the fact that there is a wider attack surface than traditional security solutions could potentially cover, and stress the need for a more comprehensive “Defence in depth” approach for providing security.
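On a Linux host, including one whose single kernel is shared by many containers, you can confirm whether the Kernel Page Table Isolation fix and the Spectre mitigations are active. The script below is an added example, not part of the original article; it assumes a kernel recent enough to expose the `/sys/devices/system/cpu/vulnerabilities` directory, and the function names are illustrative.

```python
"""Report Meltdown/Spectre mitigation status on a Linux host (added example)."""
import os
import sys

# Assumption: the running kernel exposes this sysfs directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FILES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):      # e.g. "Mitigation: PTI" for Meltdown
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base=SYSFS_DIR, names=FILES):
    """Return {name: (verdict, raw_text)}.

    A missing status file (old or unpatched kernel) is reported as
    'unknown', never as safe.
    """
    report = {}
    for name in names:
        path = os.path.join(base, name)
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                raw = fh.readline().strip()
        except OSError:
            report[name] = ("unknown", "status file not present")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Names whose verdict is neither 'mitigated' nor 'not_affected'."""
    return sorted(n for n, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    rep = read_status()
    for name, (verdict, raw) in rep.items():
        print(f"{name:12} {verdict:13} {raw}")
    # Non-zero exit lets a fleet check or cron job flag this host.
    sys.exit(1 if needs_attention(rep) else 0)
```

Run it on the host rather than inside a container or guest you do not control: what it reports is the state of the kernel it runs under.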
