It was announced in early February that AV-TEST, an independent organization that tests antimalware and security software, discovered 139 samples of malware that “appear to be related to recently reported CPU vulnerabilities”—otherwise known as Spectre and Meltdown.
The organization previously reported the discovery of 77 unique samples of Meltdown and Spectre malware on January 17. By January 23, AV-TEST posted another update that the unique malware samples had risen to 119.
Although most of the samples discovered seem to be based on proof-of-concept (PoC) code created by security researchers, experts aren’t ruling out that some of the samples are from malware authors looking for ways to weaponize the PoC code. Furthermore, even if most of the samples are PoC code released by security researchers, it demonstrates the extent to which the code can be exploited.
What’s So Scary about Meltdown & Spectre
Meltdown and Spectre are the names given to recently discovered CPU flaws that expose billions of microprocessors to side-channel attacks. Meltdown and Spectre are severe vulnerabilities that, when exploited, give attackers access to a wealth of information, both from the kernel memory space and from other apps—all by virtue of abusing the normal function of processors, including those of .
How do they do it? Essentially, Spectre and Meltdown take advantage of performance optimizations, also called speculative execution, that have been implemented in microprocessors. To improve speed and efficiency, processors guess what data they’re going to receive instead of waiting for data to move in and out of memory. If the guess is correct, the processor executes instructions based on that. If it’s wrong, the microprocessors throw away what they’ve done without losing time.
How Meltdown and Spectre Exploits Could Access Sensitive Information
The exploit takes place when the processor “gets rid” of the information it does not need, because that information is not actually deleted. Even though the processor did not need certain data, the speculative execution that fetched it still leaves that data in the cache. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren’t cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured.
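The mechanism described above, as a toy Python model added here for illustration (not code from the original article): the cache is a plain set, and the `ToyCPU` class, the latencies and the sample memory are all assumptions, so no real hardware is measured. It shows that rolling back a wrong guess discards the result but leaves a timing-visible cache line, and that the signal disappears when the guarded path is not run speculatively.

```python
# Toy model (constructed for illustration): no real CPU, cache or timer is involved.
HIT_NS, MISS_NS = 10, 200           # assumed latencies for a cached vs. uncached line
LINES = 256                         # one probe line per possible byte value


class ToyCPU:
    def __init__(self, memory: bytes, public_len: int, speculate: bool = True):
        self.memory = memory        # public bytes followed by bytes the caller must not read
        self.public_len = public_len
        self.speculate = speculate
        self.cache = set()          # probe lines currently cached

    def flush(self):
        self.cache.clear()

    def guarded_read(self, idx: int):
        """Bounds-checked read. Returns the byte, or None if idx is out of range."""
        in_bounds = idx < self.public_len
        if in_bounds or self.speculate:
            # Runs for real when in bounds, or speculatively while the
            # bounds check is still being resolved.
            value = self.memory[idx]
            self.cache.add(value)   # dependent load pulls probe line `value` into the cache
        # A wrong guess is rolled back: the register result is discarded,
        # but the cache line filled above is not evicted.
        return self.memory[idx] if in_bounds else None

    def access_time(self, line: int) -> int:
        return HIT_NS if line in self.cache else MISS_NS


def observe(cpu: ToyCPU, idx: int):
    """Return (architectural result, probe lines that time as cache hits)."""
    cpu.flush()
    result = cpu.guarded_read(idx)
    fast = [line for line in range(LINES) if cpu.access_time(line) < MISS_NS]
    return result, fast


MEMORY = b"public" + b"S3"          # constructed sample: the last two bytes are off-limits

if __name__ == "__main__":
    for speculate in (True, False):
        cpu = ToyCPU(MEMORY, public_len=6, speculate=speculate)
        print(f"speculate={speculate}: {observe(cpu, 6)}")
```

In both runs the out-of-range read returns nothing architecturally; only the run with speculation enabled leaves one fast probe line behind, and its index equals the byte that was never supposed to be readable.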
Meltdown uses speculative execution to leak kernel data to regular user programs. The good news is that patches have been released to fix the problem, even if they might affect application workload.
Spectre is a whole other ballgame. Spectre attacks can be used to leak information not just from the kernel to user programs, but also from virtualization hypervisors to guest systems. What this means is that by exploiting speculative execution, Spectre breaks down the isolation between apps on your computer or server. For security reasons, one app is not supposed to be able to see what another app is doing. You wouldn’t want your internet browsing app to be able to spy on your banking app, for example. An attacker exploits this design flaw in the microprocessors, which allows attacks across application boundaries. And the solution to fixing Spectre is not so straightforward unless we get rid of speculative execution completely, which could majorly affect performance.
Furthermore, neither Spectre nor Meltdown is unique to one particular chipmaker or device. They impact the entire computing industry, and the very foundations of computer security that we’ve come to know over the past 20 or so years.
What About Patches?
When a vulnerability is discovered, the typical response is to issue a patch as soon as possible. In the case of Spectre and Meltdown, patches are not so simple: chipmakers and operating system vendors are struggling to patch their customers’ systems due to unforeseen issues that the patches can cause.
While most of the major software makers have issued patches, some patches cannot be issued or have had to be pulled back. For example, Intel pulled its Spectre variant 2 patch because it was causing rebooting errors. Furthermore, additional microcode updates that Intel is releasing must be integrated and delivered by OEM vendors themselves, so most currently used PCs, laptops and mobile devices may never see these fixes.
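Because fixes arrive unevenly, it is worth checking what each host actually reports. The following is an added example, not part of the original article; it assumes Linux hosts with kernel 4.15 or later, which expose per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities`. The function names and the sample status lines are constructed for illustration.

```python
import os
import tempfile

# Linux (kernel 4.15 and later) reports per-vulnerability status in this directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
WANTED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map a kernel status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        # A mitigation line can still flag one sub-component as vulnerable.
        return "vulnerable" if "vulnerable" in s.lower() else "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(directory: str = SYSFS_DIR) -> dict:
    """Return {name: (verdict, raw status)}; a missing file means no kernel report."""
    report = {}
    for name in WANTED:
        path = os.path.join(directory, name)
        try:
            with open(path) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = ""
        report[name] = (classify(raw), raw) if raw else ("unknown", "no kernel report")
    return report


def constructed_sample_dir() -> str:
    """Fake sysfs directory with constructed status lines; spectre_v2 is left out."""
    d = tempfile.mkdtemp()
    for name, text in {"meltdown": "Mitigation: PTI", "spectre_v1": "Vulnerable"}.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text + "\n")
    return d


if __name__ == "__main__":
    for name, (verdict, raw) in audit().items():
        print(f"{name:12} {verdict:10} {raw}")
```

The exact status strings vary with kernel version and microcode, so treat an `unknown` verdict as a host that needs manual review rather than as a pass.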
Bruce Schneier explains the extent of the problem in his blog post on Spectre & Meltdown:
“This news isn’t really any different from the usual endless stream of security vulnerabilities and patches, but it’s also a harbinger of the sorts of security problems we’re going to be seeing in the coming years. These are vulnerabilities in computer hardware, not software. They affect virtually all high-end microprocessors produced in the last 20 years. Patching them requires large-scale coordination across the industry, and in some cases drastically affects the performance of the computers. And sometimes patching isn’t possible; the vulnerability will remain until the computer is discarded.”
Essentially, Meltdown and Spectre demonstrate “a new playing field” for ways attackers can exploit vulnerabilities. We all know that unpatched systems are a gold mine for the bad guys to instigate attacks. With the PoC code already out there and detected by security researchers, all cybercriminals need to do now is take that information and weaponize it. Because there are no easy fixes to Meltdown and Spectre, and because of the numerous unpatched systems that remain, it’s very likely that we will start seeing these types of damaging side-channel attacks.
Read Yehuda Lindell’s article in Dark Reading on software such as SGX in trusted execution environments: “Foreshadow, SGX & the Failure of Trusted Execution”.