With the start of a new year, two major vulnerabilities affecting nearly all modern computers were disclosed. Malicious users can exploit and to view any sensitive data on an unpatched device. What’s more is that the Mozilla team confirmed that this can be exploited via JavaScript in the browser. Since this was one of those vulnerability disclosures that made mainstream news, several people pinged me asking for a simple explanation of the two attacks.
- img2001 - Meltdown and Spectre For Dummies

Computer processors have a performance feature called “speculative execution”. When hitting a fork in the code, like an if statement, the processor can decrease processing time by pre-executing code that it thinks it will need to execute later on. When the processor makes a mistake, it rolls back *most* of the side effects of the instructions executed. However, due to the performance cost of rolling back, the cache and branch prediction history are not reverted. There are several ways to exploit this behaviour. The end result being that malicious users can exploit Meltdown and Spectre to steal data which is current processed on the vulnerable machine.

- img2002 - Meltdown and Spectre For Dummies

Meltdown is vulnerable on both Intel and Apple architectures. This attack “melts” the isolation between user applications and the underlying operation system. The attacker can access system memory and view sensitive information belonging to other programs running as well as operating system data. Spectre, named after the speculative execution feature described above, is vulnerable on Intel, Apple, ARM and AMD architectures. This attack breaks the isolation between different programs. When exploited, malicious users can trick applications into leaking sensitive information. Several browser vendors have confirmed that attackers can exploit the flaws via JavaScript. The following Proof of concept code was released as part of the original Spectre disclosure.

- img2003 - Meltdown and Spectre For Dummies

The Firefox team noted that the attacks require measuring precise time intervals in order to exploit them, thus as a short term mitigation they reduced the precision in several time sources. Specifically starting from Firefox v57, the performance.now() function resolution is reduced to 20µs and the SharedArrayBuffer feature is disabled by default. Similarly, the Chromium team also announced that in Chrome v64 the SharedArrayBuffer feature will be disabled by default and the performance.now API will be modified. The Chrome team also suggested the following mitigations that web developers can implement on their own sites:
  • Where possible, prevent cookies from entering the renderer process’ memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie.
  • Make sure your MIME types are correct and specify an X-Content-Type-Options: nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.

There are patches against Meltdown for , Windows, and OS X. Based on the kernel patches as well as the browser patches, Meltdown and Spectre can only be fixed by incurring a performance penalty, at least until CPU manufacturers can implement a fix within the CPU architecture. In terms of the risk level, any sensitive data stored in the device memory can be mined. This includes financial data like credit card information and banking data as well as logins and passwords. For more information about these attacks, include proof of concept code, see https://meltdownattack.com/

Source link


Please enter your comment!
Please enter your name here