Meltdown, Spectre, and Speculative Execution, Oh My!

Official Site for Spectre and Meltdown

meltdown logospectre logo

Modern processors are very complex and, as such, contain some features that make use of advanced techniques to provide users with faster execution times. One of these features utilizes speculative execution, a technique that utilizes additional memory in order to save time in the long run. Since this may not be a well-known concept outside of lower-level programming, here is a small example to provide context.

In computer programming, several types of constructs provide logical structure to determine the execution path. One group of these constructs can operate different execution paths based upon the state of the system at a given point in time. The state refers to the contents of system registers, environmental values, etc. When the program reaches one such junction, it makes a decision based on a provided condition. To do this, it must reference other parts of memory to check if the condition is true or false. Before the program can proceed, it waits until the check completes and then determines the correct path forward. However, with speculative execution, the program executes the path it thinks would most likely be executed. This happens while the program loads values for the conditional check and comparisons, which can massively speed up the process by potentially eliminating idle time during memory accesses. When the check finishes, the program either continues with the current path or resets to the original check and moves to the correct path.

Some, not all, modern processor architectures employ speculative execution and are vulnerable to attacks that target it. In the Spectre article, the authors identified shared operating system libraries that contained programming instructions capable of leaking information from the victim device. Using these instructions, a malicious program can be created that leveraged speculative execution to read and send every address in memory to the attackers. This program attacked the branch target buffer (the part of the processor that predicts which branch to execute in advance) in order to train it to “mispredict” a branch’s execution and process the malicious code. This process bears an incredible similarity to the classifier poisoning that occurs within adversarial machine learning. Additionally, the authors crafted a JavaScript program that leverages the browser process that houses it to access additional memory locations. Both of these proof-of-concept attacks violate memory isolation boundaries that have delineated program execution spaces. Common vulnerability and Exposures (CVEs) were issued for these findings under CVE-2017-5715 and CVE-2017-5753.

The Meltdown article provides additional detail into violations of memory boundaries between user-space (think: applications) and kernel-space (think: core functionality set built into your computer’s processor). To do this the authors utilize the ability of a processor to load program instructions on an availability basis. This out-of-order execution loads chunks of a program into memory as processor space frees up, though this does not necessarily happen in order as the name suggests. Once necessary parts of the program are loaded, it can be executed in the order it was designed. When we previously discussed speculative execution we briefly discussed a pre-processing of possible execution paths that might be discarded if incorrect. This runaway process (the technical term is transient instruction) can provide insight into a secret value that allows operating in a privileged environment. This concept is leveraged to provide an attacker with a vehicle to access memory locations in a privileged fashion, which distinguishes it from Spectre. Once attackers access memory locations, they must establish covert channels in order to exfiltrate memory locations, similar to Spectre. Meltdown was issued CVE-2017-5754 for the discovered vulnerability.

The Spectre authors recommend high-level fixes, such as using memory-safe fencing instructions (mfence and lfence), but not more volatile methods such as forcing serialized execution of processes which may destroy memory register values. Chip manufacturers have provided updates that employ these techniques and safeguard against exploitation of speculative execution poisoning and hijacking.

The Meltdown authors recommend the KAISER mitigation which was proposed by Gruss et al. This mitigation provides protection against side-channel attacks targeting weaknesses in Kernel Address Space Layout Randomization (KASLR).

Spectre and Meltdown based data exfiltration is limited to so-called covert channels and their proper set up, which may pose additional technical hurdles that eliminate execution by unskilled attackers. Moreover, an attacker must load a malicious program (unlikely) or JavaScript (much more likely) to your device in order to perform a successful attack, so be extra vigilant with what content you load if you have not installed an update patch. Although scripts to instantiate these conditions will likely emerge, it is imperative to install pertinent updates to harden your systems against these vulnerabilities.

Authored by: Roland Varriale