Researchers reveal details of vulnerabilities in modern CPUs from Intel, AMD and ARM

Security researchers have released details of vulnerabilities in modern processors that had been the subject of speculation in recent days. The so-called Spectre and Meltdown attacks give access to sensitive data in the memory of affected systems.

The researchers have published their findings in the form of a website and two papers, one on Meltdown and one on Spectre. The first attack affects Intel CPUs going back to 1995 and abuses the speculative execution optimization to read kernel memory on x86 systems from an ordinary process running in userspace, which means it bypasses the memory isolation between user and kernel. Meltdown does not rely on a software vulnerability and therefore works regardless of the user's operating system.

One of the discoverers of the vulnerability, Michael Schwarz of Graz University of Technology, demonstrates an application of Meltdown that steals passwords in real time. For cloud providers, the attack means that isolation between different guest systems on the same host can be circumvented, the researchers said. This does not apply to fully virtualized systems, but it does apply to containers that share the host kernel. An attack would be difficult to detect and would leave no trace.


The second bug, Spectre, is broader than Meltdown and therefore affects a wider range of CPU manufacturers, including AMD, Intel and ARM. It makes it possible for an application in userland to read the memory of another process. In the accompanying paper, the researchers describe a Spectre proof-of-concept implementation in JavaScript, which they tested in Google's Chrome browser; the code reads memory of the process in which it is executed. Spectre also abuses speculative execution: the attacker trains the CPU's branch predictor so that a victim's bounds check is speculatively mispredicted, and the transiently executed code leaves a cache footprint that encodes the out-of-bounds data. According to the discoverers, the success of the attack mainly depends on whether the attacker can execute code on the same CPU as the target.
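The bounds-check-bypass variant of Spectre hinges on a very small code pattern. The following C program is an added illustration, not the researchers' proof-of-concept or any vendor code: it shows the classic vulnerable gadget next to a hardened version that clamps the index with a branch-free mask (the construction Linux adopted as array_index_mask_nospec). The victim memory layout, the secret string and the function names are all constructed for the example. The program models the transient path explicitly by running the branch body without its check; it does not perform the Flush+Reload timing step, which is where a real attack would recover the leaked byte from the cache.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed victim memory. Keeping array1 and the secret in one struct
 * guarantees the secret sits immediately after array1, so an out-of-bounds
 * index into array1 reaches it.
 */
#define ARRAY1_SIZE 16
struct victim_mem {
    uint8_t array1[ARRAY1_SIZE];
    char secret[48];
};
static struct victim_mem mem = {
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 },
    "The Magic Words are Squeamish Ossifrage."   /* constructed sample secret */
};

/* Probe array: one cache line per possible byte value. In a real attack the
 * attacker flushes these lines, triggers the gadget, then times each line
 * (Flush+Reload) to see which one the transient load brought into the cache. */
#define CACHE_LINE 64
static uint8_t array2[256 * CACHE_LINE];

/* Vulnerable Spectre variant 1 gadget. The check is correct architecturally,
 * but after the predictor has been trained with in-bounds x, an out-of-bounds
 * x still runs the body transiently and the load from array2 leaves array1[x]
 * encoded in the cache. */
uint8_t gadget_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[mem.array1[x] * CACHE_LINE];
    return 0;
}

/* Branch-free mask: all ones when x < size, all zeros otherwise (same formula
 * as Linux's generic array_index_mask_nospec()). Assumes x and size are below
 * SIZE_MAX/2 and that right-shifting a negative value is arithmetic, as it is
 * on GCC and Clang. */
static inline size_t index_mask_nospec(size_t x, size_t size)
{
#if defined(__GNUC__)
    /* Stop the compiler from proving x < size from the enclosing branch and
     * deleting the mask; the CPU does not honour that proof under speculation. */
    __asm__ __volatile__("" : "+r"(x));
#endif
    return (size_t)(~(intptr_t)(x | (size - 1 - x)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened gadget: the mask is a data dependency, not a branch, so even on the
 * transient path an out-of-bounds x collapses to 0 before it reaches array1. */
uint8_t gadget_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[mem.array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Model of the transient path: the branch body as the CPU runs it after a
 * misprediction, i.e. with the bounds check gone. Returns the byte that would
 * select the array2 line and therefore leak. Reading through a byte pointer
 * keeps the out-of-bounds access inside the constructed struct. */
uint8_t transient_byte_vulnerable(size_t x)
{
    const uint8_t *base = (const uint8_t *)&mem;   /* array1 is at offset 0 */
    if (x >= sizeof(mem))
        return 0;                                  /* guard for the model only */
    return base[x];
}

uint8_t transient_byte_hardened(size_t x)
{
    const uint8_t *base = (const uint8_t *)&mem;
    if (x >= sizeof(mem))
        return 0;
    x &= index_mask_nospec(x, ARRAY1_SIZE);
    return base[x];
}

/* Index an attacker would pass to reach secret[i] through array1. */
size_t malicious_index(size_t i)
{
    return offsetof(struct victim_mem, secret) + i;
}

int main(void)
{
    size_t x = malicious_index(4);   /* secret[4] is 'M' */
    printf("architectural: vulnerable=%u hardened=%u (both refuse out-of-bounds x)\n",
           gadget_vulnerable(x), gadget_hardened(x));
    printf("transient    : vulnerable leaks '%c', hardened reads array1[0]=%u\n",
           transient_byte_vulnerable(x), transient_byte_hardened(x));
    return 0;
}
```

Compile with gcc or clang; the architectural results are identical for both gadgets, which is exactly why the bug is invisible to ordinary testing. The difference only shows on the modelled transient path: the vulnerable body hands the attacker the secret byte, the masked one hands over array1[0]. Speculation barriers (lfence on x86, csdb on ARM) after the check are the alternative mitigation, at a higher cost per gadget.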

For Meltdown, mitigations can be delivered as software patches, which are available for Windows, macOS and Linux, among others. Microsoft notes that whether its January 3 patches are offered depends on the antivirus software installed; systems with incompatible antivirus products will not receive them. For Spectre it is considerably harder to provide a comprehensive fix and to secure systems. The researchers state that in many cases a solution must be sought in changes to processor designs and updates to instruction set architectures (ISAs).

Spectre is tracked as CVE-2017-5753 and CVE-2017-5715, while Meltdown is tracked as CVE-2017-5754. Researchers at Google's Project Zero have devoted a blog post to the vulnerabilities, discussing proofs of concept for the different attack variants. AMD has published a statement on its website that discusses those variants and the exposure of its processors. In it, the manufacturer states that its processors are not, or hardly, susceptible to CVE-2017-5754 and CVE-2017-5715, which correspond to Meltdown and one of the two Spectre variants. About CVE-2017-5753 AMD only says that it can be addressed with patches. The Project Zero researchers say they successfully ran a proof of concept of that so-called bounds check bypass on AMD processors, and in the aforementioned Spectre paper the researchers report carrying out the attack on a Ryzen CPU. An advisory has also been published for ARM.