Google on Kernel Bug – 3 Variants, Intel & ARM Chips Mostly Affected, Less Risk to AMD
Intel has been making headlines for a bug that gives malicious actors access to sensitive information. While the chipmaker's competitors have been using this to their advantage, it appears Intel isn't the only one affected, and Google has come forward to clear up the speculation.
Variant 1 (Spectre) hits almost all modern processors; Variant 2 (Spectre) affects AMD and others; Variant 3 (Meltdown) mostly hits Intel but affects others like Apple too
In a security blog post published today, Google took credit for discovering serious security flaws caused by "speculative execution," which we have already discussed in depth in our earlier post. The technique is used by most modern processors (CPUs) to optimize performance; however, it also creates security problems, because malicious actors can take advantage of speculative execution to read system memory that should have been inaccessible to them.
In the past couple of years, Google's Project Zero team has singlehandedly helped multiple tech leaders secure their products and services. The security team wrote about this chip attack in detailed research made public today:
An unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
Google's security team added that the flaws were first identified last year and that the industry has since been scrambling to patch them. Originally, the details of these security issues were supposed to go public on January 9. However, because of growing speculation about the issues and the expected heightened risk of exploitation, the full Project Zero report has now been made available to the public.
As for protecting Google's own products, the company shared the following:
- Android: Pixel and Nexus devices on the January patch are protected; Intel and ARM processor-specific fixes have been provided to partners.
- Chrome browser: Google recommends turning on "Site Isolation" to avoid exploitation; Chrome 64, due for release on January 23, will bring a fix.
- Chrome OS: Intel Chrome OS devices on kernels 3.18 and 4.4 are patched with Kernel Page Table Isolation (KPTI) in Chrome OS 63 and above.
The security flaws that have become the talk of the week date back more than two decades. Two critical vulnerabilities, known as "Meltdown" (specific to Intel and admittedly more severe) and "Spectre," affect "almost every system" and can enable attackers to steal sensitive data. While AMD had claimed its chips weren't affected, the company has now clarified that "the threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants." The chipmaker also suggests that there is "near zero risk to AMD processors at this time." From Google's security report, it appears that AMD and ARM are also on the affected list, but not as severely hit as Intel.
During the course of our research, we developed the following proofs of concept (PoCs):
- A PoC that demonstrates the basic principles behind variant 1 in userspace on the tested Intel Haswell Xeon CPU, the AMD FX CPU, the AMD PRO CPU and an ARM Cortex A57. This PoC only tests for the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries.
- A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range in kernel virtual memory on the Intel Haswell Xeon CPU. If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time.
- A PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM. (If 2MB hugepages are available to the guest, the initialization should be much faster, but that hasn't been tested.)
- A PoC for variant 3 that, when running with normal user privileges, can read kernel memory on the Intel Haswell Xeon CPU under some precondition. We believe that this precondition is that the targeted kernel memory is present in the L1D cache.
In its report, Project Zero said that there are three variants of the attack - bounds check bypass (CVE-2017-5753), branch target injection (CVE-2017-5715), and rogue data cache load (CVE-2017-5754) - which is what the excerpt above refers to. All three work under different conditions, but each eventually allows a process with normal user privileges to perform unauthorized reads of memory, which may include sensitive information such as passwords or cryptographic key material.
Variant 1 is software-patchable and affects almost all modern processors; the patch itself has a negligible performance hit. Variants 2 and 3 are rooted more deeply in hardware, and patching them in software results in performance hits. So far they seem to affect only Intel and ARM processors, with near-zero risk to AMD CPUs according to the chipmaker itself.
Reports had suggested that the Kernel Page Table Isolation (KPTI) fix for these issues could hit performance by a double-digit percentage. In its statement, Intel claimed "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time." It remains to be seen whether the patches being delivered by industry partners cause performance problems in the coming weeks.
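A defender's first question after reading the above is whether a given Linux machine actually carries the KPTI and Spectre mitigations. The following script is an added example (not from the article, Google, or Project Zero); it assumes the kernel exposes the sysfs interface /sys/devices/system/cpu/vulnerabilities/, which newer and back-ported kernels provide and which the page does not mention, and it maps each file to the CVE id quoted in the report.

```shell
#!/bin/sh
# Added example: report the kernel's own mitigation status for the three
# variants. Assumes /sys/devices/system/cpu/vulnerabilities/ exists (it does
# on kernels that carry the fixes); older kernels simply lack the interface.

# Map a sysfs file name to the CVE id the report assigns to that variant.
cve_for() {
    case "$1" in
        spectre_v1) echo "CVE-2017-5753 (bounds check bypass)" ;;
        spectre_v2) echo "CVE-2017-5715 (branch target injection)" ;;
        meltdown)   echo "CVE-2017-5754 (rogue data cache load)" ;;
        *)          echo "unknown" ;;
    esac
}

# Classify one status line as the kernel prints it ("Not affected",
# "Vulnerable", "Mitigation: PTI", ...). Prints ok, vulnerable or unknown.
classify() {
    case "$1" in
        "Not affected"|Mitigation:*) echo ok ;;
        Vulnerable*)                 echo vulnerable ;;
        *)                           echo unknown ;;
    esac
}

# Walk a vulnerabilities directory (default: the live sysfs path), one line
# per variant. Exit status: 0 = nothing vulnerable, 1 = at least one variant
# reports Vulnerable, 2 = interface missing, so status is unknown and the
# host should be treated as unpatched until verified another way.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status"; return 2; }
    rc=0
    for v in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$dir/$v" ]; then status=$(cat "$dir/$v"); else status="missing"; fi
        verdict=$(classify "$status")
        [ "$verdict" = vulnerable ] && rc=1
        printf '%-10s %-40s %-10s %s\n' "$v" "$(cve_for "$v")" "$verdict" "$status"
    done
    return $rc
}

# Run against the live system only when executed as check_mitigations.sh.
if [ "${0##*/}" = "check_mitigations.sh" ]; then
    check_mitigations
fi
```

A "Vulnerable" verdict on meltdown means KPTI is not active on that kernel; an exit status of 2 means the kernel is too old to say, which in practice is the same answer.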
Google said it first informed Intel, AMD and ARM in June 2017, and added that many partners have made patches available for one or more variants of this attack. Windows, macOS and Linux have already developed patches, and Android released them earlier this month.
- On a side note, Intel's CEO apparently sold millions of dollars in company stock late last year. Although the shares were sold under a 10b5-1 automated trading plan, which is designed to prevent insider trading, the sales are being viewed in a different light now that the chip flaws have gone public.