Meltdown (vulnerability)

from Wikipedia, the free encyclopedia
Meltdown

Type: hardware
CVE number(s): CVE-2017-5754
Date of discovery: July 28, 2017
Release date: January 3, 2018
Architecture(s): ARM, IA-32 (x86), POWER/PowerPC
Operating systems: AIX, Android, iOS, Linux, macOS, System i, Windows and many more
Manufacturer: Apple, ARM, IBM, Intel, Qualcomm
Product(s): ARM Cortex-A75, IBM POWER, PowerPC 970 and Intel x86 processors


Meltdown is a hardware vulnerability in microprocessors that makes unauthorized access to the memory of other processes possible. The vulnerability was identified for x86 processors from Intel (all processors since 1995, with the exception of the Atom series before 2013), for the Cortex-A75 processor design from ARM (not yet used in mobile phones as of January 2018), and for the POWER architecture from IBM. AMD's x86 processors, however, are not affected. The Meltdown vulnerability is listed under CVE number CVE-2017-5754.

Specifically, the vulnerability consists in the fact that, as part of out-of-order execution, the processor temporarily reads the content of a memory cell and processes it further, although the calling process has no rights to that memory region. This changes the timing behaviour of subsequent cache accesses and, with precise time measurement, allows the data content to be inferred under certain conditions, even after the result of the out-of-order execution has been discarded. In principle, this is a side-channel attack, a method known from cryptanalysis.

History

Meltdown was discovered independently by researchers from Google's Project Zero, Cyberus Technology and Graz University of Technology and published on January 3, 2018, at the same time as the Spectre processor vulnerability, after some hardware and software companies had been informed on July 28, 2017. On November 14, 2017, Alex Ionescu announced on Twitter changes for the new Windows 10 version that would result in a loss of speed, without explaining why. He emphasized that something similar would be done in Linux.

In the spring of 2017, researchers at TU Graz tried to present their procedure, (Kernel) Page Table Isolation or (K)PTI, described in the so-called "KAISER" paper, to the public at the annual Black Hat conference in July 2017; however, the conference organizers rejected the submission.

Vulnerable systems

All Intel processors that implement out-of-order execution are potentially affected, i.e. all x86 processors since 1995, that is the 32- and 64-bit processors of the Intel Architecture 32-bit (IA-32), with the exception of the Atom processors produced before 2013. Processors of the same architecture from direct competitor AMD, however, are not vulnerable.

All operating systems common at the time of publication, such as AIX, BSD, iOS, Linux, macOS, System i and Windows for the x86, ARM and POWER architectures, are generally susceptible to such attacks until the countermeasures described below (Page Table Isolation, PTI) are applied, because they map the kernel address space and at least parts of physical memory into the address space of every process. This mapping is a prerequisite for the attack to be able to read memory for which the reading process is not authorized.

Tablets, smartphones and other IoT devices with a processor based on the ARM Cortex-A75 design are also affected, for example Qualcomm CPUs of the Snapdragon 845 type.

Mode of action and effects

Attacks on the Meltdown vulnerability, like attacks on the Spectre vulnerabilities, exploit the fact that in processors that perform out-of-order execution, instructions are executed in parallel or in a different order and change the state of the system, even if the result of the out-of-order execution is subsequently discarded. These changes, such as loading a memory page into the cache, serve as a covert channel to transfer information from the address space of the attacked process, which would otherwise not be accessible, to a receiving program.

In contrast to the Spectre vulnerabilities, which exploit various forms of speculative execution, Meltdown only uses parallelization in the form of out-of-order execution.

The discoverers demonstrated an attack that makes it possible to read the contents of any memory location on affected Intel processors. The memory location to be read must be mapped in the address space of the attacking process. In all affected operating systems, kernel memory and at least parts of physical memory are mapped in the address space of each process. The starting point of the Meltdown attack is the execution of an instruction that leads to an exception due to insufficient permissions. On affected processors, the following instructions are executed before the exception is processed, even if they depend on data for which the calling process has no access rights. The algorithm consists of the following steps:

Sample code on the sender side:

    ; rcx = kernel address
    ; rbx = probe array
    retry:
    movzx rax, byte [rcx]        ; Loads the content of the memory location to be read into register rax.
                                 ; This raises an exception.
                                 ; The following code is only executed ahead of time inside the processor.
    shl rax, 12                  ; Multiplies the content of the 64-bit register rax by 4096,
                                 ; so that it now contains a page address that depends on the
                                 ; content of the memory location being read.
    jz retry                     ; Starts over if the zero flag (and therefore rax here) is 0
                                 ; (even with [rcx]=0 this is no endless loop, since the
                                 ; exception handling eventually aborts the out-of-order execution).
    mov rbx, qword [rbx + rax]   ; Accesses a memory location on the page whose index within the
                                 ; probe array rbx is held in rax. This loads a page into the cache
                                 ; whose address depends on the content of the memory location being read.

  1. In the attacking process, a sender thread and a receiver thread are started.
  2. The sender thread executes a program that changes the internal state of the processor depending on the memory location to be read. For this purpose:
    • it first contains an instruction that reads the content of a memory location which would not be accessible to the process in a regular way. Attempting to execute this instruction interrupts the thread and triggers exception handling.
    • it also contains instructions that access a memory page depending on the content of the memory location to be read. If the program were executed sequentially, this code would never run, because the thread would already have been interrupted. With out-of-order execution, however, this code is largely executed in advance. This changes the internal state of the system, e.g. a memory page is loaded into the cache. In the example code, the address of a memory page is computed from the content of the memory location to be read, and that page is accessed.
  3. The receiver thread executes a program that reads the internal state of the processor. To do this, it executes instructions that, in the example attack, use time measurements to determine whether a specific memory page has been loaded into the cache.

The sender thread can transmit messages to the receiver thread through the cache by triggering the loading of a memory page. By making these messages dependent on the content of the memory location to be read, it can send that content to the receiver.

In the example attack, the authors succeeded in reading out the entire physical memory of the system.

Countermeasures

Page table isolation (PTI, formerly also called KAISER after the published paper) is listed as a workaround against the vulnerability. Kernel PTI (KPTI) ensures that the kernel address space and physical memory are not mapped into the address space of the process while the processor is in user mode. In kernel mode they are still mapped. As a result, the address space must be switched on every transition from user to kernel mode (e.g. for system calls) and back, as is otherwise only the case on a context switch. In addition, the two instances of the address space must be kept synchronized. Depending on the processor architecture, this means among other things that on each such switch the translation lookaside buffers are flushed and refilled during the further program run, which reduces processor performance.
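As an added example that is not part of the article, the following POSIX shell script interprets the status line the Linux kernel has exported since version 4.15 under /sys/devices/system/cpu/vulnerabilities/meltdown, which reports whether KPTI is active. The sample status lines in the demo are constructed from the wording the kernel uses ("Mitigation: PTI", "Vulnerable", "Not affected"); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: interpret the Linux kernel's own report
# of the Meltdown status. Since Linux 4.15 the kernel exposes a one-line status
# in /sys/devices/system/cpu/vulnerabilities/meltdown, e.g.
#   "Mitigation: PTI"   KPTI is active
#   "Vulnerable"        affected CPU, PTI not active (e.g. booted with pti=off)
#   "Not affected"      CPU not affected by Meltdown (e.g. AMD x86)

MELTDOWN_SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown

# Classify one status line as the kernel prints it.
# Prints one word and returns 0 when no action is needed, 1 when the host is
# vulnerable, 2 when the text is not recognised (new kernel wording, etc.).
classify_meltdown_status() {
    case "$1" in
        "Not affected")  echo not_affected; return 0 ;;
        Mitigation:*)    echo mitigated;    return 0 ;;
        Vulnerable*)     echo vulnerable;   return 1 ;;
        *)               echo unknown;      return 2 ;;
    esac
}

# Read and classify the live status of this host. Returns 2 when the sysfs file
# is absent (kernel older than 4.15, or not Linux), so that "unknown" is never
# mistaken for "mitigated".
check_live_system() {
    if [ -r "$MELTDOWN_SYSFS" ]; then
        classify_meltdown_status "$(cat "$MELTDOWN_SYSFS")"
    else
        echo unknown
        return 2
    fi
}

# Walk through constructed sample lines so the script runs on any host.
demo() {
    for line in "Mitigation: PTI" "Vulnerable" "Not affected" "Something new"; do
        printf '%-18s -> %s\n' "$line" "$(classify_meltdown_status "$line")"
    done
}

demo
```

On a Linux host, call check_live_system instead of demo; any exit status other than 0 means the KPTI mitigation is not confirmed for that machine. The check covers Linux only.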

The Meltdown countermeasure is referred to as "Kernel VA Shadowing" in operating systems patched since January 2018. Initially, however, this countermeasure was not effective for the 32-bit versions of Windows, despite the updates installed up to January 12, 2018, and for Linux there were likewise no updates effective against Meltdown for the 32-bit versions. On January 18, 2018, Microsoft began issuing Meltdown updates for 32-bit operating systems, starting with Windows 10 version 1709. On tablets and smartphones with the affected ARM processors, the KPTI of the Linux kernel used with Android also provides a remedy, but in many cases this depends on the manufacturer, as not all older devices receive Android updates.

IBM POWER systems have only been supplied with firmware updates (against Spectre) by IBM from the POWER7 onwards. The countermeasure against Meltdown, KPTI, was likewise only implemented in the operating systems from the POWER7 onwards, so that the 64-bit systems POWER4, POWER5 and POWER6 remain potentially vulnerable. IBM does not provide clear information about even older POWER systems (before the POWER4). The PowerPC 970, marketed by Apple as the PowerPC G5, is derived from the POWER4+ and is also affected by Meltdown.

As with the Spectre vulnerabilities, extracting information requires precise time measurement, so reducing the time resolution by dithering the clock (jitter) is considered effective against both attacks.
