Posted on Jan 4, 2018
Meltdown and Spectre are two different hardware vulnerabilities that seem difficult to separate from one another. A vulnerability is often what inherent flaws in system software code are called. However, hardware exploits compromise different security protocols than software gaps.
Computer hacking uses software vulnerabilities, often discovered through penetration testing, to access your systems and thus your databases. A software exploit, such as the Apache Struts vulnerability, means that remote hackers can potentially execute remote commands using the content-type headers. Our CEO Alex Yampolskiy shared today on CNN QuestExpress that he was “not that worried about Meltdown and Spectre attacks, as compared to the Apache Struts vulnerability that led to the Equifax breach, because to the best of my knowledge no published remote exploits can be used.”
Hardware exploits like Meltdown and Spectre require access to the physical device. Although most information security focuses on network security and internet security, Meltdown and Spectre pose a physical access risk instead.
Both of these exploits share two things: First is the physical access needed to exploit the vulnerability. Second is the way they interact with the computer’s memory process.
Focus on your daily routine for a second. Every day you get up, get ready for work, and then you may travel to your office. If you’re tired in the morning, you take the same route and sometimes just zone out. This is what your computer does. It has a daily routine that separates information on your hard drive. The private information is in one place. The program information is in another. Both areas share login information using cache. This is where the computer makes a temporary file so that you can use a password on a browser or an application. Then, the computer erases that file.
If you live in a city, you might take a subway to work. If you look at the difference between a local train and express train, then what Meltdown and Spectre do makes more sense. A local train stops at all the stops on the track. An express train only stops at a few. Your computer hard drive is conditioned to take the local train where it takes several stops, or steps in your computer’s case, to get you from opening a program to logging into the program. However, these exploits change the order of the steps taken to get from point A to point B. This is called an “out-of-order” execution.
Yampolskiy explained, “For example, every day I take the “N” train to 34th Street stop to the SecurityScorecard offices. A few weeks ago, an N train arrived, and I hopped onto it without thinking. Only after I missed my stop, I realized that the route of the train got changed while I was on it, and it skipped my stop.” This is exactly what happens with an out-of-order attack. The routine gets changed and information goes to the wrong place. In the case of Meltdown and Spectre, that information goes to malicious users.
While a more complex computer security issue than Meltdown, Spectre also impacts more brands of processing chips thus potentially affecting more devices. These are the chips that sit inside your device and make it work. Meltdown is limited to Intel CPU processors such as Intel AMT, Intel Skylake, Intel MEI, and the latest intel processors. Spectre impacts Ivy Bridge, Haswell, Skylake, AMD Ryzen CPUs, and several Samsung and Qualcomm processors. Although, since Spectre is more complex and less likely to impact data security, it is also more difficult to create a computer protection program that thwarts it.
To get technical for a minute, you need to get a general sense of what Spectre does. In order to infiltrate a CPU, Spectre needs a computer hacker who can insert an if/then statement into the computer’s conversation between the program and the private information stored. This means the attacker has to have access to the cache and temporary files, which involves a USB hack.
Moreover, Spectre focuses on branch prediction. All computer programming acts like a tree with branches. If you’ve ever climbed a tree, you know you need to think about which branch is strongest and will take you to the top of the tree. Sometimes, especially on large trees, you may make a mistake and need to backtrack.
This is how computer programming works as well. As Yampolskiynoted today, “Processors try to optimize execution of instructions so they get “trained” on what to expect. One of the techniques is to line up instructions in a normal user process to speculatively fetch data from a wrong place.” In other words, computers learn what to expect and then make guesses based on previous actions. Each if/then statement leads to another, and another, and to infinitely more. A Spectre exploit requires making an educated guess about which branch will get the intruder to the cache they need for the information they want.
To make computers faster, many core processing chips create a system of smaller caches, similar to the smaller branches on a tree that allow water to move more efficiently to the leaves. The majority of the information is stored in the tree trunk hierarchy while additional information travels across the smaller, faster hierarchies to get where it needs to go.
To speed up processes, computers make assumptions based on what you’ve done in the past. This means that if you’re using several programs at the same time, your computer is going to guess that the information is the same across both. Again, if you’re climbing a tree and two branches look similar, you might assume that they both go to the same place. If a malicious user exploits the Spectre vulnerability, then they are relying on this assumption. If the information requested comes back quickly, then the attacker found the right place in the cache. Again referring to tree branches, if someone wants you to fall out of the tree, they may try to save time by cutting only one of the branches. If you fall out immediately, they got it right. If you don’t, then they guessed wrong.
Meltdown attacks your cache in a different way than Spectre, but it is limited to Intel Processor chips. Spectre relies almost entirely on branch prediction to create attacks. Meltdown not only utilizes branch prediction but it moves information around without your computer noticing it. Described in three concrete steps, Meltdown poses a different set of problems than Spectre.
If you’ve ever tried to hide a birthday gift from someone only to have them find it, then Meltdown will make sense to you. When your computer stores information, it takes the regular information and makes a virtual address that helps move that data to a physical address.
Imagine buying a birthday gift for your significant other. You don’t want them to find the gift, so you have it mailed to your officea few blocks away and plan to pick it up from there. This is what happens when your computer moves information from the main memory into a register.
Assume, then, that your significant other finds out that the gift was delivered to your office. By intercepting the information, they are reading your secret (and ruining their surprise)!
In the technical terms, the attacker chooses a memory location to steal from.
Your significant other knows where the gift, or secret, is located, and they can intercept it. This is how the instruction sequence that got out of order in step one now becomes dangerous. Instead of you picking the gift up at your office, your significant other might visit you and see/obtain the present.
In technical terms, they created a transient instruction sequence that intercepts the original instructions. Your CPU normally creates a file, sends it to a cache, and then retrieves it. When the delivery is intercepted, the file can go anywhere the malicious attacker chooses.
Now that your significant other knows where the gift, or secret, is going to be delivered, they can get go to the address and take it. Once the package arrives at your office, your significant other can spoil their surprise before you have a chance to give them the gift.
This is the same thing that happens with a Meltdown attack. In computer terms, however, this process gets repeated numerous times over a large number of addresses stealing information.
Your significant other might just take the package and exchange it for something else. (In that same way, a malicious attacker will dump your data and then sell it for a profit.)
Meltdown and Spectre, while certainly intimidating at first glance aren’t entirely new. Yampolskiy shared today, “The technique used in these papers is clever, but it’s been used before. For example, the Return Oriented Programming (ROP) technique discussed in the Spectre Paper was used for many buffer overflow attacks.” In August 2017, CSO Online shared an NSA hack to disable the Intel Management Engine interface. In November,2017 Intel patched a major flaw in its Intel Management Engine.
In other words, while these exploits are newly discovered, the way in which they are managed is nothing new. In fact, Google, Microsoft, and Intel have already begun issuing patches to help protect against the dangers of these newly-discovered vulnerabilities. However, before assuming that you’re protected, you need to ensure that your antivirus software incorporates the appropriate registry changes.
Meltdown and Spectre aren’t malware. Computer virus protection and endpoint security alone won’t protect you but that shouldn’t worry organizations. A SQL injection, which can infect a computer once an employee has clicked on an infected website, is more dangerous. Yampolskiy reminded readers that for hackers to leverage Meltdown and Spectre, they still need access to the computer.
Yes, physical access is going to be key to protecting your IT environment from these exploits. However, without distance access, they are a lot less frightening.
Security awareness training is still the main protection against the worst vulnerabilities in your ecosystem. These new exploits can only work when an individual has access to your offices and devices. If you want to protect against Meltdown and Spectre, you need to focus on security awareness training which means ensuring that your employees recognize that even their personal activities can be dangerous.
As Yampoliskiy reminds “as a former CISO and a security professional, I would still be much more worried about a phishing attack or user security awareness - than this type of an exploit. So it would not get me to change much in my security program - besides ensuring that I patch on a regular basis and apply security updates.”
Yampolskiy noted today one example of how Meltdown and Spectre, “The proliferation of IOT devices only makes these attacks more dangerous since your vendors could be accessing a security camera installed in your offices.”
You can’t control your vendors, but you can monitor them.
Security Scorecard provides detailed information in 10 risk categories ranging from network security to patching cadence, enabling organizations to closely and continuously monitor their risk ecosystem. Beyond monitoring, the collaborative features of the tool allow those organizations worried about risks posed by vendors to invite vendors to the platform to enable them to remediate vulnerabilities.
With hackers finding new ways to attack third-parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of IT security risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.
Calculating Total Risk Across 3rd Party Portfolios