The Meltdown and Spectre Cyber Attacks

White Paper February 2018

Prepared by: Raytheon 2214 Rock Hill Road, Suite 150 Herndon, VA 20170

Copyright © 2018, Raytheon Company. All rights reserved. THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. RAYTHEON MAKES NO WARRANTIES, EXPRESS OR IMPLIED, FOR THE CONTENT IN THIS DOCUMENT. Approved for release. E18-HHX2. This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.


Driving performance at the intersection of learning and business

Introduction

As of the beginning of January 2018, a multitude of articles, publications, tweets, and advisories have been released about the Meltdown and Spectre attacks. Together these two attacks affect nearly every CPU architecture in use today in desktops, servers, cloud servers, laptops and mobile devices. Information about these vulnerabilities is still being released, and some of it is contradictory or misleading. Raytheon's aim is to provide only information that is known and reported by well-respected sources, although some of the information provided here may later prove incorrect, as we are still in the early stages of disclosure.

What is it?

Both are speculative-execution attacks that use a "side-channel" to leak the contents of memory: the CPU is induced to access data it should not, and although the architectural result is discarded, the access leaves a trace in the CPU cache that can be read out by timing. Researchers report that the vulnerabilities can be exploited to read a computer's kernel memory as well as memory belonging to other applications. The attacks can be run repeatedly on a system with very little chance of a crash or other error that would stop the exploit, so an attacker can leak large amounts of memory over time. That memory can include the most sensitive data a system holds, such as passwords and other user and system secrets. Neither attack writes memory or grants privileges directly; the damage is disclosure of secrets that can then be used elsewhere.

Affected technologies include web browsers, CPUs, and operating systems. Based on our research, all vendors are working towards releasing security countermeasures for their respective technologies by the end of the month. Users should download and apply security updates, patches and/or firmware updates as they are released to prevent exploitation through Meltdown and Spectre. As always, patches and firmware should be fully tested before deployment to ensure they do not have a negative impact on the user's operational infrastructure.
Vulnerability Information and Scope of Impact

Review your CPU and/or OS vendor's website for details on whether your systems are affected. Intel, Microsoft and the Linux kernel developers have all released methods of determining whether a host is potentially affected or vulnerable (see the reference section). Those checks answer two different questions: whether the hardware is affected, which for Meltdown is essentially every out-of-order Intel CPU, and whether the operating system and microcode mitigations are installed and enabled on that particular host, which is what changes after patching.

The current Common Vulnerabilities and Exposures (CVE) IDs tracking these vulnerabilities are as follows:


Meltdown and Spectre in Depth

The Meltdown vulnerability can affect desktops, laptops and cloud-based servers. At this time researchers have indicated that it affects Intel processors that implement out-of-order execution, which includes nearly every Intel processor produced since 1995, with the potential exception of Intel Itanium and of Intel Atom CPUs produced before 2013. As mentioned above, check with your CPU vendor and, where applicable, use the tools provided by Intel and Microsoft to verify whether your systems are vulnerable.

The Spectre attack, according to the researchers, affects nearly all processors currently in use, including Intel, AMD, Qualcomm and some ARM processors. AMD has publicly stated that its processors are not affected by Meltdown and that Spectre variant 2 poses a near-zero risk on its architecture, while acknowledging that variant 1 applies; the researchers' tests and white paper report successful variant 1 results on AMD hardware. Given the range of processors involved, Spectre can affect desktops, laptops, cloud servers and mobile devices.

Both attacks can be carried out by executing a binary on the victim host. At this time there is no information pointing to a particular method of getting such a binary onto a victim, but the usual methods, such as phishing and fake Flash or font update lures that coerce users into running a malicious binary, are possible. Once the binary is running, the attacker still has to exfiltrate whatever it collects, typically over a command-and-control channel of the kind routinely observed in data exfiltration. Although this attack surface is no larger than for any other attack that depends on coercing binary execution, the consequences are much graver if the binary is allowed to run long enough: no data residing in memory would be safe from the attacker.
For in-depth technical information on the Meltdown and Spectre vulnerabilities and how they affect CPUs, see Stratechery's article by Ben Thompson and the Spectre attack website hosted by Graz University of Technology. Both hyperlinks are listed in the reference section.

Industry Impact

Web Browsers

Based on our research, multiple proofs of concept (PoCs) exploiting the vulnerabilities have been created. Several thorough tests against various processor architectures have produced positive results, although the code for those tests has not been released to the public. PoC code has been released for Spectre and can be compiled and distributed as a binary, though we have not observed reports or indications of any campaign or attack in the wild at this time. Initially the vulnerabilities were thought to be exploitable only through local binary execution. However, Mozilla has confirmed that they can be exploited remotely via JavaScript in Firefox, and that countermeasures were put in place in Firefox 57 (shipped in the 57.0.4 update on January 4, 2018). Google has also confirmed that Chrome is affected and has released an opt-in countermeasure (Site Isolation, enabled through the "Strict site isolation" flag) in version 63. The white papers released by the researchers also indicate that any browser built on WebKit is potentially affected.

On January 3rd, Mozilla confirmed that both attacks could be carried out from JavaScript running in the browser. The technique uses timing measurements within the browser to read data from the browser process's memory, which can include saved passwords. The change Mozilla shipped in Firefox 57 reduces the precision of performance.now() to 20 microseconds and disables SharedArrayBuffer, the two timing sources the attack depends on, which makes memory harder to read but, as further tests by researchers verified, is a countermeasure rather than a full mitigation. Both Mozilla and Google will release further countermeasures as soon as possible.


JavaScript Attacks

JavaScript attacks are by far the most dangerous, because they can be invisible to both the user and defenses, while binary execution requires user interaction and could be flagged by heuristics engines and EDR-type solutions. The published browser attacks depend on two JavaScript capabilities: a high-resolution timer (performance.now()) to measure cache access times, and SharedArrayBuffer, which lets a worker thread act as a counter and so rebuild a fine-grained timer even when the official one is coarsened. The main difficulty for defenders is that these same APIs are used by many legitimate services, so an attack built on them can easily be obfuscated to evade detection.

Cloud Services

Cloud providers that use Intel CPUs and Xen paravirtualization are impacted. Amazon Web Services (AWS) and Microsoft Azure have been working on patches and have informed customers that cloud instances will need to be rebooted in the coming days to apply them. There have been reports of performance degradation after patching, but not all systems are affected; organizations experiencing this should refer to their vendor for additional guidance.

CPU, ARM and OS Vendors

Intel, Nvidia and the OS vendors have provided updates based on the initial assessment of these vulnerabilities. All timelines and patch information are subject to change, and affected parties should review their vendors' websites for the patches and updates necessary to mitigate the vulnerabilities. AMD's response is organized around the three variants described in the Google Project Zero research; for details, consult AMD's website, which includes the AMD Response Matrix. AMD has stated that variant 1, bounds check bypass (the Google Project Zero title), should be resolved by software/OS updates with negligible performance impact expected.
Intel has released updates covering some of its products; consult Intel's website for the full scope of updates and the progress made so far.

Recommendations

Mitigation differs by variant, and early reporting has conflated them. Meltdown is mitigated by operating system updates: kernel page-table isolation (KPTI on Linux, with equivalent changes in Windows) unmaps kernel memory from user-space page tables, so the flawed speculative access has nothing to read, and no firmware change is needed for that. Spectre variant 2 (branch target injection) does require CPU microcode (firmware) updates from Intel, AMD or the system vendor, together with OS and hypervisor updates that use the new branch controls, or a kernel built with retpolines. Spectre variant 1 (bounds check bypass) is handled case by case in software, including kernels, compilers and browsers, and will keep recurring as new code is written. The hardware weakness itself remains until it is designed out of future CPUs, so the software and microcode updates reduce exploitability rather than remove the underlying flaw, and all of them should be applied. Multiple vendors have released information on the timing and schedules of patches and mitigations, which the main site for the vulnerabilities (https://spectreattack.com/) has done an excellent job of documenting.

This site has several Q&A posts that are very helpful, and it hosts the white papers describing the vulnerabilities, the tests and the researchers' results in detail. Contact your device manufacturers for more information on patches and updates. Microsoft has provided updates for Windows as of January 2018 and continues to work with industry partners per its Spectre/Meltdown FAQ; note that those January updates were only offered to systems whose antivirus product had set Microsoft's compatibility registry key, so verify that each host actually received them rather than assuming it did (the Get-SpeculationControlSettings PowerShell cmdlet in Microsoft's guidance reports whether the OS and microcode protections are present and enabled). Linux has incorporated KPTI as of late 2017, and kernels from 4.15 onward report mitigation status under /sys/devices/system/cpu/vulnerabilities/.


The Raytheon Approach

As an added layer of defense, it is important to continually address security issues before an attack can happen. In addition to updating technologies as the industry deploys countermeasures against Meltdown and Spectre, Raytheon recommends prevention using best-of-breed cybersecurity practices.

These cybersecurity practices include building defenses around potentially targeted assets, creating or improving a comprehensive cybersecurity program, implementing security-focused network architecture, and limiting the attack surface. Through this multi-step approach, organizations can improve their cyber resilience and grow their cybersecurity maturity to better handle threats.

Raytheon understands that cybersecurity maturity and building resilience to threats is a journey. As a leader in security, Raytheon provides cybersecurity services that range from professional services to active threat hunting. As a company, we are committed to helping our clients on the uncharted road to face the ever-increasing challenges that continue to threaten the industry.

References

https://spectreattack.com/
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
https://downloadcenter.intel.com/download/27150
https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/
https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw
http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
http://www.securityweek.com/intel-amd-chip-vulnerabilities-put-billions-devices-risk
https://www.amd.com/en/corporate/speculative-execution
https://stratechery.com/2018/meltdown-spectre-and-the-state-of-technology/
http://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-driver-security-updates-for-cpu-speculative-side
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

For further information contact: Raytheon 2214 Rock Hill Road, Suite 150 Herndon, Virginia 20170 USA

[email protected]

Copyright © 2018, Raytheon Company. All rights reserved