This is a write up I did, after reading the white paper and investigating the workings of speculative execution. I was genuinely interested in how it all played out and how this seems like the year for exploits and vulns.
I’m legitimately wondering if this ever did get weaponized yet. I’ve often thought about trying to implement it with BEeF as a post module of sorts as a JavaScript payload.
Also take note, that I really didn’t have the energy to try to read through Spectre even though its probably the worst one.
A non-technical synopsis of the microprocessor and kernel flaws.
Meltdown (CVE-2017-5754)
You might be hearing about these things in the news, or social media, or even your tech savvy friends. Meltdown this, Spectre that, meanwhile the scale of this flaw appears to be affecting nearly every device manufactured within the past decade. What’s more is the level of confusion upon first disclosure, seemingly it was only Intel affected by the flaws within it’s processors microcode, however throughout the day and the days that followed Spectre was introduced which pulled AMD, ARM, and Qualcomm microprocessors into the fray.
Fast forward the clock to today; as the world watches and waits hoping that this nightmare can be patched. Rumors and working code and theory continue to swirl about regarding mitigations, performance drops, and exploitability. Reviewing all the documentation surrounding the issue, it seems there is one clear answer in sight… Patches are coming, and in a hurry.
As developers of applications, operating systems and microprocessor microcode set to the monumental task of patching, we can appreciate this massive cause for alarm.
Meltdown
Starting with Meltdown, this was the first in the series of flaws within Intel’s (Possibly AMD, ARM, Qualcomm) processor microcode in which an instruction within the processor known as “out-of-order” execution. This flaw resides entirely on the out-of-order execution to essentially break-out of the “userland” process’s mapped memory to reading kernel memory. This method previous to the incoming patches, could bypass all protections of the host machine, include ASLR, anti-virus, kernel protections, as well as the CPU “privileged check bit”. The privileged check bit is what effectively set kernel memory access.
At a high-level Meltdown’s flaw can be summarized as the ability for userland applications to read all mappable memory contents, including kernel protected addressed memory, however I still suggest giving the technical papers a review. When performing “out-of-order” execution the CPU will attempt to predict and execute, but not commit to actual memory or registers. This in effect allows rapid processing of data due to the processor attempting to prefetch and execute the dependency free instructions without actually performing a commit to memory. While parallel computing performance were increased, it added the fatal flaw…
Meltdown – THE FLAW
Suppose I developed an application or binary that’s sole purpose was to be executed. I don’t care about what level of OS permission I have, nor do I care about what software protections are in place. At execution the application will force an exception within its execution sequence (Idk… divide by zero, doesn’t matter just hit the OS exception handler).
The instructions that follow on are still problematically executed in advance and its resulting data is stored within the microprocessor’s cache, as well as the memory registers, but never commit. This exception is trapped by the exception handler that locks the kernel down and terminates the application. The issue from this is that follow-on code without any dependencies, normally cannot access memory beyond it’s applications bounds, however and more interestingly is that all prefetched executions are performed as if the “CPU Privileged Check Bit” was set to true, effectively executing the instructions and reading kernel addressed memory then transmitting via side-channel attacks such as “Flush+Reload” in time-based attacks.
IMPACT
Consequences from this are limited to what is contained within memory, however this goes beyond your typical workstation. Meltdown can also cross the hyper visor isolation and read into the physical memory. Most impacted are data centers, virtualization servers, and share web hosting. All it would take is one malicious actor to dump the entire server’s physical memory, which more likely than not secrets from other shared virtual servers.
Full memory disclosures are possible with this flaw.
Potential performance impacts from removing the out-of-order execution are speculative from anywhere at no impact, to upwards of up to 30% degradation of performance.