With names straight out of an Ian Fleming novel, you would be forgiven for thinking that this post was all about 007’s latest adventures, but in fact it’s a post about transient execution CPU vulnerabilities – not as sexy, I admit, but a vulnerability that does have the ability for world domination – so a bit like a Bond film (not really!)

All about performance

A transient execution CPU vulnerability is the term given to a type of vulnerability in which the speculative execution optimisation implemented in a microprocessor is exploited to leak secret data to an unauthorised party.

Speculative execution?

If a CPU operation cannot be performed because some earlier slow operation (such as a memory read) has not yet completed, the CPU may attempt to predict the result of the earlier operation (based on recent behaviour of the system) and execute the later operation speculatively, acting as if the prediction was correct.

When the earlier, slower operation completes, the CPU determines whether the prediction was correct or not. If it was correct then the execution proceeds uninterrupted; if it was incorrect then the CPU rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation.

Overall, this greatly improves the performance of the system.

Transient instructions and data compromise

A transient instruction is one that the CPU processes in error and which can affect the micro-architectural state of the processor, while leaving the architectural state without any trace of execution – it is as if the speculatively executed code “never happened”.

Speculative execution may however affect the state of certain components of the CPU, such as the cache, and these effects may be discovered by careful monitoring of the timing of subsequent operations.

If an attacker can arrange that the speculatively executed code (which may be directly written by the attacker, or may be present due to a software vulnerability) operates on secret data that they would normally be unauthorised to access, they may be able to discover the value of that secret data.

Spectre & Meltdown

Discovered in 2018, Spectre and Meltdown are the names given to two transient instruction vulnerabilities identified at the same time.

Spectre is a vulnerability that tricks a program into accessing arbitrary locations in the program’s memory space, allowing an attacker to read the content of the accessed memory and thus potentially obtain sensitive data.

Meltdown is a vulnerability which utilises a CPU race condition that can arise between instruction execution and privilege checking.

With Meltdown, an instruction execution leaves behind certain side effects that constitute information not hidden from the process by the privilege check. The process carrying out Meltdown then uses these side effects to infer the values of memory-mapped data, thus bypassing the privilege check and allowing for unauthorised data access.

Detailed information about both Spectre & Meltdown attacks can be read here

Downfall

Downfall, known as Gather Data Sampling (GDS) by Intel, is a vulnerability which has been recently identified in a number of current Intel CPUs.

Intel has released a list of all affected CPU variants on its website.

The vulnerability was discovered by security researcher Daniel Moghimi, who has been allowed to publicly release the information about the vulnerability after a year-long embargo period which has allowed Intel to mitigate the issue.

Downfall is a transient execution CPU vulnerability which relies on the speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of the vector registers.

The vulnerability can be triggered by a malicious actor to access and steal data from other users who share the same computer.

For example, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages.

Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

Detailed information about Meltdown can be read here.
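
On Linux, the kernel reports whether the running machine is affected by, or mitigated against, each of the issues named in this post through one status file per issue under /sys/devices/system/cpu/vulnerabilities (Spectre is reported as two variants). The script below is an added example, not part of the original post; the labels, function names and the sample status lines are constructed for illustration.

```python
from pathlib import Path

# Linux reports per-issue CPU vulnerability status in this sysfs directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Labels (ours) mapped to the kernel's sysfs file name for each issue in this post.
ISSUES = {
    "Spectre v1": "spectre_v1",
    "Spectre v2": "spectre_v2",
    "Meltdown": "meltdown",
    "Downfall (GDS)": "gather_data_sampling",
}

# Constructed sample status lines in the kernel's format, not read from a real host.
SAMPLE = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; RSB filling\n",
    "meltdown": "Mitigation: PTI\n",
    "gather_data_sampling": "Vulnerable: No microcode\n",
}

def classify(status):
    """Reduce one status line to not_affected, mitigated, vulnerable or unknown."""
    if status is None:  # file missing: this kernel does not report the issue
        return "unknown"
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: Dependent on hypervisor status"

def read_status(name, base=SYSFS_DIR):
    """Return the raw status line for one issue, or None if it cannot be read."""
    try:
        return (Path(base) / name).read_text()
    except OSError:
        return None

def report(read=read_status):
    """Classify every issue in ISSUES using the supplied reader function."""
    return {label: classify(read(fname)) for label, fname in ISSUES.items()}

def needs_attention(rep):
    """Issues that are unmitigated or whose status the kernel cannot determine."""
    return sorted(k for k, v in rep.items() if v in ("vulnerable", "unknown"))
```

Calling report() on a Linux host reads the live files, while report(read=SAMPLE.get) runs the same classification over the constructed sample. An "unknown" result for Downfall usually means the kernel is too old to report it, or that the system is a virtual machine whose status depends on the hypervisor.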