CPU Vulnerabilities “Meltdown” and “Spectre”

2018-01 ATS Security Advisory

Summary

A new class of vulnerability was recently discovered and reported by security researchers. Two specific examples of this class, called “Meltdown” and “Spectre”, can allow an attacker to read memory that should be inaccessible to them: Meltdown lets an unprivileged process read kernel memory, and Spectre lets a process read memory belonging to other processes. This memory may contain information intended to be kept secret, such as passwords and other sensitive data. In cloud environments, where physical processors are shared between customers, this can allow one tenant to read memory belonging to other tenants. Since the flaw lies in the processor hardware itself, it cannot be patched directly; it must be mitigated in software and, for some variants, with processor firmware (microcode) updates. Microsoft, Apple, and the Linux kernel developers have released patches to mitigate this class of vulnerability in Windows, macOS and Linux, respectively. The published Meltdown exploits are only consistently successful against Intel processors; Spectre affects Intel, AMD and ARM processors alike.

ATS is currently working to mitigate this vulnerability in all managed systems. Customers hosted in the Azure Cloud are already protected. Operating system vendor patches are being reviewed and deployed to other managed systems.

Details

Modern computer systems isolate memory between user processes and the kernel (the operating system). This is an important security feature: it prevents a process from reading or writing arbitrary memory belonging to other processes or to the operating system itself. For example, a photo editing application should not be allowed to read the memory where a password manager stores its secrets, and a web server should not be allowed to read login credentials out of kernel memory. This isolation is implemented by the operating system and enforced by features of the processor, and the security of the whole system rests on it.

Modern processors use clever techniques to improve performance. One, known as “out-of-order execution”, lets the processor look ahead and execute instructions that would otherwise be delayed if processed strictly in program order. For instance, while an instruction is waiting for data to arrive from main memory (hundreds of cycles away), the processor executes later instructions that do not depend on that data. Another, known as “branch prediction”, lets the processor guess which path a program will take at a conditional branch and execute the instructions on the guessed path before the condition is known. If the guess was wrong, the results of those instructions are discarded and the program's registers and memory are exactly as if they had never run. What is not discarded is the effect those instructions had on the processor cache: any memory they touched stays cached, and that leftover trace is what the attacks exploit.

Researchers combined out-of-order execution with a known cache side-channel attack called “FLUSH+RELOAD” to let an ordinary user process read kernel memory (this is Meltdown; Spectre applies the same idea to branch prediction to read across process boundaries). The attacking program first flushes an array it owns out of the processor cache, then issues a read of a kernel address. Memory isolation means the processor will eventually reject that read with a fault, but because of out-of-order execution the instructions that follow it are executed before the fault is delivered, using the secret value that was loaded. The attacker arranges those instructions so that the secret byte selects which line of its array is loaded into the cache. The fault then arrives, the results are rolled back, and the secret value is never delivered to the attacking program directly. The cache, however, still holds the one array line the secret selected. The attacker cannot read the cache directly either, but the “RELOAD” half of the attack measures how quickly each line of the array loads: the line that returns fast is the one already cached, and its position reveals the secret byte. Repeating this byte by byte lets the attacking process read kernel memory.

Risk Mitigation Steps Taken by ATS on Behalf of Clients

Spectre and Meltdown represent a new class of vulnerabilities that leverage speculative execution. They affect a wide range of processors (including Intel, AMD and ARM) and can be exploited not only from native code but also from managed runtimes such as the JavaScript engines in web browsers. Some patches for these vulnerabilities have caused degraded performance. In short, mitigation of these vulnerabilities is complex and ongoing.

Microsoft Azure infrastructure VM instances were updated with mitigations before public disclosure of the vulnerabilities. [0]

Managed Microsoft Windows systems have been updated to protect the operating system and the Edge browser. In some cases, full protection also requires processor firmware (microcode) updates, which are ongoing. [1]

Managed Apple hardware running supported versions of iOS and macOS has been updated with Apple-provided mitigations. [2]

Managed Ubuntu Linux systems have been updated with the kernel mitigations. [3]
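How a Linux administrator can confirm that the kernel mitigations are actually active, as an added example that is not part of the ATS advisory: Linux 4.15, and distribution kernels that backported the fixes (Ubuntu's included), report the status of each issue in one file per issue under /sys/devices/system/cpu/vulnerabilities/. The function below takes that directory as a parameter so it can be pointed at a live host or, as in the demonstration, at a constructed tree; the sample status strings follow the kernel's format, and the "Vulnerable: Minimal generic ASM retpoline" line is the kind of partial-mitigation report an early 2018 kernel gives. Microsoft publishes a PowerShell module, SpeculationControl, for the same purpose on Windows.

```shell
#!/bin/sh
# Added example, not part of the ATS advisory: confirm from the kernel's own
# report that the Meltdown/Spectre mitigations are active on a Linux host.
# Linux 4.15 (and distribution kernels that backported the fixes) exposes one
# file per issue under /sys/devices/system/cpu/vulnerabilities/, for example:
#   meltdown   -> "Mitigation: PTI"
#   spectre_v1 -> "Mitigation: __user pointer sanitization"
#   spectre_v2 -> "Vulnerable: Minimal generic ASM retpoline"

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<kernel status text>"  -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo ok ;;
        Vulnerable*)                  echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# check_mitigations [DIR]
# Prints "<issue>: <verdict> (<kernel text>)" for each file in DIR (default: the
# live sysfs tree). Exit status: 0 = every issue mitigated or not affected,
# 1 = at least one issue still vulnerable (or unrecognised), 2 = DIR missing,
# i.e. the kernel predates the reporting interface and must be treated as unpatched.
check_mitigations() {
    cm_dir="${1:-$VULN_DIR_DEFAULT}"
    if [ ! -d "$cm_dir" ]; then
        echo "$cm_dir not found: kernel does not report mitigation status" >&2
        return 2
    fi
    cm_rc=0
    for cm_file in "$cm_dir"/*; do
        [ -f "$cm_file" ] || continue
        cm_status=$(cat "$cm_file")
        cm_verdict=$(classify_status "$cm_status")
        printf '%s: %s (%s)\n' "${cm_file##*/}" "$cm_verdict" "$cm_status"
        [ "$cm_verdict" = ok ] || cm_rc=1
    done
    return "$cm_rc"
}

# Demonstration against a constructed tree standing in for a host's sysfs
# (sample values, not read from a real machine). Run "check_mitigations" with
# no argument to inspect the machine you are on.
demo_tree=$(mktemp -d)
printf 'Mitigation: PTI\n'                           > "$demo_tree/meltdown"
printf 'Mitigation: __user pointer sanitization\n'   > "$demo_tree/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$demo_tree/spectre_v2"
if check_mitigations "$demo_tree"; then
    echo "all reported issues mitigated"
else
    echo "host still exposed"
fi
rm -rf "$demo_tree"
```

A missing directory is deliberately reported as a failure rather than silence: a kernel old enough not to have the interface is also too old to carry the fixes, so "no data" must be read as "unpatched" when sweeping a fleet.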

What Can You Do?

This is a serious issue that affects almost all servers, workstations and laptops; some tablets and phones are affected as well. ATS will mitigate these vulnerabilities on all affected managed systems. It is important that all systems are updated, including unmanaged and personal devices, so please apply the operating system, browser and firmware updates your vendors have published to any unmanaged or personal computers.

Feel free to contact [email protected] with any questions or concerns. As always, we value hearing from our clients about general and specific security concerns so that we can provide the best possible services.

[0] https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
[1] https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
[2] https://support.apple.com/en-us/HT208394
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown