Meltdown and Spectre are a family of security attacks that operate at the hardware-level of modern processors. Some of the attack variants have supposedly been mitigated by microcode and BIOS patches issued by the processor vendors; however, new research published by Cornell University reveals several new attack vectors and the report suggests that the previously-issued fixes and patches may be less than effective. These newly-identified vulnerabilities will be of particular interest to organisations that use cloud hosting, as they raise the possibility of an attacker or malware escaping from a virtual machine and being able to pivot an attack into other virtualised hosts and environments which are hosted on the same physical server.
Modern processors use a number of tricks in order to boost their performance, including executing instructions in parallel and even out of order. This is done, for example, by using mechanisms that predict the likely outcome of decisions and perform the next step anyway. If the prediction is correct – the next instruction has already be executed and so time is saved, if the prediction is wrong then the predicted data is simply discarded and the correct next instruction is executed. These types of instruction are known as ‘Transient Executions’ because where the results of wrong predictions are discarded (or rolled-back), they vanish – as if they had never happened. Or at least that is the idea.
The root of the Meltdown and Spectre attack families is that the rolling-back of incorrect predictions is not fully effective and traces are left in elements of the CPU (such as the CPU cache), which can be examined and used to infer useful information. This is because at the micro-architectural level in the CPU, some elements are shared across cores so a process running in CPU core 0 could access data left in the CPU cache by a process running in CPU core 1. Malware or an attacker can execute instructions within its own CPU core to make this much more likely.
It is worth remembering that ‘the cloud is just someone else’s server’ and to be secure we have to not only secure our virtual environment correctly but also trust the hosting provider has secured their network and server hardware to prevent malware or attacks being pivoted from one client’s system to another.
System Administrators responsible for in-house (private cloud virtualised environments) should consider carefully whether to separate Virtual Machines (VMs) onto different physical hosts based on their security risk, to avoid the risk of an Internet-facing VM being compromised and malware escaping the VM to attack another virtual machine hosted on the same hardware. If you are using a hosting provider, you would be wise to check their plans and progress implementing available patches from the hardware vendors and also to research and apply future patches to the CPU and BIOS, given the findings from Cornell that many existing mitigations are not fully-effective against the vulnerabilities which cause Meltdown and Spectre attacks to be successful.
You can get more information on this article from the following link to the research paper:
A Systematic Evaluation of Transient Execution Attacks and Defenses
