CPU Vulnerabilities – How Flaws Can Lead to Exploits

Finjan Team | Blog, Cybersecurity


As we’ll see in a moment, design flaws and other weaknesses in the central processing unit (CPU) of a computer or mobile device can create, and in fact have produced, a number of vulnerabilities that are causing concern to hardware manufacturers and users the world over.

They have reason to worry because, in the assessment of Google, “effectively every” variation of one particular brand of processor released since 1995 is vulnerable to one of the discovered vulnerabilities, regardless of the operating system you’re running, or whether you have a desktop system or laptop.

On that somber note, we’ll begin our own assessment of the situation of CPU Vulnerabilities.

Some Basic Concepts, To Start

The Central Processing Unit or CPU of a desktop/laptop computer or mobile device is responsible (among other things) for interpreting commands and actions from the user, and acts as a mediator between the internal operating system (OS) and any external documents, files, and application software created or installed by the user.

A fast or powerful CPU is crucial to good system performance, and for many years a number of mechanisms have been incorporated into the design of processors to boost their performance.

A mechanism called speculative execution is used to improve the response time of CPU chips. Essentially, the technique involves predicting what the processor is most likely to be called upon to do in future, then doing it early. So if, for example, a CPU discovers that a particular program uses a specific function on a regular basis, the chip may perform the calculations that function requires in advance.

Calls to a computer’s Random Access Memory or RAM (the non-permanent storage essentially bolted on to the system to do real-time number crunching and other tasks specific to the software and other processes) take time to come through. And even though modern systems typically come with generous stores of RAM, it’s a finite resource.

A mechanism known as caching is used to speed up memory access for CPUs. A small amount of memory space which can be accessed very rapidly is set aside on each CPU chip. This area is called a cache, and any information that the processor requires immediately may be temporarily stored here. This includes the data from the calculations and other tasks associated with speculative execution.

While caching and speculative execution can provide performance benefits, they both may also work in opposition to a security principle known as protected memory. This basically boils down to the idea that no process on a computer system should be allowed access to information that it doesn’t have a right to.

Protected memory empowers software applications to keep some of their information private – both from the user and from other processes running on the system. The kernel of an operating system forms a part of this protected memory area, and has complete access to the OS, with the highest possible level of permissions. It also enables the operating system to prevent one program from seeing data that belongs to another. A privilege check is performed on each process that expresses a need for certain information, to determine whether it has the authority to access it.

But while this privilege check is being run (and it can take a relatively long time), CPU chips are still free to engage in speculative execution and caching for the tasks that they expect they’ll have to perform next. And during this period, the information that they produce or store is available on the chip, and potentially capable of being extracted and interpreted by outside forces.

This conflict between processes is the principal source of a number of CPU vulnerabilities which have already been discovered.

CPU Vulnerabilities to Worry About

Discovered in late 2017 and first made public in early 2018, three mechanisms that exploit CPU vulnerabilities caused by caching and speculative execution have been making the news ever since, under their given names of Spectre and Meltdown.

Spectre is the collective term for two of these vulnerabilities. It takes advantage of speculative execution by attempting to read an element of protected memory that doesn’t exist. This provokes a reaction from the processor, which disturbs its memory cache in a detectable way. Reading these signs, an attacker can make deductions about the data that was speculatively read.

Meltdown breaks or melts the security boundaries normally enforced by a CPU and its associated hardware. Using this mechanism, an attacker could run a program on a machine to gain access to information from all over the system that it wouldn’t be able to reach under normal circumstances – including top-level data that only administrators and privileged users should see.

Discovery of the Spectre and Meltdown flaws was just the tip of the iceberg, and researchers have been unearthing fresh variants and tweaks on them, throughout this year.

In March 2018, a team at Ohio State University revealed a way of using the Spectre design flaw to break into the Software Guard eXtensions or SGX environment of an Intel CPU. This secure area normally allows applications to put a defensive ring or enclave around sections of memory to block other programs, the operating system, or a hypervisor from gaining access. Dubbed SgxPectre, the exploit discovered by the team allows an attacker with direct access to a computer to use malicious code to breach and read its memory.

May 2018 saw the discovery of the Speculative Store Bypass, a “side-channel” exploit capable of affecting AMD, ARM and Intel CPUs. This was made public by Microsoft and Google’s Project Zero.

In July, Vladimir Kiriansky at MIT and independent researcher Carl Waldspurger discovered a new variant on this theme, in the form of speculative buffer overflows. It works in a similar fashion to the Spectre method of querying a protected memory array for a value that doesn’t exist to provoke a traceable response, but instead attempts to write a non-existent value to memory.

The Potential Damage of CPU Vulnerabilities

Though these exploits may sound theoretical (and actual attacks using them are still in a developmental stage), they do have potential applications in the real world.

Mechanisms like Spectre and Meltdown which allow access to a system’s kernel memory could give an attacker virtually limitless powers and privileges over the machine. These could allow them to expose highly sensitive data held in protected memory, such as passwords, cryptographic keys, personal photographs, or emails.

Independent antivirus testing house AV-Test reports the existence of around 139 separate code samples which exploit the Spectre and Meltdown vulnerabilities. Among them are the first JavaScript exploits, which specifically target web browsers and render them particularly vulnerable to the Spectre attack.

Even cloud environments aren’t safe. Spectre exploits are capable in theory of stealing data from any processor – and this would include data from any virtual computer running on shared hardware.

Brands of CPU Affected

If your computer or mobile device was manufactured within the past 20 years, it’s pretty safe to assume that its CPU will be susceptible in some way to at least one of the CPU vulnerabilities that we’ve described.

Intel CPUs, AMD, and ARM processors are all affected by Spectre or its variants, so the CPU chips inside mobile phones and tablets are also vulnerable to it.

Meltdown principally affects Intel CPUs and their derivatives, because of their heavy reliance on speculative execution. It also affects Apple CPU chips and ARM’s Cortex A75. AMD chips have been largely unaffected – but the company has nonetheless issued some remedial patches for the flaw.

What’s Being Done to Help

Short of stripping out and reconstructing the entire CPU architecture of the last generation, there are no hardware fixes available for the types of CPU vulnerabilities that are currently threatening computer and device users across the globe. So manufacturers and vendors have been concentrating their efforts on firmware, operating system, and software patches, to address the weaknesses exposed by Spectre, Meltdown, and their off-shoots.

Intel’s first round of Spectre CPU firmware updates was found to cause system instability, but revised versions have been gradually rolling out. Users are advised to check for them on the website of their PC, laptop, or motherboard maker, rather than Intel itself. The company has also issued an updated software development kit (SDK) for SGX application providers.

AMD has released firmware updates for Meltdown, and an optional set of updates to protect against Spectre. ARM has added a new instruction for their CPU chips to insert a delay which thwarts the array element verification loophole that facilitates Spectre attacks.

Apple has addressed the CPU vulnerabilities issue via a number of updates, including patched versions of its macOS, iOS, and tvOS operating systems, and its Safari web browser. Other browser manufacturers have also issued Spectre and Meltdown-specific security updates to their software.

There’s been some controversy relating to operating system updates issued to combat these problems, with conflicting reports of system slowdowns after installation, ranging from as little as 10% to 50% and more, for certain applications. Microsoft Windows updates have been the biggest culprits so far.

For the future, it’s hoped that the next generation of CPU architectures will have resistance to these vulnerabilities (and any that are likely to follow them) built in, from the outset.
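
To check whether the firmware and operating system patches described above are actually in effect on a given machine, the following added example (not part of the original article) reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and flags any of the issues named here that are still unmitigated. It assumes a Linux system; the function names are illustrative.

```python
"""Report Spectre/Meltdown mitigation status from Linux sysfs (added example)."""
from pathlib import Path

# Patched Linux kernels expose one status file per known CPU flaw here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file names for the issues named in the article.
ARTICLE_ISSUES = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre (variant 1)",
    "spectre_v2": "Spectre (variant 2)",
    "spec_store_bypass": "Speculative Store Bypass",
}


def classify(status: str) -> str:
    """Map a kernel status string to one of four states."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(directory: Path = SYSFS_DIR) -> dict:
    """Return {file name: (state, raw text)} for each article issue."""
    result = {}
    for name in ARTICLE_ISSUES:
        try:
            raw = (directory / name).read_text().strip()
        except OSError:
            # Missing file: the kernel predates this interface or is not Linux.
            raw = ""
        result[name] = (classify(raw) if raw else "unknown", raw)
    return result


def needs_attention(statuses: dict) -> list:
    """Issues that are vulnerable or whose state could not be determined."""
    return sorted(name for name, (state, _) in statuses.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    statuses = read_statuses()
    for name, (state, raw) in statuses.items():
        print(f"{ARTICLE_ISSUES[name]:26} {state:13} {raw}")
    print("Needs attention:", ", ".join(needs_attention(statuses)) or "none")
```

An "unknown" result usually means the kernel is too old to report its status, which is itself a sign that updates are overdue.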
