Blog
04.12.2018

Q&A: How to prepare for Spectre, Meltdown exploits — and next-gen ‘microcode’ attacks

By Byron V. Acohido, The Last Watchdog, April 12, 2018, with comments from Virsec’s Satya Gupta

If you think the cyber threat landscape today is nasty, just wait until the battle front drops to the processor chip level.

Related article: A primer on microcode vulnerabilities

It’s coming, just around the corner. The disclosure in early January of Spectre and Meltdown, critical vulnerabilities that exist in just about all modern computer processing chips, introduced virgin territory for well-funded, highly motivated criminal hackers. And this is where the front lines will inevitably shift — to a much deeper level of the digital systems we take for granted.

Spectre and Meltdown are the first examples of a new class of flaws so deep and so profound that they really can’t be fixed until the next generation of chips gets here. That suggests that well-financed, highly motivated criminal hacking rings have years, if not a decade or more, ahead of them to take full advantage.

We are in this predicament because the chipmakers, led by Intel, AMD and ARM, aided and abetted by the operating system suppliers, Microsoft, Apple and Linux, made a decision in 1995 to toss security in the back seat as they embarked, hell bent, on a race to build and leverage faster and faster Central Processing Units, or CPUs.

The chipmakers came up with a technique, called “speculative execution,” essentially taking shortcuts at the chip level, slightly delaying verification checks to buy more clock speed. Meltdown and Spectre represent two approaches hackers can now take to manipulate speculative execution at the chip level and thereby gain access to any sensitive data residing a level above — in the operating system memory.

Last Watchdog recently asked Satya Gupta, founder and CTO of Virsec, a supplier of data security systems, to put this into a broader context. Here are excerpts from that discussion edited for clarity and length.

LW: Given problems with the first rounds of patching, it seems like it may not be feasible to fix the current generation of chips. Is that truly the case?

Gupta: That’s correct. The initial patches were rushed out the door and had many unintended consequences – crashed applications and some machines turning into bricks. Even if they work, the patches try to effectively turn off speculative execution, but that can kill 30% of performance and that’s unacceptable for most organizations. Other recommendations require changing and recompiling application source code – a non-starter for most organizations with complex software stacks. The problem may be fixable in a next generation of chips, although it’s taken Intel several months to even promise a future fix. But then you have to flush out all the billions of flawed chips in the world. That will take many years and may never be fully completed. As long as there are flawed chips in service, there will be security gaps.

LW: There has been a lot of attention lately on so-called fileless attacks and memory attacks. How does Spectre and Meltdown fit into this trend, if at all?

Satya Gupta

Gupta: They actually are the latest, most sophisticated examples of fileless and memory-based attacks.

Fileless attacks are pretty broad, covering anything that doesn’t have a malicious binary file that you can track and block with a signature. This can be any type of manipulation where hackers tweak an existing process or tool, as opposed to inserting a traditional virus.

Memory attacks are a growing subset of fileless attacks. Keep in mind, most programs nowadays, especially cloud-based programs, are running in memory, not sitting idly on a disk. Because they target applications in runtime memory, a lot of these exploits are below the surface of what people normally worry about. These types of attacks manipulate legitimate processes to corrupt systems and take control. Spectre and Meltdown do this at a deeper level that has been ignored by the security industry.

LW: So fileless and memory-based techniques come into play as part of a multi-stage attack, then?

Gupta: Exactly. Most attacks are carried out in several steps. An attacker may start by phishing a username and password. From there they can roam around your network, hijack a server with a command shell and lay low until they can poison the memory of a critical process, ultimately to steal data or disrupt critical systems. Memory is playing an increasing role in what’s happening in high profile attacks like WannaCry, NotPetya, Industroyer, Triton and many others.

LW: Some observers say the complexity of chip flaws limits the likelihood of widespread attacks? Do you agree?

Gupta: That’s naïve. People said the same thing about memory-based attacks and now they are wide-spread and have become a leading type of attack. Attackers are increasingly sophisticated, well-funded and organized. Now that Spectre and Meltdown are here, malicious parties inevitably are hard at work figuring out ways to exploit them. The financial motivations and risks are just too high to pretend otherwise.

Businesses should at least be aware of Spectre and Meltdown and have a plan to protect critical applications and data. Attacks are likely to start making news in 2018 and will ramp up in 2019. This will become yet another tool in the hacker arsenal to add firepower to other fileless and memory-based attack techniques.

LW: How are security vendors responding to this?

Gupta: It’s a difficult problem to solve, and very few vendors even have visibility between applications and process memory. Most security vendors will continue to try perimeter approaches to identify threats, but this is looking in the wrong direction and won’t be effective against Spectre and its variants. The problem needs to be solved at the application/process memory level, where few vendors have expertise.

LW: Virsec is bringing a working Spectre exploit to RSA next week. What will you demonstrate?

Gupta: We will be showing a live instance of Spectre running and extracting sensitive cache data in real-time. Users will be able to type names, mock credit card numbers, or other sensitive data into an isolated web server attack. Our Spectre emulator will be running side-channel attacks against the processor cache and will then extract the user data, which we’ll display live on a hacker-side screen. It’s not easy to do this, and our engineers have very specialized skills to make this work. Of course, we’ll also show how Virsec stops this by selectively fencing sensitive data from speculative execution, eliminating the user data from the cache, without a big performance hit.

LW: What’s the exposure for the big cloud service providers, such as AWS, Azure and Google Cloud?

Gupta: The cloud providers have the most to lose and have been hit hardest by the performance tradeoffs of current solutions. They will all claim to solve the problem, either by re-writing their code, or increasing other defenses. Hackers will likely pick easier targets first, but the stakes for cloud providers are very high.

LW: What approach should companies take?

Gupta: Take Spectre and Meltdown and this entire new vector of attack very seriously. Even though there hasn’t been an exploit in the wild that we know about, these are real, exploitable vulnerabilities at a level no one has dealt with before. Everything is running on flawed processors, so the time is now to focus on protecting mission-critical application. The biggest threat is to enterprise servers and applications – either on-premise or in the cloud.

Article By Byron V. Acohido, The Last Watchdog, April 12, 2018

(Editor’s note: Last Watchdog has supplied content consulting services to Virsec.)