Originally published in Jan 2018, at Onica.com/blog
This article is a brief overview of Meltdown and Spectre, two processor bugs that pose security risks in the cloud, what we understand about them so far, and the next steps.
As you have undoubtedly heard, Google® Project Zero released information about two vulnerabilities in modern processors: Meltdown and Spectre.
Note: This is a simplified take on these very complex bugs and is not a complete analysis. The academic papers on both bugs are available at meltdownattack.com and spectreattack.com.
Meltdown impacts Intel® CPUs going back to the Pentium II®, and Spectre impacts those Intel chips plus AMD® and ARM® chips. Both bugs let an attacker bypass memory protection and read memory that should not be accessible to them. In both cases the root cause is a CPU performance optimization whose side effects were never meant to be observable.
Meltdown exploits out-of-order execution in Intel CPUs: a user-space process issues a load from a kernel address, the CPU executes that load and the instructions that depend on it before the privilege check completes, and although the faulting load is eventually squashed, the data it fetched leaves a trace in the cache. Because the kernel normally keeps all of physical memory mapped in its address space, Meltdown effectively lets any unprivileged user-space process read all of the physical memory on the machine.
Spectre abuses branch prediction and speculative execution. The attacker trains the branch predictor so that a victim process speculatively executes code that reads from an arbitrary memory location; the speculative read is discarded architecturally, but its effect on the cache is not, and a timing side channel recovers the data. The victim is coaxed into leaking its own memory, so sandboxed code (for example JavaScript running in a browser) can read the memory of the process hosting it.
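What the two attacks share is the cache side channel that turns a squashed speculative load into readable data. The following is an added example, not code from the original post: a Flush+Reload covert channel in C for x86-64 (it assumes rdtscp and clflush are available; on other architectures the timing helpers are stubs and leak_byte() reports -1). It does not read kernel memory. The transmitter touches a constructed secret string architecturally, at exactly the point where Meltdown would touch a kernel byte transiently, and the receiver recovers each byte by flushing 256 probe lines, letting the transmitter run, then timing the reload of every line; the one line that hits names the byte.

```c
/* Flush+Reload covert channel: the receiver side shared by Meltdown and Spectre.
 * Added example, not from the original post. Assumes x86 with rdtscp/clflush;
 * elsewhere the timing helpers are stubs. The secret is a constructed string
 * in this process; no kernel memory is read. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define PAGE   4096   /* one probe line per page keeps the prefetcher out of the way */
#define ROUNDS 32     /* repeat and vote to ride out cache noise */

static uint8_t probe[256 * PAGE] __attribute__((aligned(PAGE)));

/* Cycles taken by one load of *p: a cached line is far faster than a flushed one. */
static inline uint64_t time_access(volatile uint8_t *p)
{
#if HAVE_X86
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                     /* volatile: the load is not optimised away */
    _mm_lfence();                 /* wait for the load before reading the counter */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p; return 0;
#endif
}

static inline void flush_line(volatile uint8_t *p)
{
#if HAVE_X86
    _mm_clflush((const void *)p);
    _mm_mfence();                 /* clflush is weakly ordered; fence before reloads */
#endif
    (void)p;
}

/* Transmitter. In Meltdown this load runs transiently on a kernel byte and is
 * squashed, but the probe line it pulled into the cache survives. Here the byte
 * is one we own, so the load simply executes. */
static void transmit(const volatile uint8_t *secret_ptr)
{
    volatile uint8_t *vp = probe;
    (void)vp[(*secret_ptr) * PAGE];
}

/* Decode one round: exactly one line below the threshold names the byte.
 * Returns -1 for a noisy round (no hit, or more than one). */
int decode_byte(const uint64_t times[256], uint64_t threshold)
{
    int hit = -1, hits = 0;
    for (int i = 0; i < 256; i++)
        if (times[i] < threshold) { hit = i; hits++; }
    return hits == 1 ? hit : -1;
}

/* Byte with the most votes across rounds; -1 if no round decoded anything. */
int best_vote(const int votes[256])
{
    int best = -1, best_n = 0;
    for (int i = 0; i < 256; i++)
        if (votes[i] > best_n) { best_n = votes[i]; best = i; }
    return best;
}

/* Midpoint between a cached and a flushed access on this machine. */
static uint64_t calibrate_threshold(void)
{
    volatile uint8_t *p = probe;
    uint64_t hit = 0, miss = 0;
    for (int i = 0; i < 100; i++) {
        (void)*p;                     /* warm the line */
        hit  += time_access(p);
        flush_line(p);
        miss += time_access(p);
    }
    return (hit / 100 + miss / 100) / 2;
}

/* Receiver: flush, let the transmitter run, reload and time every line, vote. */
int leak_byte(const volatile uint8_t *secret_ptr, uint64_t threshold)
{
#if !HAVE_X86
    (void)secret_ptr; (void)threshold;
    return -1;                        /* no cycle counter to time with */
#else
    int votes[256] = {0};
    uint64_t times[256];
    for (int r = 0; r < ROUNDS; r++) {
        for (int i = 0; i < 256; i++) flush_line(&probe[i * PAGE]);
        transmit(secret_ptr);
        for (int i = 0; i < 256; i++) {
            int j = (i * 167 + 13) & 255;   /* stride through lines, not 0..255 */
            times[j] = time_access(&probe[j * PAGE]);
        }
        int b = decode_byte(times, threshold);
        if (b >= 0) votes[b]++;
    }
    return best_vote(votes);
#endif
}

int main(void)
{
    static const char secret[] = "constructed-secret";   /* constructed input */
    memset(probe, 1, sizeof probe);   /* fault every probe page in up front */
    uint64_t thr = calibrate_threshold();
    printf("threshold: %llu cycles\nleaked: ", (unsigned long long)thr);
    for (size_t i = 0; i < strlen(secret); i++) {
        int b = leak_byte((const volatile uint8_t *)&secret[i], thr);
        putchar(b >= 0 ? b : '?');
    }
    putchar('\n');
    return 0;
}
```

Build with `gcc -O1 -o flush_reload flush_reload.c` and run it on a bare-metal or VM x86 box; the printed string should match the constructed secret, with the occasional `?` on a noisy machine. The point to take from it is that the receiver never touches the secret: it only observes which of its own 256 lines became cached. Meltdown and Spectre differ in how they get the transmitter to execute on data it should not be able to read; the read-out is this.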
We know from the various announcements that Meltdown can escape virtual machine sandboxes in certain circumstances, particularly in Xen® paravirtual environments, where a PV guest can read hypervisor memory. AWS immediately patched its entire EC2 fleet against the hypervisor vulnerabilities.
Given this, the virtual machine sandbox holds against these attacks. Regardless of any OS patches inside the guest, other instances on the same physical hardware as your instances cannot read data inside your instances, and the isolation between virtual machines remains intact.
The remaining exposure for Meltdown is local: code already running inside the virtual machine can read kernel memory and, through the kernel's mapping of physical memory, the memory of every other process on that instance. This matters, but it is less severe than a sandbox escape or a remote exploit. If all of the applications running on the instance are trusted, the concern is less immediate; if any untrusted code runs there, it can read everything on the box. Meltdown is fixed by a recent kernel update that enables KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed), merged into Linux as Kernel Page-Table Isolation (KPTI), which unmaps almost all kernel memory from user-space page tables and so closes the local exploit path as well. On a patched Linux kernel, /sys/devices/system/cpu/vulnerabilities/meltdown reports "Mitigation: PTI".
Spectre is an entirely new class of vulnerability, and we expect more patches as the industry learns more about the attack vectors it enables; mitigations are arriving piecemeal as microcode updates, compiler changes and application fixes rather than as a single kernel patch. For now, the primary focus is on software that executes untrusted or sandboxed code, notably web browsers, which have responded by coarsening their timers and disabling SharedArrayBuffer to make the timing side channel harder to read.
Rackspace Onica’s team of security experts can help you apply emergency patches for Meltdown. We’ve worked with numerous companies in highly regulated markets, including the medical and financial industries. We identify security risks and take steps to ensure compliance across multiple mandates.
Contact us for a comprehensive security assessment to uncover vulnerabilities and security threats in your AWS environment.