google-site-verification: google30a059f9a075f398.html

Round-Up of News on Fixes and Mitigations for Your CPU Speculative Execution Issue

Are you hoping the Meltdown and Ghost Security issues could mean that Intel will buy you a shiny new computer after the chip recall?   ……   Sorry, it will not happen this event.

Intel discovered hundreds of millions of dollars in recycling Pentium processors after it discovered “FDIV errors” in 1994, a mistake that revealed a rare but true calculation error. Meltdown and Specter also have similar damage to Intel’s brand, with the company’s share price plunging more than 5%.. The fix is through vendors patches.

Meltdown & Specter

Two major security vulnerabilities in processors, dubbed Meltdown and Specter, were disclosed earlier this week by Google’s Project Zero team. With the ability to allow attackers to gain unauthorized access to sensitive information in memory, Meltdown and Specter represent a new class of microarchitectural attacks that use processor chip performance optimization features to exploit built-in security mechanisms.

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

Specter exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Specter are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

What is vulnerable?
Meltdown has the potential to affect every Intel processor that supports out-of-order execution; essentially all Intel processors since 1995.  Meltdown exploits the shared kernel-space mapping in the user-space virtual memory. Mitigating this vulnerability involves a technique known as Kernel Page Table Isolation (KPTI), which improves the isolation between kernel-space and user-space memory.

Specter, on the other hand, Events almost every system in existence: desktops, laptops, cloud servers, tablets, and smartphones. Specter has been exploited successfully on Intel, AMD, ARM, System Z, and Power 9 processors, among others. There is no single fix for this vulnerability, as it is at an architectural level, and mitigation requires fixes at each application level.

  • .
Variant 1: bounds check bypass (CVE-2017-5753)
This attack variant allows malicious code to circumvent bounds checking features built into most binaries. Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.
The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.
In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from userspace code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of the kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.

Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.
Variant 2: branch target injection (CVE-2017-5715)
This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.
Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.
In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use but has great potential power as it crosses arbitrary protection domains.
Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel’s IBRS microcode), or applying a software mitigation (e.g., Google’s Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.
Variant 3: rogue data cache load (CVE-2017-5754)
This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.
Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however, access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.
Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). Other operating systems/providers should implement similar mitigations.

Meltdown vulnerability impact:

  • Read arbitrary kernel memory from userspace application.
  • Fully virtualized machines are not affected (guest userspace application cannot read host user/kernel space memory)
  • Hypervisor escape is possible in para-virtualized environment (Xen, Docker, etc.)
  • Sensitive information disclosure and privilege escalation attacks, as the dumped memory may contain password hashes, private keys, etc.

Specter vulnerability impact:

  • Theoretically allows random access to the entire memory-space
  • Works across Virtual Machines
  • Practical PoC for user-space to user-space attacks exist at the moment
  • Harder to exploit than Meltdown
  • Leaking user-space module addresses and thus bypassing ASLR for further attacks is possible (remote code execution)

What may be impacted?

Two major security vulnerabilities disclosed by cybersecurity researchers Wednesday affected billions of devices. PCs, laptops, servers, virtualization software, cloud servers, and so on, are all impacted if they are running the vulnerable processor.

The defects, called Meltdown and Specter, affected the processing chips produced by Intel (INTC), AMD (AMD) and ARM Holdings. This means that you may be attacked if you use desktops, laptops, smartphones or cloud services from Apple (AAPL), Google (GOOGL), Amazon (AMZN) or Microsoft (MSFT).

  • Meltdown: All modern Intel x86 processors are vulnerable. Exploitation is theoretically possible on AMD and ARM, but not yet practically achieved.
  • Specter: Intel, ARM, AMD, System Z, and Power 9 processors.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.


Here is how companies are responding to revelations of the flaws, also referred to as “speculative execution side-channel attack” vulnerabilities.

As for Intel, all Intel processors released since 1995 are impacted by Meltdown, according to researchers. The company said Wednesday that OEMs will release relevant Intel firmware updates to address the issue. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said in a statement.

Microsoft said it was offering an out-of-band update for Windows, ahead of next week’s Patch Tuesday security update. “Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services,” the company said in a statement to its Security TechCenter.

Linux security patches, protecting against Spectre and Meltdown exploits, were pushed out last week. Thomas Gleixner, a Linux kernel developer, posted last month to the Linux Kernel Mailing List information about isolation patches called KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).

Mobile chip designer ARM said most processors designed by the company are not affected by Spectre. Those chips that are include: Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57-, Cortex-A17, and Cortex-A9.

Google addressed the issue on Wednesday stating: “We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”

Google said Android devices with the latest security update, released on Jan. 3, are protected. Google Chrome OS versions prior to 63 are not patched. Google added, “Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.” Google said its Google Cloud Infrastructure and Google App Engine require “no additional user or customer action.” Google Compute Engine customers have been informed the infrastructure is patched, but “customers much patch/update guest environment(s),” according to Google.

Amazon released a statement regarding the impact of Meltdown and Spectre stating: “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”

“While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin,” Amazon said.

Mitigation – Waiting for Intel and Chip Makers…

In order to protect the system from robot crashes and ghost attacks, a hardening technique called core page table isolation (KPTI) can be implemented. This technique allows you to isolate kernel space from user-space memory.

Intel confirmed that system builders have provided firmware and software updates to eliminate chip crashes and malicious attacks initiated in the past five years.

Customers will have to wait for the system manufacturer to distribute security patches for their affected products.

According to Intel, next weekend, the company will issue security patches for more than 90% of commercial chips in the past five years.

Project Zero discusses three variants of speculative execution attacks. There is no single fix for all three attack variants; each requires separate protection.

  • Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.
  • Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.
  • Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections – check with your vendor for specifics.

After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.

Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor Information Date Added
Amazon(link is external) January 4, 2018
AMD(link is external) January 4, 2018
Android(link is external) January 4, 2018
Apple(link is external) January 4, 2018
ARM(link is external) January 4, 2018
CentOS January 4, 2018
Chromium January 4, 2018
Citrix(link is external) January 4, 2018
Debian January 5, 2018
F5(link is external) January 4, 2018
Fedora Project January 5, 2018
Fortinent(link is external) January 5, 2018
Google(link is external) January 4, 2018
Huawei(link is external) January 4, 2018
IBM(link is external) January 5, 2018
Intel(link is external) January 4, 2018
Lenovo(link is external) January 4, 2018
Linux January 4, 2018
Microsoft Azure(link is external) January 4, 2018
Microsoft(link is external) January 4, 2018
Mozilla January 4, 2018
NVIDIA(link is external) January 4, 2018
OpenSuSE January 4, 2018
Red Hat(link is external) January 4, 2018
SuSE(link is external) January 4, 2018
Trend Micro(link is external) January 4, 2018
VMware(link is external) January 4, 2018
Xen January 4, 2018



More details about mitigations for the CPU Speculative Execution issue by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program ManagerYesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” — a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) — a general purpose technique for better protecting sensitive information in memory from other software running on a machine — to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.In our own testing,… More details about mitigations for the CPU Speculative Execution issue

Intel releases patches to mitigate Meltdown and Spectre attacks

Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts, Amazon, ARM, Microsoft and others have shared patch updates to keep customers informed on their mitigation efforts to protect against the far reaching Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide. … Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

If you like to receive more of these curated news alerts then subscribe to my mailing list. and come back soon at, and/or read additional CyberWisdom Commentaries.