What are the key differences between recently discovered hardware vulnerabilities Meltdown and Spectre? I know that they both rely on speculative execution, but how does they differ from each other?
Dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), these hardware bugs can allow malicious programs to steal data from the memory of other programs, potentially putting a wide variety of sensitive information such as stored passwords, crypto-keys, and files at risk.
What are Meltdown/Spectre? 'Meltdown' and 'Spectre' are two related, side-channel attacks against modern CPU microprocessors that can result in unprivileged code reading data it should not be able to. Most devices - from smartphones to hardware in data centres - may be vulnerable to some extent.
The security vulnerability was called Meltdown because "the vulnerability basically melts security boundaries which are normally enforced by the hardware." On 8 October 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.
In March 2018, Intel announced that they had developed hardware fixes for Meltdown and Spectre-V2 only, but not Spectre-V1. The vulnerabilities were mitigated by a new partitioning system that improves process and privilege-level separation.
What are the key differences between recently discovered hardware vulnerabilities Meltdown and Spectre?
The Spectre attack has two flavors. The most dangerous flavor of Spectre uses branch misprediction and cache side effects to read any byte in current process virtual memory. It works on a variety of processors, including mobile phones, tables, etc.
So, why can't we just read any byte in current process, without any Spectre? Why Spectre is dangerous? There are variety of languages which create sandboxes (JavaScript) or virtual machines (Java) to isolate local machine from potentially dangerous code you downloaded from Internet.
Due to Spectre, there is no such isolation anymore, so JavaScript downloaded from a website can read any data within browser. Potentially, there might be some passwords, credit card numbers and other sensitive information.
Meltdown is a hardware issue on some processors (Intels, some ARMs, some IBM POWERs), which read memory and check privileges in parallel. This opens a possibility to read memory you have no privilege to access to. For example, user process is able to read kernel memory due to Meltdown.
Why Meltdown is dangerous? Kernel stores encryption keys, passwords or even physical pages of other processes, which due to Meltdown potentially could be read from any user process in the system.
The key difference between Spectre and Meltdown is that due to Spectre you can read or trick other processes to leak memory on the same privilege level, using Meltdown you can read memory you have no privileges to access.
Here is my Linux Spectre-Based Meltdown (i.e. 2-in-1) proof of concept in just 99 lines of code:
https://github.com/berestovskyy/spectre-meltdown
It allows to read kernel space (i.e. Meltdown) using bounds check bypass (i.e. Spectre).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With