12/29/2023 0 Comments Spectre meltdown![]() First, the attacks both require tailoring of the exploit to the victim’s unique digital environment. The Meltdown attack only affects Intel CPUs ( Meltdown Whitepaper). Only a subset of architectures and models are tested to be vulnerable ( Spectre Whitepaper). The Spectre attack affects CPUs from Intel, AMD and ARM. The threat actor would use a side channel attack to recover the sensitive data on the cache ( Meltdown Whitepaper). The transient transactions would access an attacker-chosen memory location which is inaccessible to the attacker and it is eventually stored in the cache. Out-of-order execution is used to maximize CPU performance by executing instructions down the stream of the program ahead of time. Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection Meltdown exploits out-of-order executionsĢ. However according to Meltdown Whitepaper, it is distinct in two different ways:ġ. ![]() Similar to Spectre, Meltdown is another class of microarchitecture attack. Side channel attacks are not new and have been present for a period of time. A malicious program could subsequently read the sensitive data from the cache through a side channel attack ( Spectre Whitepaper). The state of the microarchitectural parts of the CPU are not reverted and sensitive data could be stored in the cache. However, not all the changes from the incorrect speculative execution are reverted. In the event of an incorrect prediction, the CPU is designed to revert the results of an incorrect speculative execution on their prior state to maintain correctness, these errors were previously assumed not to have any security implications ( Spectre Whitepaper). The branch prediction function of the CPU predicts the decision and perform speculative execution of operations ahead of time to maximize performance. The CPU may be unable to evaluate and determine which decision to take due to insufficient data available. Spectre attacks induce a victim to speculatively perform operations that would not occur during correct program execution and leaks the victim’s sensitive information via a side channel to the adversary.ĭuring the normal execution of a program, operations are expected to be executed in a linear fashion until a decision needs to be taken. Thus, this post aims to provide a risk profile of the vulnerabilities and the considerations to strategize and manage the risks from an independent perspective. Organizations would need to protect themselves from such potential attacks, and provide safety assurance to their customers. The first impression of the scale and implications of the vulnerabilities can be terrifying as these are flaws on the hardware - stemming from the CPU which affects computing systems that resides in many mundane electronics such as personal computers, smartphones ,and even on Internet servers that are running various services and applications. As the white papers ( Spectre, Meltdown) have only recently been published and the research work is not fully matured, there will likely be future updates. Meltdown was independently discovered, and subsequently reported by researchers from three teams : Google Project Zero, Cyberus Technology and Graz University of Technology. Spectre was reported by two independent people - Jann Horn from Google Project Zero and Paul Kocher. This includes passwords, credit card numbers and other sensitive data like social-security numbers. On the first week of 2018, the Spectre ( CVE-2017–5753 and CVE-2017–5715) and Meltdown ( CVE-2017–5754) attacks were publicly released on the Meltdown Attack site that discloses major vulnerabilities affecting nearly all modern CPUs that would allow applications to read sensitive data processed on a computer. Image taken from under Creative Commons 1.0 (CC0)Īt the heart of a computing system, the Central Processing Unit (CPU) executes code required by applications that are used by billions of people.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |