How the Meltdown Vulnerability Fix Was Invented

Researchers in Austria came up with a countermeasure before they even knew the attack existed

3 min read

Samuel K. Moore is IEEE Spectrum’s semiconductor editor.

An orange shield melting.
Illustration: Natascha Eibl

This post was updated 5 January to include links to AMD’s and Apple’s statements.

A major security flaw has surfaced that’s thought to affect all Intel microprocessors since at least 2011, some ARM processors and, less so, AMD processors. Unusually, the exploits, called Meltdown and Spectre, take advantage of the processors’ hardware rather than a software flaw, so they circumvent security schemes built into major operating systems.

Makers of those operating systems are racing to roll out a fix to Meltdown, which is the easier exploit to pursue, according to The Register, which first reported the effort Tuesday. The operating system redo will almost certainly lead to performance reductions in some systems during certain uses. But the fact that there’s a fix at all is largely due to security researchers at the Graz University of Technology, in Austria, who were unaware of the vulnerability until last month.

Daniel Gruss and his Graz colleagues specialize in side-channel attacks, ways to exploit systems using the data gleaned from the physical implementation of a system rather than a software flaw. In 2016 they examined ways to harden the core of an operating system—the kernel—against such attacks, and came up with a scheme they called KAISER. KAISER prevents the computer processes of user applications from managing to get at kernel memory spaces—which might, for instance, give someone access to your log-in information or a cryptographic key you’d like to keep safe. It does so by strictly separating kernel memory spaces in the processor cache. That might sound simple, but the peculiarities of the x86 architecture, on which most PC and server processors are based, make it a nontrivial task. They published a paper on it in July 2017.

“We thought it would be a good countermeasure for generally hardening systems,” Gruss tells Spectrum. But there was no particular exploit it was defending against. “It’s good design, and if you have a good design for something, it will protect you.”

Then things got weird. “Starting in October we heard of some effort by Intel to merge a KAISER patch into the upstream kernel, which surprised us,” he says. “We weren’t aware of any attacks.” They then got wind of Amazon working on an implementation and became more suspicious. “We thought there must be something.”

At some point they stumbled across a posting by Anders Fogh. He had attempted to read protected kernel data using a quirk of how modern processors keep busy while waiting for slow compute processes to get their data. In such situations processors perform speculative execution. That is, they start working on what they expect should be the next task, discarding the result if they guessed wrong. Fogh couldn’t get the attack to work, but Gruss’s colleagues Michael Schwarz and Moritz Lipp did.

Together with researchers from Rambus, University of Adelaide, University of Pennsylvania, and Cyberus Technology, they formalized the attack, calling it Meltdown. On a website devoted to the attack they say: “Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”

A related attack, which they call Spectre, is potentially wider reaching because it “breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets,” according to the website.

Unfortunately, KAISER is not a general fix for Spectre, which thankfully is trickier to pull off than Meltdown.

There’s been some concern about whether KAISER will slow computers down and by how much. Gruss and his colleagues tested it on an Intel Skylake processor and saw less than a 1 percent performance loss. However, they’ve seen bigger numbers on older processors, and the performance varies depending on what the processor is doing. For example, a program that needs to deal with large amounts of small files will likely see a slowdown because it has to interface with the kernel frequently, says Gruss.

Intel seems to agree, saying, “Any performance impacts are workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.”

Emails seeking comment from AMD were not returned by press time. But it has since posted a statement saying that architectural differences make its processors immune to Spectre. (AMD refers to it by its more official names “branch target injection” and “bounds check bypass.”) It says OS patches will keep its products safe from Meltdown.  

Google, which discovered the issue independently, has listed what’s vulnerable, what’s not, and how to fix things in a blog post.

ARM says some of its high-end Cortex A processors are vulnerable, but that its Cortex-M products—heavily used in low-power IoT systems—are not. The full list and some technical details are here.

Intel’s statement is here.

Apple weighed in here. 

The Graz group’s website has a paper devoted to Meltdown, Spectre, and KAISER.

And here, thanks to the gang at Graz, is Meltdown in action:

And here it is stealing passwords:

This post was updated 5 January to include links to AMD’s and Apple’s statements.

The Conversation (0)