The Meltdown and Spectre vulnerabilities shook the world when they were revealed earlier this month. Since then, the cybersecurity workforce has become very familiar with the part of the CPU architecture impacted by the vulnerabilities.

There have been numerous articles, proof-of-concept codes and wild speculations of just how far hackers can go. So, just how far can they go?

Speculative execution
A CPU may execute some code ahead of time in a program to save time. Consider the pseudo-code below.

if a < b {

array c[illegal memory location]

}

Bloomberg Photo

During speculative execution, normal operation restraints that would prevent this program from accessing this memory are not in place, so this line of code is called and the results are stored in the processor’s cache memory. Once the processor realizes that this code will not be executed, it discards everything but the cache changing the micro-architectural environment and opening up the way for a side channel attack to exfiltrate the illegally accessed information.

Side channel attacks
Because the cache is not flushed, information held within it will be recalled faster. By using timing and specific block sizes of the array, a second program can be utilized to discover what is held within the cache.

What’s accessible?
It is theorized that most modern CPUs are susceptible to these attacks, but what exactly does that entail? If a hacker has access to kernel, physical, or user space memory, what information can be leaked?

The short answer is, most things. A kernel temporarily stores passwords, encryption keys and a variety of sensitive data at some point in its lifecycle. User programs such as web browsers and mobile apps process a cornucopia of personal information at any given time. All of these processes utilize data that touches physical memory at some point – which is to say, almost everything that modern devices do is susceptible.

However, for hackers to utilize this exploit, they would have to first gain access to the device via a primary exploit (physical or remote) and utilize Spectre or Meltdown as a secondary exploit for escalation of access.

As with most vulnerabilities, the best way to know if it works and how well is to test it on your system.

Our test setup included the following:

  • OS: Linux Kernel 4.10.0-42 KASLR Enabled
  • Processor: Intel i7-6500U
  • Code: Institute of Applied Information Processing and Communications (IAIK) POC Code

Part of this POC code consists of executing a binary that created a string of characters and stored it in a location of memory. This memory address is then presented to the user. A second program is run to attempt to utilize the Meltdown exploit in order to read this location of memory.

The results were mixed and unsettling. Sometimes the exploit code was able to read complete strings from memory, and sometimes it was not. The process can be slow and inaccurate, but it was able to effectively access memory that it should not have.

It should be pointed out that this attack is highly technical and requires specific timing and knowledge of the victim’s device. A special kernel module was needed to supply the exploit code with the specific memory space before a successful attack could be competed. This, of course, required root privilege on the devices beforehand.

If an attacker is after a specific piece of data from a device, the attack can be done, but it’s not easy. As with most vulnerabilities, one is taking something that is inherently broken and attempting to purposefully break it more and bend it to do what we want it to do. But hackers, whether nefarious or not, are incredibly intelligent, patient and creative people. Where there is a will, there’s a way.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access