5W1H: Speculative Side Channel Vulnerabilities De-mystified

Pablo Ramos

<p>The classes of vulnerabilities that brought us Meltdown and Spectre are not going away anytime soon. Here’s what you need to know about Speculative Execution vulnerabilities, with our guidance on steps you can take to reduce your risk.</p>
<p>Spectre and Meltdown generated a lot of confusion and discussion in the security world when they first hit the news. Understanding the risks associated with speculative execution vulnerabilities will help organizations prioritize and communicate effectively about their exposure. In this post, we present what it is known, how it affects companies and ways to stay ahead in the game.</p>
<h2>Start from the beginning…</h2>
<p>Speculative Execution is a technique used to enhance processor performance by anticipating which instructions will be required in advance. <a href="https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Ana... to Intel</a>, this helps minimize latency and extract greater parallelism, thereby leading to performance gains.The boost in performance comes with a tradeoff: results will be discarded if they are not needed. The technique is used by various microprocessor vendors including Intel, AMD and ARM.</p>
<p>While academic papers dating back to 1985 have covered theoretical attacks on CPU caches and translation lookaside buffers (TLBs), <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1519780#c0">rumors</a> about the existence of vulnerabilities in the wild that leveraged Speculative Execution began surfacing in late 2017. However, the real saga began publicly on January 3, 2018 when a blog post from <a href="https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory...’s Project Zero Initiative</a> detailed their findings. <a href="https://www.tenable.com/blog/the-first-major-security-logos-of-2018-spec... ">Spectre and Meltdown were unleashed to the public</a> just as people were coming back from their New Year holiday. The reports included three variants of the vulnerabilities: CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2) for <a href="https://spectreattack.com/spectre.pdf">Spectre</a> and CVE-2017-5754 (Variant 3) for <a href="https://meltdownattack.com/meltdown.pdf">Meltdown</a>. </p>
<p>This mega-event sparked a huge discussion in the community for various reasons: the impact of the vulnerabilities themselves; the number of vendors affected directly and indirectly at various levels of the supply chain; the sheer number of systems impacted worldwide; and the mammoth task of getting these systems updated (if at all possible). Clearly, Pandora’s box had been opened and there was no going back. Pundits predicted (accurately!) we would see more of these in the months and years to come. </p>
<p>In late May 2018, two more vulnerabilities were discovered and reported by <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-s... and Google</a>. These were tagged Variant 3A (CVE-2018-3640) and Variant 4 (CVE-2018-3639). The <a href="https://www.tenable.com/blog/spectre-and-meltdown-still-haunting-intelamd ">fourth variant</a> presented a new method for leaking information from a system and could be exploited from a browser, thereby enhancing the ease of exploitation. These variants are part of eight additional Spectre-class flaws provisionally named Spectre-NG. </p>
<p>Soon to follow were other flaws from the Spectre-NG class: Lazy FP State Restore (CVE-2018-3665); Bounds Check Bypass Store (BCBS) aka Spectre 1.1 (CVE-2018-3693); Spectre 1.2; ret2spec (aka Spectre v5); and SpectreRSB (Return Stack Buffer).</p>
<p>In July 2018, <a href="https://mlq.me/download/netspectre.pdf">NetSpectre</a> surfaced and changed the scope in terms of exploitability of the Spectre family: a remote attack was now possible. By virtue of this new vulnerability, reported by researchers of the Graz University of Technology, an exposed Network Interface or API would be enough for an attacker to execute the remote side-channel attack. NetSpectre is capable of leaking information from the target system and even though the rate of transmission is low (around 15 to 60 bits per hour in a local network) it is still proof that novel variations of speculative execution can target a broad range of devices.</p>
<p>Most recently, on August 14, a new set of vulnerabilities dubbed <a href="https://foreshadowattack.eu/">Foreshadow</a> and Foreshadow-NG were made public. The new set of vulnerabilities exploiting a <a href="https://www.tenable.com/blog/foreshadow-speculative-execution-attack-tar... attack causing a L1 Terminal Fault</a> could affect processors, Virtual Machines and Cloud environments. These vulnerabilities can be triggered when accessing a linear or logical address that is not mapped to a physical location on the hardware resulting in a Terminal Fault. </p>
<h2>So what difference does it make?</h2>
<p>Spectre and Meltdown opened a broad discussion in regards to the current state of security and their implications. With the remarkably large number of systems vulnerable to speculative execution attacks, and the closing gap between Proofs of Concepts and <a href="https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectr..., it’s imperative for security teams and companies collaborate to keep an eye on and be aware of the evolution of these threats.</p>
<p>Speculative Execution vulnerabilities not only affect microprocessor manufacturers, but the whole security community. Some of the discovered vulnerabilities will not be fully patched until new architectures are developed and deployed, which will take a few years to happen. More vulnerabilities will be discovered in the upcoming months and years expanding on the current attack vectors. </p>
<h2>Why is this important?</h2>
<ul><li>The Spectre and Meltdown vulnerabilities affect a very large number and wide range of devices, including computers, mobile devices and servers. Given the widespread nature, it is certain all affected systems will never be actually patched. </li>
<li>These classes of vulnerabilities are not going away anytime soon. While some of these vulnerabilities have been mitigated by software patches provided by different vendors, this has come at the cost of performance, and, in some cases, holistic fixes have required architectural changes.</li>
<li>New, but related vulnerabilities will be discovered, unveiling novel types of attacks that might not be possible to patch via software alone.</li></ul>
<h2>What you can do…</h2>
<p>Keeping up to date with information on new vulnerabilities and mitigating them via software patches or microcode provides a first line of defense. </p>
<p>Knowing how you are exposed can help to manage and mitigate risks associated with vulnerabilities. By visualizing, analyzing and measuring cyber risk, one can confidently manage and reduce it to an acceptable level. </p>
<p>Security teams must become proactive to close the gap between the publication of a new vulnerability and becoming aware that it is present in their ecosystem. As per <a href="https://www.tenable.com/cyber-exposure/attackers-advantage">Tenable Research’s report</a> on the Attacker’s Advantage, 34% of the analyzed vulnerabilities had an exploit available on the day they were disclosed. Teams willing to protect their organization’s infrastructure can be a step ahead of the curve and reduce the seveday window of opportunity attackers have to exploit a given vulnerability. </p>
<p>On our part, we will keep you updated on the saga of speculative side channel vulnerabilities as things evolve. Stay tuned! </p>
<h2>Learn more:</h2>
<ul><li><a href="https://www.darkreading.com/attacks-breaches/new-side-channel-attacks-ta... Side-Channel Attacks Target Graphics Processing Units</a></li>
<li><a href="https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-... CPUs impacted by new PortSmash side-channel vulnerability</a></li></ul>
<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

Read more >

Published on Nov 15, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.