Understanding the Meltdown Attack

Jan 5, 2018 security 2018
Share on:

This month, security researchers released a whitepaper describing the Meltdown attack, which allows anyone to read the full physical memory of a system by exploiting a vulnerability in Intel processors. If that sounds bad, that’s because it is. It means that if you’re running workloads on a public cloud provider, and you don’t have a dedicated server, an attacker can read what your workloads are putting into memory. This includes passwords, private keys, credit card numbers, your cat’s middle name, etc.

How Meltdown works

As a way of eking out every ounce of speed, modern processors perform out-of-order execution. Rather than executing a program one instruction at a time, the processor fetches multiple instructions at once and places them in an instruction queue. It then executes each instruction as soon as possible (and usually out-of-order) and stores each instruction’s output (if there is any) in a cache.

Now here’s the kicker. An instruction can do nasty things. Out-of-order execution runs instructions that the program isn’t allowed to run. Take the following assembly instruction:

1; rcx = kernel address
2 mov al, byte [rcx]

This copies one byte of data from the kernel memory and places it in a temporary portion of CPU memory, called a register. With in-order processing, the CPU would not allow this instruction to execute.

But with out-of-order execution, the CPU does execute the instruction, and it stores the resulting byte value in a temporary cache. The CPU then raises an exception and terminates the program.

But the byte value is still stored in the cache. This is where the flaw in Intel’s microcode lies. The CPU should clear the cache as soon as the exception is raised. But it doesn’t. It leaves it there, vulnerable to another type of side-channel attack called a cache attack.

Cache attacks have been around for years, and there are several different types which an hacker can use in conjunction with Meltdown to figure out the data stored in cache. For a great explanation of how these attacks work, check out Bert Hubert’s article on Spectre and Meltdown. It’s trivial for an attacker to pull one off, quickly.

Only Intel Processors were Shown to be Vulnerable

The researchers were not able to duplicate the results on AMD or ARM processors, which also use out-of-order execution. They speculate that they theoretically could, but they were not able to at the time they released the paper. You certainly shouldn’t assume that all non-Intel processors are immune to Meltdown.

Disabling out-of-order execution isn’t the answer

In order to be effective, the Meltdown attack depends on out-of-order execution as a necessary but not sufficient condition. Thus, simply having out-of-order execution enabled is not enough to make Meltdown possible. Disabling out-of-order execution does prevent Meltdown, but the performance impact is substantial.

What about Spectre?

Spectre is not the same as Meltdown. Although Spectre works against all CPUs, including Intel, AMD, and ARM, pulling off a Spectre attack is trickier. But both are equally bad and rely on out-of-order execution, which is why you usually see them lumped together.

You don’t need to replace your hardware

You don’t need to replace your hardware, and anyone who says you do is probably trying to tell you something. Now for the obvious part. To mitigate Meltdown and Spectre, install the latest security patches for your operating system, BIOS, and CPU firmware — after sufficient testing, of course.