TRANSCRIPT
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment
Orin Thomas @orinthomas
Jeff [email protected]
In this session …
• Vulnerability types
• Spectre
• Meltdown
• Spectre Vs Meltdown
• Impact on IT Operations
Types of vulnerabilities
• Application vulnerabilities
  • Application can be exploited
  • Fixed by vendor update
• OS vulnerabilities
  • OS & applications can be exploited
  • Fixed by vendor update
• Hardware vulnerabilities
  • May require OS fix
  • May require firmware update to hardware
  • May be unfixable
Spectre: What is it?
• Given the name because
  • The root cause is “speculative execution”
  • Isn’t easy to fix
  • Will haunt the industry for some time
Spectre: What is it?
• Class of vulnerabilities that impacts Intel, AMD, ARM-based and IBM processors
  • CVE-2017-5753 (Bounds check bypass, Spectre V1)
  • CVE-2017-5715 (Branch target injection, Spectre V2)
• Spectre NG
  • CVE-2018-3640 (Rogue system register read)
  • CVE-2018-3639 (Speculative store bypass)
  • CVE-2018-3665 (Lazy FP state restore)
Spectre: How it works
• Vulnerabilities are based on exploiting side effects of speculative execution
  • Common method of hiding memory latency to speed up execution in modern processors
• Related to branch prediction, a special case of speculative execution
Spectre: How it works
• Tricks an application into accessing arbitrary locations in the program’s memory space
• Allows attacker to read content of accessed memory and perhaps access sensitive data
• Does not rely on a specific feature of a specific processor’s memory management and protection system
Spectre Exploits
• Just-In-Time engines used for JavaScript can be vulnerable
  • Allows a website to read data stored in the browser’s memory for another website, or the contents of the browser memory
• Remotely exploitable through unpatched browsers
• Local malicious code can also exploit Spectre vulnerabilities
Meltdown: What is it?
• CVE-2017-5754 (Rogue Data Cache Load)
• Hardware vulnerability impacting Intel x86, IBM POWER processors and some (not all) ARM processors
  • Does not impact AMD processors
• Allows rogue process to read all memory regardless of whether process is authorized to do so
Meltdown: How it works
• Exploits race condition in modern CPUs that occurs between memory access and privilege checking during processing of instructions
• Allows process to bypass privilege checks that isolate data belonging to the OS or other processes running on the host
Meltdown: How it works
• Unauthorized process can read data from any address mapped into the current process’s memory space
• Most OSes map RAM, kernel processes and other running processes into the address space of every process
• Means that memory from almost everywhere can be read by a rogue process exploiting Meltdown
Spectre Vs Meltdown
• Attackers can use Spectre to manipulate processes into revealing data
• Attackers can use Meltdown to read privileged memory which the process itself may not normally be able to access
Impact on IT Ops: Mitigation
• No single patch for Spectre, it is a class of attack
• Mitigations for Spectre and Meltdown have performance impacts
  • Spectre: 2-14%
  • Meltdown: 5-30%
Impact on IT Ops: Spectre Mitigation
• Windows
  • CVE-2017-5753: Recompile with new compiler, harden browser to prevent JavaScript exploit
  • CVE-2017-5715: New CPU instructions that control branch speculation, delivered through a firmware update
  • CVE-2018-3640, CVE-2018-3639, CVE-2018-3665: CPU firmware update
• Latest versions of browsers are hardened
  • Chrome, Edge, Firefox
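The bounds-check-bypass gadget behind CVE-2017-5753 (the "Spectre: How it works" slides) and the index-masking fix that "recompile with new compiler" refers to, as an added C example that is not from the slides. The function names, sample data and the 512-byte stride are constructed for the demonstration; the empty inline asm barrier uses GCC/Clang syntax.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data for the demonstration (not from the slides). */
#define ARRAY1_SIZE 16
#define STRIDE 512          /* spreads each byte value over its own cache line */
static const uint8_t array1[ARRAY1_SIZE] = {
    9, 3, 7, 42, 1, 8, 5, 6, 2, 4, 11, 13, 17, 19, 23, 29 };
static uint8_t array2[256 * STRIDE];

/* Fill array2 so that array2[v * STRIDE] == v: the value read back tells the
 * caller which array2 line a lookup touched. */
void init_tables(void) {
    for (size_t i = 0; i < sizeof array2; i++) array2[i] = (uint8_t)(i / STRIDE);
}

/* Unhardened bounds-check-bypass gadget (Spectre V1, CVE-2017-5753).
 * Architecturally an out-of-range x returns 0, but if the branch predictor
 * guesses "in bounds" the CPU speculatively loads array1[x] from beyond the
 * array and pulls the array2 line selected by that byte into the cache. The
 * result is squashed; the cache footprint is not. */
uint8_t lookup_unhardened(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branchless index mask: all ones when index < size, zero otherwise. This is
 * the style of fix a Spectre-aware compiler or a hand patch inserts. The empty
 * asm (GCC/Clang syntax) stops the optimizer from proving index < size from
 * the preceding check and folding the mask away. */
size_t index_mask_nospec(size_t index, size_t size) {
    __asm__ volatile("" : "+r"(index));
    /* size - 1 - index wraps and sets the top bit exactly when index >= size */
    size_t out_of_range = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;    /* 0 - 1 wraps to SIZE_MAX; 1 - 1 is 0 */
}

/* Hardened form: the load index is clamped to 0 by arithmetic, not by a branch,
 * so even a mispredicted bounds check cannot steer array1[...] out of range. */
uint8_t lookup_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        size_t safe_x = x & index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[safe_x] * STRIDE];
    }
    return 0;
}
```

Both functions return the same values for every in-range and out-of-range x; the difference is only in what the CPU may do speculatively before the bounds check resolves.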
Impact on IT Ops: Meltdown Mitigation
• Mitigate by isolating kernel and user mode page tables
  • Requires update to OS kernel code
• Patches on Windows OS incompatible with 3rd party AV software that uses unsupported kernel calls
  • OS won’t update unless 3rd party AV sets special registry key indicating that update will not break system
• Does not require CPU firmware update
Spectre & Meltdown: The Future
• CPUs being redesigned so that these exploits are mitigated
• Speculation that these CPUs will not perform as well as vulnerable CPUs because of the mitigations
• Existing systems and hardware vulnerable unless patched
Netwrix Auditor
A visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations, and access in hybrid IT environments. It provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage.
Netwrix solutions
• Data Access Governance
• Privileged User Activity Tracking
• Alerts on Suspicious Activity
• Using Behavior Anomaly Discovery
• User Activity Video Recording
• Restore of Deleted Active Directory Objects
Product Demonstration
Brought to you by
Thank You for Attending