Meltdown/Spectre and other chip-related resources

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

This was originally a one-off blog article relating strictly to Meltdown/Spectre-related issues: now  expanded and to be maintained (when time allows) here as a ‘live’ resource. While those vulnerability issues aren’t likely to go away immediately and apply across a wide range of platforms, I’ve also been adding chip/CPU/GPU info that are of interest but not directly related. However, I don’t promise any in-depth commentary: rather, links to articles and resources that might be useful. Where I can’t resist commenting at length, it will be in an article on this site, though it may be reproduced or just linked to on this page. NB: as I’m no longer working in the security industry, additions to this page will be the exception rather than the rule.

Index

  • News and General Resources
    • Webkit
    • PoCs (Proofs of Concept)
    • Skyfall/Solace
  • Security Company Commentary
    • ESET Resources
    • G-Data Resources
    • Checkpoint Resources
    • Trend Micro Resources
  • Affected Companies
    • Apple
    • Google/Android
    • IBM
    • Intel
    • AMD
    • Microsoft/Windows
  • ICS/SCADA

News & General resources

[19th February 2019]

TechBeacon: Google: ‘Spectre can’t be fixed.’ Panic now?

Software alone can’t save us from Spectre-class vulnerabilities in modern CPUs. That’s the scary conclusion from a bone-dry research paper penned by Google engineers.”

Commentary curated by Richi Jennings.

[11th December 2018]

The Register: In case you’re not already sick of Spectre… Boffins demo Speculator tool for sniffing out data-leaking CPU holes – “First proof-of-concept, SplitSpectre, requires fewer instructions in victim”

[18th November 2018]

The Register: Another Meltdown, Spectre security scare: Data-leaking holes riddle Intel, AMD, Arm chips – “CPU slingers insist existing defenses will stop attacks – but eggheads disagree [….] “‘Speculative execution’ is often falsely used as an umbrella term…” they explain in a paper distributed through ArXiv on Tuesday.””

Danny Bradbury for Sophos: PortSmash attack steals secrets from Intel chips on the side – “The proof of concept code, called PortSmash, comes from researchers at Finland’s Tampere University of Technology and the Technical University of Havana, Cuba. It uses a category of exploit called a side channel attack, in which one program spies on another as it runs.”

[19th October 2018]

The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”

[10th October 2018]

Thomas Claburn for The Register: Intel’s commitment to making its stuff secure is called into question – ‘In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel’s Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel’s statement “a blatant lie.”‘

[4th October 2018]

Thomas Claburn for The Register: Apple forgot to lock Intel Management Engine in laptops, so get patching
“In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.”

[28th August 2018]

The Register: Linux 4.19 lets you declare your trust in AMD, IBM and Intel – “Wave the the CPU trust flag if you’re feeling safe enough….When random number generation is insufficiently random, encryption based on such numbers can be broken with less effort.”

[21st August 2018]

The Register: Fix for July’s Spectre-like bug is breaking some supers – “RDMA-Lustre combo swatted, HPC admins scramble”

[20th August 2018]

Foreshadow web page resource:

[17th August 2018]

Dave Lee for the BBC: Foreshadow’ attack affects Intel chips – “Researchers have found another serious security flaw in computer chips designed by Intel…Nicknamed Foreshadow, this is the third significant flaw to affect the company’s chips this year.”

For more details, see the advisory on Intel’s web site. Also:

The Register: Three more data-leaking security holes found in Intel chips as designers swap security for speed “Apps, kernels, virtual machines, SGX, SMM at risk from attack…The operating system and hypervisor-level flaws – CVE-2018-3620 and CVE-2018-3646 – were discovered by Intel’s engineers after they were tipped off about CVE-2018-3615, the SGX issue, by the university researchers.”

Thomas Claburn for The Register: The off-brand ‘military-grade’ x86 processors, in the library, with the root-granting ‘backdoor’ – “Dive into a weird and wonderful ‘feature’ of Via’s embedded hardware chips … A forgotten family of x86-compatible processors still used in specialist hardware, and touted for “military-grade security features,” has a backdoor that malware and rogue users can exploit to completely hijack system

[27th July 2018]

  1. A paper from the University of Graz offers a disquieting alternative view, suggesting that Spectre attacks aren’t necessarily dependent on code being executed locally. The paper NetSpectre: Read Arbitrary Memory over Network demonstrates “a generic remote Spectre variant 1 attack … the first access-driven remote Evict+Reload cache attack over network”.Admittedly, a side-channel attack that leaks 15 bits an hour doesn’t sound all that impressive, though the researchers also claimed that “Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system.”  For the Register, Thomas Claburn points out that this might not be as bad as it sounds, in that “it could take days to find and gather privileged information such as an encryption key or authentication token.”According to Claburn, Intel are playing it cool: “”NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate…” Claburn interprets this as meaning that “Essentially, if you’ve updated your code and applications to mitigate previous Spectre exploits, you should be safe from NetSpectre.”
  2. Researchers in the US also have a new Spectre attack to pique our interest. Here’s the research in question: Spectre Returns! Speculation Attacks using the Return Stack Buffer from the University of California, Riverside. “In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.”Commentary from Bleeping Computer (Catalin Cimpanu): Researchers Detail New CPU Side-Channel Attack Named SpectreRSB.
  3. The Register cites an instance where the medicine could do with a spoonful of sugar: Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It’s slower, say boffins – “MIT Lincoln metalheads broke big iron so you don’t have to… oh, you still have to, don’t you?…network connections, disk accesses, and computational workloads can all be affected by the fixes, whether in the operating system or the microcode.”
  4. Also from Bleeping Computer: Academics Announce New Protections Against Spectre and Rowhammer Attacks – “Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.”
  5. Maybe the sky is falling after all. In a paper dramatically entitled Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers, Eurecom researchers they present “a new side channel that affects mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. … the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU. The well-known electromagnetic (EM) leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna.”Commentary by Richard Chirgwin for The Register: Boffins: Mixed-signal silicon can SCREAM your secrets to all – “‘Screaming Channels’, a side-channel baked into off-the-shelf Wi-Fi, Bluetooth silicon.”

[15th July 2018]

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

[11th July 2018]

The Register: Another Spectre CPU vulnerability among Intel’s dirty dozen of security bug alerts today – “Chipzilla preps for quarterly public patch updates”

[29th June 2018]

Catalin Cimpanu for Bleeping Computer: Some Spectre In-Browser Mitigations Can Be Defeated “According to research published by Aleph Security … researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser’s protected memory … their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari.” (But not Firefox, apparently.)

[27th June 2018]

Ars Technica: Hyperthreading under scrutiny with new TLBleed crypto key leak – “A new attack prompted OpenBSD’s developers to disable hyperthreading by default…developers on OpenBSD—the open source operating system that prioritizes security—disabled hyperthreading on Intel processors.

The Register: Meet TLBleed: A crypto-key-leaking CPU attack that Intel reckons we shouldn’t worry about – “How to extract 256-bit keys with 99.8% success…Intel has, for now, no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications.”

Bleeping Computer: Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless – “Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint. WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.”

[16th June 2018]

1.

Lawrence Abrams for Bleeping Computer: New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs – ‘According to Intel this new vulnerability affects all Intel Intel Core-based microprocessors and is a bug in the actual CPU, so it does not matter what operating system the user is running. It could be Windows, Linux, BSD, or any other operating running an an Intel Core-based CPU and using “Lazy FPU context switching”.’

2.

The Register: Intel chip flaw: Math unit may spill crypto secrets to apps – modern Linux, Windows, BSDs immune – “Malware on Cores, Xeons may lift computations, mitigations in place or coming … In short, the security hole could be used to extract or guess at secret encryption keys within other programs, in certain circumstances, according to people familiar with the engineering mishap.”

3.

The Register: Boffins offer to make speculative execution great again with Spectre-Meltdown CPU fix – “Good thing too because Intel’s planned chip changes may break Google’s Retpoline”

“In a paper distributed this week through the ArXiv preprint server, “SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation,” computer scientists from University of California, Riverside, College of William and Mary and Binghamton University describe a way to isolate the artifacts produced by speculative execution so that they can’t be used to glean privileged data.”

[6th June 2018]

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

[1st June 2018]

The Register: Arm emits Cortex-A76 – its first 64-bit-only CPU core (in kernel mode) – “Apps, 32 or 64-bit, will continue to run just fine as design biz looks to ditch baggage … Linux and Android, Windows, and other operating systems built for this latest Cortex-A family member are being positioned, or are already positioned, to work within this 64-bit-only zone.”

Also from The Register: Spectre-protectors: If there’s something strange in your CPU, who you gonna call? “Ghostbusters in Chrome 67 stop Spectre cross-tab sniffs and more … Enhanced Spectre-protectors will soon come to the Chrome browser … and upgrades for Windows, Mac and Linux have started to flow.”

[May 30 2018]

Interesting paper: Post-Spectre Threat Model Re-Think

[26th May 2018]

[12th May 2018]

[5th May 2018]

The Register: Fresh fright of data-spilling Spectre CPU design flaws haunt Intel – “Chipzilla checking fresh set of CVEs in chip side-channel flaw”

And ESET’s resource article has been updated again: Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

[3rd May 2018]

Hilbert Hagedoorn for The Guru of 3-D: Eight new Spectre Variant Vulnerabilities for Intel Discovered – four of them critical

The Register: Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores – “Sneaky processors look to keep lid on sensitive IoT data”

ESET: further updates to Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

[27th April 2018]

Kaspersky Threat Post: MICROSOFT ISSUES MORE SPECTRE UPDATES FOR INTEL CPUS – “Microsoft has released additional Windows 10 mitigations for the Spectre side-channel flaw revealed in January, with an expanded lineup of firmware (microcode) updates for Intel CPUs that include the Broadwell and Haswell chipsets.”

ZDnet: A patch for Meltdown created an even bigger flaw for 64-bit Win7 and Server 2008 R2. Now, it’s freely available. Commentary on Exploiting CVE-2018-1038 – Total Meltdown

[25th April 2018]

Kyle Orland for Ars Technica: The “unpatchable” exploit that makes every current Nintendo Switch hackable [Updated] “Newly published Tegra bootROM exploit could be a big headache for Nintendo and others.” Commentary from The Verge: Nintendo’s Switch can be hacked to run custom apps and games.

[23rd April 2018]

Security Explorations: THE ORIGIN AND IMPACT OF SECURITY VULNERABILITIES IN ST CHIPSETS SE-2011-01 [Security weaknesses in a digital satellite TV platform]

[17th April 2018]

Help Net Security: Rambus launches fully programmable secure processing core – “At RSA Conference 2018, Rambus announced the availability of the CryptoManager Root of Trust (CMRT), a fully programmable hardware security core built with a custom RISC-V CPU.”

The Register: Microsoft has designed an Arm Linux IoT cloud chip… – “Microsoft has designed a family of Arm-based system-on-chips for Internet-of-Things devices that runs its own flavor of Linux – and securely connects to an Azure-hosted backend.”

Paul Ducklin for Sophos: Could an Intel chip flaw put your whole computer at risk? – “Well, the spectre of CIH is back in the news following a recent security advisory, numbered INTEL-SA-00087, from chip maker Intel.”

[1st April 2018]

Webkit

Webkit.org: What Spectre and Meltdown Mean For WebKit

PoCs (Proofs of Concept)

Skyfall/Solace

Security Company Commentary

ESET resources

Wait, don’t go! This resource is not run for or by ESET, and of course lots of other security companies are providing sound information on these issues. However, as I’m on several ESET mailing lists (I work with the company as a consultant) I see a wider range of material from there than I do from other companies. If time allows, I’ll try to include vendor info from other major companies too.

G-Data resources

Inside Meltdown and Spectre: Interview with Anders Fogh

Checkpoint resources

How The Spectre/Meltdown Vulnerabilities Work

Trend Micro Resources

Trend Micro: Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters
“We worked on a detection technique for attacks that exploit Meltdown and Spectre by utilizing performance counters available in Intel processors. They measure cache misses — the state where data that an application requests for processing is not found in the cache memory — that can be used to detect attacks that exploit Meltdown and Spectre.”

Affected Companies 

Apple

Google

Android

Chrome OS

IBM

The Register: IBM’s complete Meltdown fix won’t land until mid-February – POWER CPU patches available now or next week, AIX and i OS fixes are more than a month off

Intel

[12th May 2018]

[21st April 2018] The Verge: Intel is offloading virus scanning to its GPUs to improve performance and battery life

[16th April 2018] Also only distantly related. Bleeping Computer: Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware

[6th April 2018] Only distantly related, but… The Register: NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app – “No joke: another security SNAFU for Chipzilla, this time for a popular remote admin app” (applies to “Intel Remote Keyboard” for iOS and Android).

[4th April 2018] Simon Sharwood for The Register: Intel admits a load of its CPUs have Spectre v2 flaw that can’t be fixed – “And won’t fix Meltdown nor Spectre for 10 product families covering 230-plus CPUs”. For more specific information, see Intel’s document Microcode Revision Guidance, April 2 2018

[16th March 2018]

John Leyden waxes satirical at Intel’s expense in The Register: Intel: Our next chips won’t have data leak flaws we told you totally not to worry about – “Meltdown, Spectre-free CPUs coming this year, allegedly”

[24th January 2018]

  1. Zelkjka Zorz for Help Net Security: Intel testing new Spectre fixes, tells everyone to hold off on deploying current firmware updates

“Shortly after Red Hat stopped providing microcode to address variant 2 (branch target injection) of the Spectre attack, Intel has advised OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current firmware updates that fix the same vulnerability (CVE-2017-5715).”

  1. Intel’s own “News Byte”: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

“Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
  • […]
  • We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
  1. GBHackers: Intel asks customers to hold off Applying Patches for Spectre and Meltdown

“Intel told now they have identified the root cause of the reboot issue that affected Broadwell and Haswell CPUs and they are preparing a solution to address the issue and asks to hold off applying patches for Spectre and Meltdown.”

[26th January 2018]

The Register: Trebles all round! Intel celebrates record sales of insecure processors – Siri, what’s a monopoly?

[8th February 2018]

Simon Sharwood for The Register: Intel adopts Orwellian irony with call for fast Meltdown-Spectre action after slow patch delivery – For now, have some code that won’t crash Skylakes and stay close to your Telescreens.

He observes:

Sound advice, but a bit hard to swallow given that Shenoy’s “Security Issue Update” revealed that Intel is yet to develop properly working microcode updates for many of the CPUs imperilled by Spectre and Meltdown […] Chipzilla has managed to sort out sixth-generation Skylakes, as a February 7th Microcode Revision Guidance (PDF) document records.

AMD

Microsoft/Windows

[14th April 2018] Help Net Security: AMD users running Windows 10 get their Spectre fix – microcode to mitigate Spectre variant 2, and a Microsoft update for Windows 10 users.

[11th April 2018] Pierluigi Paganini: AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

[3rd April 2018] And the sad story of Microsoft’s Windows 7 patch does not yet seem to be over. Shaun Nichols for The Register: Mad March Meltdown! Microsoft’s patch for a patch for a patch may need another patch – “If at first, er, second, ah, third, no, fourth, you fail, sadly, you’re probably Redmond”

[March 31st 2018]

[March 29th 2018]

  • Security|DMA|Hacking: Total Meltdown? (Analysis of the Windows 7 Meltdown patch fiasco)

[March 28th 2018]

[March 23rd 2018]

Microsoft Technet: KVA Shadow: Mitigating Meltdown on Windows

[March 16th 2018]

Richard Chirgwin for The Register: Microsoft starts buying speculative execution exploits – “Adds bug bounty class for Meltdown and Spectre attacks on Windows and Azure”

[March 2nd 2018.]

ICS/SCADA

David Harley