Google details CPU flaws, claims AMD, ARM and Intel all affected

Google has come forward to claim responsibility for discovering a pair of serious security holes in Intel processors that run almost 9 in 10 computers in the world. And worse: the company has echoed a statement by Intel yesterday that the flaws are not specific to that company’s chips.

Contrary to published reports, a blog post on the Google Security Blog by Matt Linton, a Senior Security Engineer at Google and Pat Parseghian, a Technical Program Manager said that flaws dubbed “Specter” (PDF) and “Meltdown” (PDF) are not limited to chips by Intel, but exist in central processing unit (CPU) chips by a wide range of vendors including Intel, AMD and ARM.

Google discovered the flaws

The flaws were discovered by Jann Horn, a researcher for Google’s Project Zero security team, discovered the flaw and showed how malicious actors could game a common CPU feature known as “speculative execution” to access and read parts of system memory that should be beyond their reach.

Meltdown and Spectre
A page set up to explain the different flaws, which affect a wide range of processors.

In a statement, Intel on Wednesday echoed that, saying that the problem was not a “‘bug’ or a ‘flaw'” unique to Intel. “Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits,” the company said. Intel said it is working with competitors AMD, ARM Holdings and “several operating system vendors” to develop “an industry-wide approach to resolve this issue promptly and constructively.”

Intel, Google and other organizations had been preparing to come clean about the security flaws on January 9th in a coordinated disclosure, but were forced to respond before that when media reports describing the vulnerabilities began appearing. The company pushed back against reports that firmware updates and other fixes will impact the performance of its CPUs. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

A web page set up to explain the two security flaws said that both Meltdown and Spectre are so-called “side channel” attacks. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, allowing attackers to access system memory. Spectre, on the other hands, tricks other applications into accessing arbitrary locations in their memory.

Proof of concept attacks

Proofs of concept for the holes  showed how researchers were able to read arbitrary data from kernel virtual memory on a system using an Intel Haswell Xeon CPU and (under certain circumstances) from a system using an AMD PRO CPU, among other attacks.

 

The Spectre and Meltdown flaws shouldn’t concern most application developers, because they require access to the local system to execute (for example: by way of a prior compromise).

However, they should be a concern for cloud based systems that allow multiple users to run code on the same CPU, Chris Wysopal of the firm CA/Veracode wrote in an e-mail. For most software developers, the flaws should have little impact, for the most part. “here is nothing to fix at the application layer except for rare applications that run untrusted code,” Wysopal said. That means web browsers that run JavaScript and other executable content from a web server are vulnerable. Browsers can mitigate that risk by isolating the process spaces used by different web pages, he said.

In the long-term, the Spectre and Meltdown flaws will add support for using mechanisms like site isolation for applications that run both trusted and untrusted code, he said.

The Department of Homeland Security’s US CERT urged affected users to apply  Linux kernel mitigations referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages. Patches are also being issued by Microsoft, Apple and other operating system vendors. CERT urged readers to apply any operating system and application updates to mitigate the attacks.