Attivo Networks Blogs

What are Meltdown and Spectre, and How to Mitigate the Risk

Published: January 8, 2018 in Attivo (Company), Blogs

By: Carolyn Crandall

The announcements of the hardware bugs dubbed Meltdown and Spectre, with particularly severe flaws for Intel and some ARM chips, have hit the news hard this week. Meltdown allows low-privileged user programs, such as database applications or JavaScript in web browsers, to read the contents of kernel memory. Spectre, which also affects AMD processors, allows an application to read arbitrary memory locations, giving it access to any information stored there. Both have had a widespread impact on processor companies, operating system companies, cloud providers, and the companies using their technologies.

The use of agent-based solutions that access kernel space has always been tricky for security teams, even before today’s Meltdown and Spectre news. With access to kernel space, one can manipulate just about anything, so an application that can reach the kernel of a critical server or workstation can be used to hand access to attackers. This backdoor creates an opportunity to access stored passwords, company data, intellectual property, and employee, patient or customer information. Typically, the hardware protections built into modern processors prevent lower-privileged applications from accessing kernel space, but Meltdown and Spectre bypass these measures.

For example, a malicious JavaScript in a browser could be used to steal passwords stored in the browser. Information leakage can also be used to undermine protections such as ASLR (address space layout randomization) and enable effective exploitation of buffer overflows.

Meltdown, found in virtually every Intel chip and certain high-performance ARM designs used in mobile phones, is easier to exploit and enables any user program to read kernel data. The severity of the flaw depends on how operating systems share memory between user programs and the kernel. The operating-system changes made to fix this bug appear successful for Intel, Apple, and future ARM chips that are susceptible to the attack. The fix, which carries a notable performance penalty, works by putting an end to that sharing.

Spectre, which applies to chips from Intel, AMD, and ARM, is also based on speculative execution and is designed to read memory within a single process. This is then used to attack the integrity of virtual machines and sandboxes and to mount cross-process attacks. Systemic fixes for some aspects of Spectre appear to have been developed, but there is no simple fix: it may require modification and/or recompilation of at-risk programs and will likely require manual effort by developers. Because of this complexity, vulnerabilities related to Spectre are expected to be around for a while.

Both Meltdown and Spectre require extensive rearchitecting of current processor design, meaning that it will be some time before the performance penalties in current patches and any lingering vulnerabilities can be fully mitigated. The longer it takes Intel, ARM, and AMD to rearchitect their processors, the longer attackers have to find effective methods that can leverage the vulnerabilities and successfully mount attacks.
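The kernel-side fixes described above can be verified on a Linux host. The following script, added here as an example and not part of the original post, reads the kernel's sysfs vulnerability reports (assumed to live under /sys/devices/system/cpu/vulnerabilities, present on kernels carrying the Meltdown/Spectre patches) and flags entries whose mitigation is missing or cannot be verified; the sample statuses are constructed for offline use.

```python
import os

# Kernel sysfs interface (Linux 4.15+ and distribution backports) that reports
# the kernel's own mitigation status for each speculative-execution bug.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample of what those files contain, used when run off a Linux host.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def read_sysfs(path=VULN_DIR):
    """Read each status file; None means the running kernel does not report it."""
    out = {}
    for name in CHECKS:
        try:
            with open(os.path.join(path, name)) as f:
                out[name] = f.read()
        except OSError:
            out[name] = None
    return out


def classify(status):
    """Map one status line to not_affected / mitigated / vulnerable / unknown."""
    if status is None:
        return "unknown"  # old kernel: mitigation cannot be verified, treat as exposed
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", optionally followed by ": <detail>", or any unrecognised text
    return "vulnerable"


def exposed(statuses):
    """Names whose kernel-side mitigation is absent or cannot be verified."""
    return sorted(n for n, raw in statuses.items()
                  if classify(raw) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    statuses = read_sysfs() if os.path.isdir(VULN_DIR) else SAMPLE
    for name in CHECKS:
        print(f"{name:11} {classify(statuses[name]):12} {(statuses[name] or '').strip()}")
    print("needs attention:", exposed(statuses) or "none")
```

Note that sysfs reflects only the kernel's own mitigation; as the text says, Spectre exposure in user programs, browsers and hypervisors also depends on those being updated or recompiled.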

As it relates to this and other recent vulnerabilities, the Attivo Networks Deception Platform consists of deception decoys, endpoint credentials, and other lures that will entice the attacker into engaging, in the event they have gained access to the network.

Many believe that catching the attacker at the endpoint is the preferred approach to detection. However, this often comes with an agent-based performance tax. Attivo believes that both strong endpoint detection and the ability to detect in-network lateral movement create the ideal scenario to detect threats. The Attivo ThreatStrike™ Suite provides agentless endpoint deception that is designed to lure an attacker into using deception credentials. Then, the attacker is directed back to an engagement server where their tactics, techniques, procedures and full indicators of compromise can be captured and recorded.

This new set of hardware bugs is widespread, patching Spectre is complex, and with the performance hits being incurred with the patches for Meltdown, there may be situations where risks will be taken to preserve performance and user experience. In general, and for these situations, adding deception can play a critical role in the early detection and discovery of attackers attempting to exploit these vulnerabilities. Contact Attivo now to hear how we are helping our customers navigate the risk of these and other security threats.

* Attivo Networks is committed to the highest levels of quality and customer experience and is actively working to make patches available for affected Attivo Networks solutions. Please email the support team for information on how to patch installed systems or if you have any further questions.
