Tech Blog: “New Year, New Cyber Crisis” by Ryan Ernst

The ushering of a new year brings with it the promise of change.  Most eagerly look forward to the coming year full of hope.  This year hasn’t started quite as one would wish.  We’ve been greeted by yet another global cyber security crisis and this one is epic.  Security researchers at Google’s Project Zero published their discovery of processor side channel attacks, named Spectre and Meltdown, within days of the final note of Auld Lang Syne.

Computer processors, or chips as they are commonly referred, are at the heart of everyone’s PC, laptop, or phone.  Modern chips utilize an intuitive capability called ‘speculative execution’ designed to complete tasks quicker.  Speculative execution predicts what code a program will use next.  The prediction isn’t always right and the unused data is discarded.  Herein lies the crux of the problem; due to hardware flaws, the unused data can be viewed by programs which should be restricted from doing so.

An attacker is able to leverage these flaws by running malware locally or via Javascript in a browser from a malicious website.  The attack has the potential to read sensitive data, including passwords and cryptographic keys, from memory.  The hacker doesn’t require Administrator access to perform a side channel attack, only standard user level access.  Cloud computing environments, including Amazon and Microsoft Azure, are especially concerning as their shared computing resources create a path to steal information from other customers’ virtual machines.

Let’s consider an everyday analogy to clear things up a bit.  Suppose you phone in a daily order for two chicken shawarmas from your favorite Lebanese restaurant.  The restaurant employee is used to seeing your number come up on caller ID.  When they see you calling, they immediately begin writing your order as they greet you.  To their surprise, you made a New Year’s resolution to eat falafel sandwiches.  The employee dutifully pulls out a new order form and throws the incorrect form in the trash.  This action creates an opportunity for someone walking past to see the discarded order form with your contact information.

Nearly every modern computer chip is susceptible to speculative execution side channel attacks.  Intel processors are vulnerable to all variations of these attacks to include chips manufactured as far back as 1995!  AMD processors are vulnerable to only one of the variants. However, all mainstream chips should be considered at risk unless confirmed otherwise.

Chip manufacturers are offering updates to firmware to resolve the flaws at the hardware level.  However in most situations, updating firmware will be challenging at best and could result in hardware failure if done incorrectly.  Alternatively, software patches to operating systems and Internet browsers are being made available to mitigate the flaws.  These software patches implement very small time delays in the processor to thwart unauthorized data viewing.

There is a downside in taking this approach to patching; millions of tiny delays add up resulting in significant performance impact.  Various online researchers floated initial estimates of 5-30% reduced chip performance.  Equally unsettling, Google first reported the flaws to chip manufacturers in June 2017 – yet vulnerable chip sales continued without issuing consumer warnings.

There are presently no known instances of Spectre or Meltdown in the wild.  However, this is likely to quickly change given the extent of the vulnerabilities. Recommended best security practice is to apply patches as soon as they become available.

I don’t know about you, but this article has made me hungry for a chicken shawarma…

 

Ryan Ernst – Affectionately known as the “Tony Stark of Bahrain” is an Enterprise Security Consultant at Sword & Shield.
www.swordshield.com

Comments

comments

- Advertisement -