Last updated: March 29, 2018
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information, because that information may leak. This applies to personal computers as well as to cloud infrastructure.[1]
To put it simply, the trick exploits the processor's speculative execution: the CPU guesses which instruction will be executed next and fetches the data for it in advance. If the guess turns out to be wrong, the processor must discard the results of the code it ran speculatively and execute what the program actually asked for. That rollback, however, is not complete: traces of the fetched data remain in the processor's buffers, namely its cache.
The attacker therefore arranges instructions in an ordinary user process so that the processor speculatively fetches data from the protected memory region before any check of the access rights has taken place.
A normal attempt by an unprivileged process to read a byte of kernel memory raises an exception, which the system handles safely. By then, however, the following instructions have already executed speculatively without that check, leaving the contents of the byte in the cache. Clever cache operations (a timing side channel) then reveal where the byte was placed, and thus its value. Repeated byte by byte, this lets the attacker read the entire contents of kernel memory.
Who is threatened by Meltdown?
All Intel x86 processors manufactured since 1995 that use out-of-order execution are vulnerable to this attack; the exception is the old 32-bit Atom processors, which did not use it. All 64-bit Core processors are certainly vulnerable. Intel has not made any recommendations so far, but Google has demonstrated how to read data from kernel memory on a Haswell Xeon processor.
ARM processors are also affected. They are common not only in smartphones but also in many embedded devices and Internet of Things endpoints. The Meltdown attack can be carried out on ARM chips with the latest Cortex-A75 cores. Note, however, that the older Cortex-A15, Cortex-A57 and Cortex-A72 cores are susceptible to a Meltdown variant in which user processes gain access not to kernel memory but to protected system registers. ARM has already published a security bulletin that describes exactly what can happen and how to deal with it.
How to protect yourself against Meltdown?
Because this is a hardware vulnerability, the attack can be performed on any operating system running on a vulnerable processor. The defence is to move kernel memory into a separate virtual address space. This technique is called Kernel Page Table Isolation (KPTI), and unfortunately it comes with a significant (up to 30%) slowdown of the system. The more often software accesses hardware and system resources, the greater the slowdown; operators of large databases are hit hardest.
On Windows 10, this isolation is introduced by the KB4056892 package, which also patches the Windows Subsystem for Linux. Linux itself received the fix in kernel 4.15; work is underway to backport it to supported kernels, and distributions will deliver the updates as soon as possible. macOS was secured in December with release 10.13.2.
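A small Python check, added here as an example and not part of the original article, that reads the Linux kernel's own reporting of the Meltdown status and of KPTI. It assumes the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (present in kernel 4.15 and in patched stable kernels) and the `pti` feature flag in /proc/cpuinfo, neither of which the article mentions.

```python
"""Minimal Meltdown / KPTI mitigation check for Linux (added example).

Assumptions (not from the article): the kernel exposes the sysfs file
below (Linux 4.15+ and patched stable kernels) and lists the "pti"
feature flag in /proc/cpuinfo when Kernel Page Table Isolation is active.
"""

SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"
PROC_CPUINFO = "/proc/cpuinfo"


def classify_sysfs(text):
    """Map the kernel's sysfs status line to a coarse verdict."""
    line = text.strip().lower()
    if not line:
        return "unknown"      # file missing or empty: kernel predates the interface
    if line.startswith("not affected"):
        return "not affected"
    if line.startswith("mitigation"):
        return "mitigated"    # e.g. "Mitigation: PTI"
    if line.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def has_pti_flag(cpuinfo):
    """True if any 'flags' line of /proc/cpuinfo lists the 'pti' feature."""
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and "pti" in value.split():
            return True
    return False


def meltdown_verdict(sysfs_text, cpuinfo_text):
    """Combine both sources: sysfs wins when present, cpuinfo is the fallback."""
    verdict = classify_sysfs(sysfs_text)
    if verdict != "unknown":
        return verdict
    return "mitigated" if has_pti_flag(cpuinfo_text) else "unknown"


def _read(path):
    """Read a system file, returning '' if it does not exist (older kernels)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    print("Meltdown status:", meltdown_verdict(_read(SYSFS_MELTDOWN), _read(PROC_CPUINFO)))
```

An "unknown" verdict means the kernel does not report either indicator, which on a 64-bit Intel machine should be treated as unpatched until confirmed otherwise.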
- OpenBSD releases Meltdown patch
- Meltdown and Spectre
- Meltdown Research
- Project Zero - Reading privileged memory with a side-channel
- CPUs: information leak using speculative execution
- CVE-2017-5754 Detail
- Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks
- Spectre & Meltdown Checker Script
- Total Meltdown?
[1] A simple shell script to tell if your Linux installation is vulnerable against the 3 “speculative execution” CVEs that were made public early 2018. “Please also note that for Spectre vulnerabilities, all software can possibly be exploited, this tool only verifies that the kernel (which is the core of the system) you’re using has the proper protections in place. Verifying all the other software is out of the scope of this tool.”