Over the past few days, I’ve been digesting the extensive news coverage about the Meltdown and Spectre vulnerabilities that between them affect pretty much every computer and phone in use today. As you’d expect, most of the coverage has focused on what the vulnerabilities are and what the immediate short-term mitigations should be.
But based on what I’ve learned, I thought it might be interesting to share a few predictions.
1) This won’t be a case of “patch and relax”
It’s fairly clear that Spectre is going to grumble on for a long time – mitigating this vulnerability requires quite fundamental changes to the way software is compiled and it will be a long time before every possible piece of software is suitably rebuilt. In particular, watch out for attacks that target vulnerable 3rd party device drivers in order to access kernel memory, and possible cookie-stealing attacks on browsers that wouldn’t be prevented by process-per-tab “tab isolation.”
In principle patches such as KPTI should defend against Meltdown, but some people will roll back these patches to regain performance, on the basis that their systems never run 3rd party code. They may fall prey to lower-severity vulnerabilities that allow an attacker to get unprivileged 3rd party code to run, which in turn will then make use of Meltdown.
2) This won’t be the last processor vulnerability
These aren’t the first processor vulnerabilities, and they won’t be the last.
2017 saw fairly widespread news coverage of the vulnerabilities in the Intel ME subsystem that’s incorporated into most current Intel processors (https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00086&languageid=en-fr). There was less coverage of the fact that, at the same time, Intel admitted and patched critical vulnerabilities in the Intel SPS and TXE subsystems (the latter particularly notable since while ME and SPS are management subsystems, TXE is a security subsystem!)
The good news with the ME, SMS and TXE vulnerabilities was that Intel was able to issue patches for them at the firmware level – something that doesn’t seem to be possible for Meltdown and Spectre. But in many ways they were even more dangerous – while Meltdown and Spectre may allow an attacker to bypass OS protections, the ME, SPS and TXE vulnerabilities allowed an attacker to bypass even hardware virtualisation (Intel VT) protections.
That was all a bit reminiscent really of the work that Invisible Things Lab did back in 2009, particularly their attacks that exploited the Intel SMM subsystem. See http://invisiblethingslab.com/itl/Resources.html which also has links to other fabulous Intel attacks they developed back in the 2009-2011 period.
And of course, don’t think this is an Intel-specific problem. See for example, Di Shen’s work on attacking the Huawei HiSilicon implementation of TrustZone (https://www.blackhat.com/us-15/briefings.html#attacking-your-trusted-core-exploiting-trustzone-on-android) or see the CLKSCREW paper describing a cross-platform attack on ARM TrustZone (https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf).
The reality is that contemporary processors are fantastically complicated platforms. And like any other complicated platform, they have vulnerabilities.
3) The spies will be crying – but not too much
At the time of writing this, there are no known real-world exploits that make use of Meltdown or Spectre. But that doesn’t mean there aren’t any real-world exploits – just that they’re not known. There’s a good chance that nation state attackers have been making use of attacks against these vulnerabilities for some of their more nefarious activities.
Undoubtedly, their jobs will become more difficult with some of the patching that’s about to take place. But the UK press reported the other day that “GCHQ had ‘over-achieved’, creating double the number of new offensive cyber-capabilities expected” (http://www.bbc.co.uk/news/technology-42425960).
They won’t be the only ones – the world’s exploit arsenals are filling up. Chances are, those arsenals include other processor attacks, probably including ones against vulnerabilities like the Intel ME, SPS and TXE ones that provide full platform access bypassing even hardware virtualisation protections.
4) People will continue to deliver security solutions that aren’t secure
Software applications depend on operating systems depend on processors. And it’s vulnerabilities all the way down.
Of course, some of those vulnerable software applications are themselves security solutions. In some cases (for example, Symantec 2016 – https://www.us-cert.gov/ncas/alerts/TA16-187A) those security solutions will turn out to be more vulnerable than the systems they were designed to protect!
5) Strong security needs to depend on simplicity
In the end, vulnerabilities are due to complexity. That means that if you want strong security, you need to look for simple approaches that depend as little as possible on complex subsystems. At the furthest end of that spectrum is complete physical and electrical disconnection – or indeed not using computers at all. There are situations where those are the only options, but they’re a massive blocker to doing effective work.
Here at Garrison, we believe that the key challenge for the technology industry over the coming decade or two is to work out how to embed security through simplicity at the heart of the most complex technology. It’s not a trivial task, but to quote Intel’s Andy Grove (cheekily, and out of context): “only the paranoid survive”.