Having a #Meltdown Over #Spectre?

Confused yet by Meltdown and Spectre? It’s hard not to be! So what should or can you do about it?

Our View

For Meltdown and Spectre it’s security business as usual. Patches exist for Meltdown and half of Spectre (for most machines) although more fixes will be forthcoming. Make sure you apply all these patches and keep your OSes and browsers up-to-date.

• In the cloud (AWS/Azure/Google etc..) you need to patch your own VMs. The major Cloud providers already have or are about to patch their host OSs and hypervisors. Follow guidance from your vendors. As a cloud user you will generally have to patch your VM OSs.
• For your on-prem servers and machines get patching your host and VM OSs and your hypervisors (in the cloud the provider takes care of the hypervisor and host).
• Unusually, you may have to wave goodbye to a small number of older laptops and machines. The reason for deprecating some machines is that no hardware patch will come for some older CPUs (I just had to buy a new Chromebook for this reason).
• If any of your applications run untrusted code within their own process patches don’t yet exist but will hopefully soon be forthcoming (https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html).

To reiterate, where patches exist (“kpti” for meltdown, “retopoline” for the cross-vm spectre issue) applying them to your own VMs or servers is a priority.

What Does This Tell Us About Cloud vs Private DCs?

The Meltdown and Spectre exploits are an interesting example of the pros and cons of the cloud.

• The worst danger of these flaws is they let an application in one VM attack another VM (read its data) . A cross-VM attack is potentially awful in the cloud because you can’t control what might be running on a virtual machine co-located with you. You can’t protect yourself - you’re completely reliant on your provider to defend you!
• However, these vulnerabilities were discovered by a cloud vendor (Google) who then had plenty of time to fix them before the world in general (us) found out about the issue.

On the one hand, Cloud is innately less secure because there is potentially untrusted code running on the same machine as your applications, in another VM. On the other hand, the major cloud vendors have unimaginable resources devoted to keeping their servers and your applications safe. Vastly more than us mere mortals or a smaller cloud provider.

We believe that their huge resources give the big-vendor's public clouds the edge in security over on-prem. But that still leaves plenty for us users to do. The biggest risk to the security of our applications still resides not in evil co-located VMs but in unpatched exploits in our own applications . Keep it patched, follow good security procedures and in our judgement the cloud is still the safest place to put our applications. See more on security processes from Adrian Mouat and Sam Newman

Some Background

The Register has done an excellent writeup on  this issue.

The Meltdown and Spectre vulnerabilities are “features” of intel (Meltdown) or nearly all chips (Spectre 1 & 2) that mean modern OSes like Linux and Windows may reveal the supposedly secure contents of memory on a machine to a bad userspace actor. This breaches 2 fundamental tenets of security:

• One userspace application cannot read what’s in memory for another application of the same or higher permission level or in a different container namespace.
• An application in one VM cannot read the memory of an application in another VM.

That’s why everyone is so freaked out. The scariest part is the cross-VM attacks. It’s still difficult to put a bad actor on a properly secured server to exploit cross-process attacks (note this is harder to protect against on a personal machine). Any attacker who could exploit the cross-process attack vector on your servers could already have done you damage, so it’s bad but it suggests that your security processes were already leaving you exposed.

The ability to attack one VM from another VM hosted on the same machine, however, is more troublesome. The Cloud hosting business model is based on this NOT being possible. Any evildoer could buy a VM and put anything they like on it and use that software to attack VMs hosted on the same machine!!! Having said that, cross-VM vulnerabilities are not unprecedented. There have been potential flaws in hypervisors before; the cloud providers have patched them and civilization has not yet collapsed. Even the classic bane of cloud hosting, the “noisy neighbour” is a form of, usually inadvertent, cross-vm attack that can take out your service.

What’s the good news and the bad news?

• The good news is that an OS patch now exists for meltdown (“kpti”). All the main cloud providers are either in the process of deploying it to their Host OSs and hypervisors or have already done so. That will close the biggest attack vector for meltdown (cross-VM attacks).
• Anyone with machines or VMs (including cloud VMs) of their own should patch them ASAP.
• Unfortunately the fix for meltdown will slow your OS down, so your machines might get 5-30% slower depending on what your applications do, you’ll have to try it to see. Ouch, but there’s no avoiding it.
• For Spectre, the news is more mixed. A patch exists for half of the problem (“Retpoline”, which Google has already applied to its cloud platform). The other half of Spectre is still being addressed but it appears to be a more niche problem that is harder to exploit.

If you are still worried about cross-VM attacks, you can always pay for dedicated instances from your Cloud provider with no neighbours, particularly for security-critical applications.

As we mentioned above, the danger is more acute on laptops and PCs because it is easier to encounter attacking code. For example, if you're using Chrome you might want to turn site isolation on: https://www.chromium.org/Home/chromium-security/site-isolation (although we’ve noticed some significant issues with it ;-(. After applying it, I struggled to get Gmail working correctly).

If you want to read more deeply on the technical aspects of the attacks, we think this is a good description of what's going on: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

Meltdown and Spectre are a whole new type of attack, which is always scary but we just have to handle it in the same way as normal. It’s a reminder that even in the cloud, we all need excellent security and patch application processes. It's the new business as usual. Good luck and get updating!