The "Meltdown" Story: How A Researcher Discovered The "Worst" Flaw In Intel History

Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel, something we discussed in "Why The Implications Of The Intel "Bug" Are Staggering." And as Reuters describes in fascinating detail, the 31-year-old information security researcher and post-doctoral fellow at Austria's Graz University of Technology had just reached into memory that his computer's CPU was supposed to keep off limits and stolen secrets from it.

Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the operating system's kernel memory, which the processor's privilege checks are meant to keep inaccessible to ordinary user programs, was only theoretically possible.

"When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.

Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.

"We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found".

The flaw, now named Meltdown, was revealed on Wednesday, 3 January 2018, and affects most processors manufactured by Intel since 1995; the researchers name Itanium and pre-2013 Atom parts as the exceptions.

Separately, a second defect called Spectre has been found that also leaks memory contents on most computers and mobile devices running chips made by Intel, Advanced Micro Devices and ARM Holdings, a unit of Japan's Softbank. Where Meltdown reads kernel memory directly, Spectre misleads a victim program's branch prediction so that the program speculatively touches, and leaks, data from its own address space.

Both would enable an attacker to read secrets such as passwords or photos from desktops, laptops, cloud servers or smartphones. It's not known whether criminals have carried out such attacks: neither Meltdown nor Spectre leaves any trace in conventional log files, because the only footprint is the timing of memory accesses, and the attacker needs nothing more than ordinary unprivileged code running on the target.

Intel says it has started providing software and firmware updates to mitigate the security issues. ARM has also said it was working with AMD and Intel on security fixes.

Finding a Fix

The discovery was originally reported by online tech journal The Register. As a result of that report, research on the defect was published a week earlier than the manufacturers had planned, before some had time to work out a complete fix.

The Graz team had already been working on a kernel patch to defend against attempts to steal secrets from kernel memory.

In a paper presented last June they called it KAISER, or Kernel Address Isolation to have Side-channels Efficiently Removed.

As the name suggests, KAISER isolates kernel memory from user programs: while user code runs, almost all of the kernel's address space is left out of the page tables, so a side-channel attack aimed at kernel addresses finds nothing mapped to probe. The side channels it was built against exploit a design feature of modern processors that increases their speed.

That feature is out-of-order and speculative execution. Rather than executing instructions strictly in the sequence received, the processor runs ahead, guessing the outcome of slow operations and executing later instructions in the meantime. If the guess was right, time is saved. If it was wrong, the results of the wrongly executed instructions are discarded and no time is lost. The catch is that only the architectural results are discarded: a wrongly executed instruction that loaded a memory address into the cache leaves that cache line in place, and that residue can be measured with a timing attack. Meltdown combines the two. A user-mode read of a kernel address is going to fault, but before the fault is delivered the instructions following it have already executed out of order, used the stolen byte to touch one of 256 memory lines, and so recorded the byte in the cache, where the attacker can read it back.

Researcher Anders Fogh wrote in a later blog post that it might be possible to abuse so-called speculative execution in this way to read kernel memory. He was not able to do so in practice, however.
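The cache side channel described above, as an added example that is not part of the Reuters article and not the Graz team's code: a Flush+Reload covert channel in C, the half of Meltdown that turns "which of 256 lines is cached" back into a byte. The faulting kernel read itself is deliberately left out (it would not work on a patched kernel anyway); the function `encode_byte` stands in for the transient access that follows it. The names `probe`, `fastest_line`, `most_votes` and `covert_roundtrip` are chosen here, the stride of 4096 and the majority vote are the usual precautions against the prefetcher and timer noise, and the code assumes an x86-64 CPU with `clflush` and `rdtsc`.

```c
/* Added example: Flush+Reload cache covert channel, the receiving half of
 * Meltdown. Not from the article or the Graz team's code. x86-64 only.
 * Build: cc -O1 -o flushreload flushreload.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>

#define LINES  256      /* one probe line per possible byte value */
#define STRIDE 4096     /* a page apart, so the prefetcher does not warm neighbours */
#define ROUNDS 64       /* measurements per byte; a majority vote absorbs noise */

static uint8_t probe[LINES * STRIDE] __attribute__((aligned(4096)));

/* "Transmit": loading probe[secret*STRIDE] leaves that line in the cache.
 * In Meltdown the value comes from a load of a kernel address; the fault is
 * raised only when that load retires, and by then this dependent access has
 * already executed out of order and filled the cache line. That is the side
 * effect the cancelled speculation does not undo. Here the access is simply
 * executed, which is enough to exercise the channel. */
static void encode_byte(uint8_t secret)
{
    uint8_t v = *(volatile uint8_t *)&probe[(size_t)secret * STRIDE];
    __asm__ volatile("" : : "r"(v));   /* keep the load; the value is irrelevant */
}

/* Evict every probe line so that only the transmitter's line is cached. */
static void flush_probe(void)
{
    for (int i = 0; i < LINES; i++)
        _mm_clflush(&probe[i * STRIDE]);
    _mm_mfence();
}

/* Cycles taken by one load, fenced so the timer brackets exactly that access. */
static uint64_t timed_load(const uint8_t *p)
{
    unsigned aux;
    _mm_mfence();
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    _mm_lfence();                      /* do not let the load start early */
    uint8_t v = *(volatile const uint8_t *)p;
    uint64_t t1 = __rdtscp(&aux);      /* rdtscp waits for the load to finish */
    __asm__ volatile("" : : "r"(v));
    return t1 - t0;
}

/* Decision logic, kept pure so it can be tested without a real cache:
 * the line that reloads fastest is the one the transmitter touched. */
int fastest_line(const uint64_t lat[LINES])
{
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (lat[i] < lat[best]) best = i;
    return best;
}

int most_votes(const int votes[LINES])
{
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (votes[i] > votes[best]) best = i;
    return best;
}

/* One Flush+Reload round: flush, let the transmitter run, then reload and
 * time every line in a scrambled order (167 is odd, so i*167 mod 256 is a
 * permutation) so the stride prefetcher cannot pull in the next line. */
static int receive_byte(void (*transmit)(uint8_t), uint8_t secret)
{
    uint64_t lat[LINES];
    flush_probe();
    transmit(secret);
    for (int i = 0; i < LINES; i++) {
        int j = (i * 167 + 13) & 0xff;
        lat[j] = timed_load(&probe[j * STRIDE]);
    }
    return fastest_line(lat);
}

/* Full round trip: the byte recovered from cache timing alone. */
int covert_roundtrip(uint8_t secret)
{
    int votes[LINES] = {0};
    memset(probe, 1, sizeof probe);    /* map every page before timing it */
    for (int r = 0; r < ROUNDS; r++)
        votes[receive_byte(encode_byte, secret)]++;
    return most_votes(votes);
}

int main(void)
{
    const char *msg = "secret";        /* constructed input for the demo */
    for (const char *c = msg; *c; c++)
        printf("sent 0x%02x, recovered 0x%02x\n",
               (uint8_t)*c, covert_roundtrip((uint8_t)*c));
    return 0;
}
```

Nothing in this program is privileged and nothing is logged: every byte crosses from `encode_byte` to `covert_roundtrip` purely through cache state and `rdtsc`, which is why the article can say the attack leaves no trace. Replacing the plain load in `encode_byte` with a load from a kernel address that faults is the whole of Meltdown, and KAISER/KPTI defeats it by making sure that address is not mapped at all while user code runs.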

Responsible Disclosure

Only after the December self-hacking episode did the significance of Graz team's earlier work become clear. It turned out that the KAISER tool presented an effective defense against Meltdown. The team quickly got in touch with Intel and learned that other researchers - inspired in part by Fogh's blog - had made similar discoveries.

They were working under so-called responsible disclosure, where researchers inform affected companies of their findings to give them time to prepare 'patches' to repair flaws they have exposed.

The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero came to similar conclusions independently.

"We merged our efforts in mid-December with the team around Paul Kocher and the people from Cyberus Technology to work on two solid publications on Meltdown and Spectre," said Gruss.

Gruss had not even been aware of the work Horn was doing.

"Jann Horn developed all of this independently - that's incredibly impressive," he said. "We developed very similar attacks, but we were a team of 10 researchers."

The wider team said patches for Meltdown, based on KAISER, had been readied for Microsoft and Apple operating systems, as well as for the Linux open-source system, where the implementation was merged under the name KPTI, kernel page-table isolation.

There is as yet no single fix for Spectre, which tricks programs into leaking their own secrets. It is viewed as harder for an attacker to exploit, but also harder to mitigate: blocking it means changes to individual programs and compilers and updates to CPU microcode, rather than one operating system patch.

Asked which of the two flaws posed the greater challenge, Gruss said: "The immediate problem is Meltdown. After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I'd bet on Spectre."

