When The Chips Are Stacked Against Us

Don't let malware get hold of your chips!


Business today depends on technology. It doesn’t matter if you are a Fortune 1000 company or the local flower shop, technology is at the heart of your business. And at the heart of this technology are computing chipsets that give the technology its smarts—generally a Central Process Unit (CPU). More often than not, these CPUs are based on what is referred to as x86 architecture, which was originally created by Intel and support by Advanced Micro Devices (AMD). It is in this architecture at the center of our computing world that some of the most serious vulnerabilities are being found.1

At the start of the year, the Meltdown and Spectre vulnerabilities were discovered. Meltdown allowed arbitrary system memory access between separate running applications, and the Spectre vulnerability is used to trick running applications to access arbitrary memory locations. Either one of these attacks will leak secrets stored in other applications to the attacker’s application.2

There have been some successful patching of both Spectre and Meltdown vulnerabilities, but they did come at a computing price. In some situations, the performance of the underlying hardware was degraded. The patches were also not simple to distribute, requiring multiple companies to be coordinated to get the patches out. What this showed was the complexity of the CPU and the design decisions made to increase the efficiency of the processors could be turned into avenues of attack. While these two attacks are not new, another similar vulnerability has been recently disclosed. This time it targeted one of the most important secrets to keep confidential: the private encrypting key.

The attack called TLBleed allows for the stealing of cryptographic keys from Translation Lookside Buffer (TLB). The role of the TLB is to assist hyper-threaded processors in serving the memory requirements of two threads running simultaneously. By observing the TLB to refresh for the second thread, along with an understanding of the underlying cryptographic function and some machine analysis, you can recreate the private key with 98% accuracy. For TLBleed, the only real mitigation is turn-off hyperthreading, which would adversely affect the performance of the CPU. OpenBSD has already stated their intention to turn off hyperthreading in their O/S.

The worst part of any of these attacks is not being able to detect the attack in progress or see any artifacts of the attacks after. This leaves modern-day antivirus and malware detection unable to protect against the threat. Further, there is no doubt that, given enough time, money and effort, additional attacks against our underlying technology stack will continue.

For any of these attacks to be effective, the attacker first has to gain a foothold on the machine itself.3 This will require some sort of malware to be introduced to the machine. Often the malware goes undetected until it is activated. The activation is when most malware is detected.

It is now generally recognized that not all attacks can be stopped or detected immediately.  What is now more important is applying risk mitigation—that is, identify the most important assets and watch them more closely. By focusing resources where the greatest risk lies, the threats targeting those resources could be detected sooner.

Interset not only provides the ability to find threats sooner or as they are developing, but also to focus security analytics where the most important assets are. These assets could be VIPs, servers hosting intellectual property, or the administrative accounts in your organization. Knowing the risks and understanding that even today with best efforts we are still vulnerable is the first step to becoming a more secure organization. Using technology that assists in mitigating those risks is the right approach, especially when the chips are stacked against you.

 

1. The threats of Spectre and Meltdown can also be found in some chipsets from ARM. These are not discussed as the focus is on enterprise computing.
2. These two attacks are side-channel attacks. More detail on what a side-channel attack is can be found here.
3. While cloud workloads are susceptible to meltdown attacks on unpatched systems, these are not discussed. In general, most cloud service providers are now patched against this.