Anatomy of A Built-In Hardware Design Flaw
Traditionally, of the three states of digital data, data in-use has been intrinsically safer than data at-rest and data in-transit. New processor architecture vulnerabilities detected by Google Project Zero and others may have changed that. Two scary new hardware design vulnerabilities found in Intel (and possibly AMD) CPU architectures have rocked the data security world.
Meltdown and Spectre take advantage of the fact that data exists in raw, unencrypted form within the kernel and system memory spaces. While CPU designs were thought to have carefully isolated data in-use from other applications to prevent accidental—or malicious—interference with one another’s data, both Spectre and Meltdown exploit speculative execution, a ubiquitous performance enhancing technique that executes instructions based on assumptions considered likely to be true, then places the results in system memory on the processor chip. If the assumptions are valid, execution continues, if not, execution is unwound, and the correct execution path is started. Meltdown uses a side channel attack based on memory access times to break through the barrier that prevents applications from accessing arbitrary locations in kernel memory, thus allowing malicious actors to potentially discern the contents of memory addresses in the CPU cache and gain access to sensitive information, passwords, digital certificates, encryption keys, and intellectual property. According to a scenario outlined by cyber-security experts, hackers could use this approach to steal small chunks of data and piece them together to assemble useful information.
End-to-End Encryption Blunts Cloud Vulnerability
Such hacks could conceivably be launched by processes with normal user privileges on cloud platforms, where networked computers share and transfer data among millions of users and instances. Cloud services customers typically share servers, with hypervisor software keeping their data separate. If a hacker gets access to a cloud customer running on one virtual machine, he may be able to access the physical memory of the host machine and gain read-access to the memory of another customer’s virtual machine on the same host. Cloud service providers will have to step up to a new level of vigilance regarding data pollution and sharing problems.
End-to-end hardware-based encryption technology can protect data stored in the cloud from Meltdown and Spectre attacks since the encrypted contents of the files are useless even if hacked on the servers. Hardware-based encryption keys are never sent to the cloud provider; therefore, attackers are unable to decrypt the data. Even if one customer’s virtual machine is hacked to gain access to a second customer’s, their data is encrypted and protected. In addition, end-to-end encryption of traffic crossing a virtual private network (VPN) ensures that no system residing between network endpoints can be used to expose any data.
Operating Systems Do Need Attention—Stat!
OS vendors were made aware of the vulnerabilities months ago and are releasing patches now. Meltdown can be mitigated by kernel page table isolation (KPTI), which moves the kernel into a completely separate address space not visible to running processes—essentially not there at all. The countermeasure makes less use of fast virtual memory and may reduce Intel CPU performance by five to 30 percent.
Ultimately, says Chris Morales, head of security analytics at Vectra, OSes running on Intel processors would have to be rewritten to completely separate user memory space from the kernel memory space. Fixes for the Spectre bug, which essentially gets programs to perform unnecessary operations, will also take longer to develop. According to Google researchers who found the bugs, “long-term solutions will require instruction set architectures to be updated to include clear guidance about the security properties of the processor, and CPU implementations will need to be updated to conform.”
As Dan Kaminsky, a security researcher who found a critical flaw in the Domain Name System has observed, “It’s clear we’ve been asking more of chip designs than they were ever intended to give. This is the start of a new bug class. We’re all going to be wrestling with this for the next year.”
Bottom Line: Not All Chips Are Impacted
At Cyphre, we’ve heavily invested in hardware-based encryption from a manufacturer unaffected by these vulnerabilities. Since protected keys are never stored in memory unencrypted, even if a malicious agent is able to steal the contents of memory or cache, the keys will be totally unusable. In short: Meltdown and Spectre exploits will not work on Cyphre’s products. However, this does not mean that we are not constantly vigilant for any new exploit that may affect our solutions. Further, we remain in close conversation with our chip provider to provide our customers with the assurance that their keys (and therefore their data) are fully protected.