Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment

Orin Thomas @orinthomas
Jeff Melnick [email protected]

Post on 13-Aug-2020

In this session …

• Vulnerability types
• Spectre
• Meltdown
• Spectre Vs Meltdown
• Impact on IT Operations

Types of vulnerabilities

• Application vulnerabilities
    • Application can be exploited
    • Fixed by vendor update
• OS vulnerabilities
    • OS & applications can be exploited
    • Fixed by vendor update
• Hardware vulnerabilities
    • May require OS fix
    • May require firmware update to hardware
    • May be unfixable

Spectre: What is it?

• Given the name because
    • The root cause is “speculative execution”
    • Isn’t easy to fix
    • Will haunt the industry for some time

Spectre: What is it?

• Class of vulnerabilities that impacts Intel, AMD, ARM-based and IBM processors
    • CVE-2017-5753 (Bounds check bypass, Spectre V1)
    • CVE-2017-5715 (Branch target injection, Spectre V2)
• Spectre NG
    • CVE-2018-3640 (Rogue system register read)
    • CVE-2018-3639 (Speculative store bypass)
    • CVE-2018-3665 (Lazy FP state restore)

Spectre: How it works

• Vulnerabilities are based on exploiting side effects of speculative execution
• Common method of hiding memory latency to speed up execution in modern processors
• Related to branch prediction, a special case of speculative execution

Spectre: How it works

• Tricks an application into accessing arbitrary locations in the program’s memory space
• Allows attacker to read content of accessed memory and perhaps access sensitive data
• Does not rely on a specific feature of a specific processor’s memory management and protection system

Spectre Exploits

• Just-In-Time engines used for JavaScript can be vulnerable
• Allows a website to read data stored in the browser’s memory for another website, or the contents of the browser memory
• Remotely exploitable through unpatched browsers
• Local malicious code can also exploit Spectre vulnerabilities

Meltdown: What is it?

• CVE-2017-5754. Rogue Data Cache Load
• Hardware vulnerability impacting Intel x86, IBM POWER processors and some (not all) ARM processors
• Does not impact AMD processors
• Allows rogue process to read all memory regardless of whether process is authorized to do so

Meltdown: How it works

• Exploits race condition in modern CPUs that occurs between memory access and privilege checking during processing of instructions
• Allows process to bypass privilege checks that isolate data belonging to the OS or other processes running on the host

Meltdown: How it works

• Unauthorized process can read data from any address mapped to the current process’s memory space
• Most OSes map RAM, kernel processes and other running processes to the address space of every process
• Means that memory from almost everywhere can be read by a rogue process exploiting Meltdown

Spectre Vs Meltdown

• Attackers can use Spectre to manipulate processes into revealing data
• Attackers can use Meltdown to read privileged memory which the process itself may not normally be able to access

Impact on IT Ops: Mitigation

• No single patch for Spectre, it is a class of attack
• Mitigations for Spectre and Meltdown have performance impacts
    • Spectre: 2-14%
    • Meltdown: 5-30%

Impact on IT Ops: Spectre Mitigation

• Windows
    • 2017-5753. Recompile with new compiler, harden browser to prevent JavaScript exploit
    • 2017-5715. New CPU instructions that remove branch speculation assigned through firmware update
    • 2018-3640, 2018-3639, 2018-3665. CPU firmware update
• Latest versions of browsers are hardened
    • Chrome, Edge, Firefox
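
An added example, not taken from the slides: the bounds-check pattern exposed to CVE-2017-5753 next to a hand-hardened form that clamps the index without relying on the branch. Index masking is a source-level alternative to the barriers a mitigating compiler inserts on recompile; the function names and `demo_table` are hypothetical, and `len` is assumed to be at most `SIZE_MAX / 2`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for the demonstration. */
static const uint8_t demo_table[8] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Pattern exposed to CVE-2017-5753: architecturally correct, but the CPU may
 * predict the branch as taken and issue the load before idx < len resolves. */
uint8_t read_checked(const uint8_t *table, size_t len, size_t idx)
{
    if (idx < len)
        return table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < len, zero otherwise.
 * Assumes len <= SIZE_MAX / 2 so the top bit can act as a borrow flag. */
size_t index_mask(size_t idx, size_t len)
{
    size_t top = ~(idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - top;
}

/* Hardened form: the index is clamped by data flow, not only by the branch,
 * so a mispredicted path can only reach table[0]. An optimizer may still fold
 * the mask away; production code relies on compiler or kernel helpers. */
uint8_t read_hardened(const uint8_t *table, size_t len, size_t idx)
{
    if (idx < len) {
        idx &= index_mask(idx, len);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = {3, 7, 8, (size_t)-1};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu mask=%zx value=%u\n", probes[i],
               index_mask(probes[i], 8), read_hardened(demo_table, 8, probes[i]));
    return 0;
}
```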

Impact on IT Ops: Meltdown Mitigation

• Mitigate by isolating kernel and user mode page tables
• Requires update to OS kernel code
• Patches on Windows OS incompatible with 3rd party AV software that uses unsupported kernel calls
    • OS won’t update unless 3rd party AV sets special registry key indicating that update will not break system
• Does not require CPU firmware update

Spectre & Meltdown: The Future

• CPUs being redesigned so that these exploits are mitigated
• Speculation that these CPUs will not perform as well as vulnerable CPUs because of the mitigations
• Existing systems and hardware vulnerable unless patched

Netwrix Auditor

A visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations, and access in hybrid IT environments.

It provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage.

Netwrix solutions

• Data Access Governance
• Privileged User Activity Tracking
• Alerts on Suspicious Activity
• Using Behavior Anomaly Discovery
• User Activity Video Recording
• Restore of Deleted Active Directory Objects

Product Demonstration

Thank You for Attending