Baidu Security Disclosed New Meltdown Variant
Is there a security vulnerability in the world that is widely used in electronic devices and is extremely destructive and difficult to fix? In January 2018, some independent researchers discovered the hardware chip level vulnerabilities Spectre and Meltdown, which created a huge storm across the industry. The world once again ran into the panic of security vulnerabilities, and the chip makers were racing against time to find solutions. Up to now, the protection combination (i.e., KPTI+SMAP+user-kernel isolation) is widely recognized as the de facto defense method.
However, at BlackHat Asia 2019, held in Singapore from March 26th to 29th, Yueqiang Cheng, Zhaofeng Chen, Yulong Zhang, Yu Ding, and Tao Wei from Baidu Security X-Lab presented an original study on the new variant of Meltdown. The talk explained how the existing Meltdown and Spectre attacks were defeated by the combined defense of KPTI+SMAP+user-kernel isolation, and showed that a new Meltdown variant can completely break this defense. It is the first such variant disclosed to the industry.
The “strongest” defense combination
There are many computing and execution units (e.g., branch predictor and out-of-order execution engine) in the CPU. To increase performance, the CPU uses a technique called Speculative Execution.
After the branch instruction is issued, the CPU with predictive execution capability is able to verify these assumptions. If the assumption is valid, the execution continues. If it is invalid, the execution is cancelled, and the correct execution path is run according to the actual situation. However, it should be noted that when the CPU executes the instructions, it is not strictly following the original order, and is often sequencing the instructions according to their priorities. Therefore, the CPU could run into the scenario of Out-of-Order Execution.
Because the CPU accesses the main memory at a slower speed, a multi-level cache is built to store the most recently accessed data from main memory, and boost CPU data access speed.
In the case of Meltdown, this attack mainly uses the out-of-order execution feature of the CPU, which can read any kernel memory location, including sensitive data and passwords, even the entire kernel address space, without system authorization. The Spectre attack uses the processor’s branch guessing + caching technology.
Theoretically, this set of vulnerabilities can affect the CPU released in 1995. Because they are based on an architectural flaw, no matter what system you use (Windows, IOS, Android), any device (computer, mobile phone, server) could be affected. The degree of the serious destruction from these vulnerabilities should not be underestimated. It will cause information leakage from the CPU operating mechanism, and an unprivileged attacker can exploit the vulnerabilities to remotely disclose user information or locally expose memory information of privileged software.
Essentially the consequences of the Meltdown and Spectre attacks are to “read” the data in any address space of the system. Since most operating systems map all kernel data to the user process space, the only industry-recognized defense is to prevent the user process from mapping the data in the kernel by Kernel Page Table Isolation (KPTI) to protect against “reading” kernel data. The defense has different names on different platforms: KPTI on Linux, kernel virtual address (KVA) shadows on Windows, and dual mapping (DM) on OS X.
At the conference, researchers from Baidu Security explained the defense combination. The KPTI/KVA/DM solution requires the OS to maintain two page-tables, one for the user process and one for the kernel, and to ensure that the page table for user does not map privileged pages, i.e. the kernel page. Switching between the two page-tables will cause CR3 to reload and TLB to refresh, thereby reducing the memory access speed. If some application scenarios require a large number of kernel and user space switches (switches between two page-tables), it will result in higher performance overhead. In order to reduce these overheads, the kernel needs to fully utilize the PCID feature to reduce the refresh rate of TLB.
At the same time, SMAP (Supervisor Mode Access Protection) also makes the Spectre variant (gadget in kernel space) unable to obtain the kernel data. The SMAP mechanism does not allow the kernel to access the user address space. Any illegal access will trigger a CPU exception.
With the strongest defense combination of KPTI+SMAP+user-kernel isolation, it is recognized by the industry that no attack can enable an unprivileged application to obtain kernel data.
Baidu Security Discovers Latest Meltdown Attack Variants
In this year’s Black Hat Asia 2019, Baidu Security presented the latest research that there is a new variant v3z that allows malicious processes to bypass KPTI/KVA/DM and reliably read any kernel data. According to Baidu Security, v3z is the first meltdown variant to beat KPTI/KVA/DM. This means that the only effective defenses recognized in the industry are broken. V3z mainly uses the common memory area between the user page table and the kernel page table (we call this shared memory “bridge”). Probing the “bridge” can indirectly access the data from other parts of the kernel.
The v3z attack include the following steps:
- Offline phase
Run data collection on the “bridge”. The main purpose of this step is to reduce the time cost in the latter probe. This step mainly uses a gadget to put the target data of Meltdown into the l1d cache.
- Online phase
— Establish data dependencies between target kernel data and the “bridge”. This also needs a special gadget.
— Use Meltdown to probe the “bridge”. Without offline phase, 256*256 probes are required in this step. Since the data of the “bridge” is known, the number of probes can be greatly reduced to only 256 probes.
As a result, Baidu Security’s latest Meltdown variant v3z can break through the strongest defense combination KPTI+SMAP+user-kernel isolation. An attacker can easily steal system confidential and private data, such as RSA keys or user password, from an unprivileged user process.
There is currently no good defense against this attack, because the “bridge” cannot be eliminated (the codes in this area handle exceptions and interrupts, system calls, etc., therefore the “bridge” is necessary). At the end of the talk, Baidu Security recommends to minimize the size of the “bridge” and introduce address randomization to raise the attack difficulty. Another possible countermeasure is to eliminate the available gadgets, but there are a lot of third-party codes (such as device drivers) in the kernel, which makes this extremely difficult. To completely fend off v3z attacks, major OS vendors need to do a lot of upgrade work to minimize the damage caused by v3z.
About Black Hat
BlackHat is a global security technology conference founded by legendary geek Jeff Moss in 1997. It is held in Asia, Europe and the United States three times a year. To ensure the technical advancement and objectivity of the conference content, BlackHat has a very strict review process on the submissions. Its acceptance rate is less than 20%.
At BlackHat Asia 2019, held in Singapore from March 26th to 29th, three research papers from Baidu Security are accepted, presenting innovative work on Deep Neural Network (DNN) model security, Rowhammer’s new attack method, and Meltdown new variant. This also shows that Baidu Security is maintaining world-leading technology in critical security fields such as AI security, system security, and software security. The talks were highly praised by many researchers from Europe, Australia, Asia and the Americas.
Meanwhile, Baidu Security also aims to influence the industry to increase the priority and investment in security issues, starting from the base of the kernel, integrating security from architecture and development, and consolidating the cornerstone of next-generation network security.