Meltdown: considerations on the impact on classified systems

(To Alessandro Rugolo)
04/04/18

Meltdown, a term whose meaning is synonymous with "disastrous collapse", or "nuclear catastrophe" has entered the common use because of the security problems highlighted on some types of processors including virtually all Intel processors, part of the AMD processors and so on, made from 2010 to today. Very few processors are not affected by this vulnerability (or from Spectre, in some ways very similar), among them a good part of the ARM, the SPARC and the Raspberry.

But, what's it about? What is it really Meltdown? And above all, what impact can it have on IT systems and in particular on classified systems used in the military environment?

With this article I will try to clarify this vulnerability and its potential impact in the security world.

To begin with, it is useful to reiterate that the vulnerability is hardware and not software. This makes a bit of a difference to what we are used to hearing. In practice, to make a comparison with the world of automobiles, it is as if in (almost) all the cars in the world it was discovered that an engine detail due to a design defect is subject to breakage, probably in such a case the houses manufacturers would be forced to withdraw the offending model from the market and compensate the consumer, or to recall the cars to the factory for a free replacement of the part.
With Meltdown this has not happened, perhaps because there is still no real awareness of consumer rights and perhaps because despite the clamor aroused by the news are still too few those who are able to understand the real dimension of the problem.
In any case, I repeat that Meltdown affects certain families of processors of different brands, regardless of the operating system installed on it!

The malfunction

To understand how it works Meltdown we need to know how an operating system works, at least in its essential lines.
First of all it is useful to say that the main task of an operating system is to provide a series of security services and guarantees so that the programs that run above it behave like the security designer wants.

The design approach to safety is particularly felt for military systems or, more generally, for systems that deal with information that has a high value.

One of the main characteristics of the Operating Systems consists in the ability to guarantee the "separation of memory" between different processes and users as each user or process must be able to access only the memory that is reserved for it.
The modern operating systems, so that they can be used, also in order to make the most of the features of new generation CPUs, have introduced some features that speed up certain operations, theoretically without reducing their security.

1. The first of these features is the ability to run multiple processes in parallel, or to perform different tasks or for different users or programs, giving them the impression that they are the only ones who have access to the full potential of the computer. To do this it is necessary to use special memory allocation techniques that go under the name of "virtual page memory".

2. To prevent users or processes from disturbing each other and causing damage by writing data in a memory space already used, perhaps by the Operating System, the concept of "protection domain" has been introduced. In practice, the Operating System assigns each user or process a level to which the possibility of using a certain memory area is associated. When a process tries to access an area of ​​memory for which it is not authorized, it is generally "terminated".

3. The third characteristic linked to the architecture of the new processors, normally equipped with several computing units, consists in the possibility of executing instructions or operations in parallel or, in certain cases, of executing the same instruction on different values ​​to speed up certain operations. These are features known as "instruction pipeline" and "speculative execution". This is the basis of the concept of "Out-of-order execution", ie the execution of program instructions that are not yet necessary but which will probably have to be executed.

4. Finally, to take advantage of the enormous calculation speed of modern processors, particular types of memory have been introduced, whose access in writing and reading occurs in much shorter times than the memory present in a normal hard disk. The presence of these memories called "caches", associated with the analysis of the most used data, allows the processor not to remain unemployed too often waiting for the necessary data that is on the hard disk to be provided.

Well, the question is simple. If it is true that the aforementioned characteristics were introduced to exploit the characteristics of the new processors, it is equally true that what has been done has significantly increased the complexity of the systems and consequently the possibility of introducing non-trivial vulnerabilities, and this is the case of Meltdown.
Now, we need to know that one of the users of the computer is the Operating System, it is considered "privileged user" and can perform particular operations, not granted to a generic user.

Meltdown it allows to overcome the concept of "separation of memory", allowing an unauthorized process or user to become aware of the data present in non-memory space exploiting a type of attack called "side channel attack", in particular a type of side channel attack called "chache side channel attack" which consists in deducting the contents of the cache by measuring the loading times of the data by another running process.

Meltdown manages to do this using to its advantage the features of the modern 64 bit processors seen above to achieve its goal or steal data from the memory area allocated to the operating system kernel processes.

Given the purpose of this article and the complexity of the argument it makes no sense to continue describing the details of operation of this type of attack, but rather to try to understand the security implications of this attack in relation to military information systems.
A first consideration must be made on the concept of verification and certification of the systems.
This is because, as I hope is now clear, almost all the processors in combination with the most used Operating Systems are subject to attack MeltdownThese include the Windows 7 client and the 2008 R2 64 bit server operating systems, which if you visit the site of the Common Criteria certified systems are certified for use in the classified systems of most of the nations of the world .

Is it possible that during the tests nobody noticed the insecure behavior of the systems?
Is it necessary to rethink how the Centers of Validation perform the tests, perhaps too focused on testing what was declared by the manufacturers, without investigating (much) beyond?
Yet there are clear indications of possible problems on processor architectures since the distant 1995, by the National Security Agency.

A second consideration concerns the possibility of applying security patches.
As soon as it became known of Meltdown, the leading software companies have tried to remedy software changes to the architectural hardware problems.
Among these the Microsoft who immediately released the patch, but with what result? The hacker news in an article a few days ago he published the study by independent researcher Ulf Frisk which showed how the patch only made the situation worse, allowing data theft now to be even faster than it was without applying the patch.
This is another point to consider carefully: the application of a patch, even if it is possible (and it is not always without recertifying the system!), Could be even more harmful than leaving things as they are.

So how should we deal with problems so deeply inherent in systems architecture?

What certainties, such as guarantees, can give us military systems that have potentially been the subject of attacks similar to Meltdown For years?

We know Meltdown publicly since July of the 2017 but we do not know if any organization knew and exploited previously this vulnerability, potentially inherent in the new generation processors starting from 2010. I do not have an answer, but only a suggestion: in today's world nothing is safer, perhaps because a person, even a trained person, can hardly manage the complexity of the systems.

In any case, since this is national security, perhaps it would be advisable to strengthen the structures involved in the analysis of information systems and vulnerabilities, also by making use of the universities, rather than trusting the declarations made by the companies producing hardware and software.

Can Artificial Intelligence help us ... or perhaps, more likely, complicate the problem further?

 
To learn more:

- https://meltdownattack.com/meltdown.pdf
- https://thehackernews.com/2018/03/microsofts-meltdown-vulnerability.html
- Introduction to INTEL processors: https://www.tomshw.it/differenze-i-processori-intel-75496
- Overview of ARM processors: https://www.ilsoftware.it/articoli.asp?tag=Differenza-tra-processori-ARM...
- Introduction to SPARC processors: http://www.pcpedia.it/Il-Processore/ultrasparc.html
- Overview of Raspberry processors: https://opensource.com/resources/raspberry-pi
- https://www.commoncriteriaportal.org

Events

Click on the days highlighted in red and find out what's in evidence.
Tales of military life
Send us your story
Tribute (due) to the 80th "Roma" infantry who takes leave with honor

Well, yes, we are now used to witnessing the closure of the barracks and perhaps even a little to burying the long history of the departments, a phenomenon which however does not erase the memories. It also touched...

Read the story
"Il Signor Parolini" (ninth part)

The baked chicken, as expected, had lived up to its reputation, consolidating, where needed, the undisputed culinary mastery of Gastone, chief ...

Read the story