Meltdown and Spectre: To patch or to concentrate on attack detection?
Patching to protect machines against Meltdown and Spectre attacks is going slowly, and in some instances the patches provided cause more problems than just slowdowns.
In fact, Intel has admitted that they have “received reports from a few customers of higher system reboots after applying firmware updates.”
“Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Navin Shenoy, general manager of Intel’s Data Center Group, confirmed.
“We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue.”
The statement came as a confirmation of The Wall Street Journal’s report that Intel is quietly advising customers to delay installing patches that address the flaws because they have bugs of their own.
End-users, on the other hand, were again told to “continue to apply updates recommended by their system and operating system providers.”
Attack detection and prevention
While organizations are evaluating which systems to patch and how soon, some security firms are coming up with initial, tentative solutions for detecting Meltdown and Spectre attacks.
Endgame and Capsule8 took a similar approach: they read specific CPU performance counters, use their output to spot deviations that point to an attack in progress, and force interrupts that trigger enforcement of security policies on high-sensitivity workloads.
As security researcher Kenneth White succinctly and helpfully explained:
Attackers: CPU, please beat the crap out of the cache and tell me how long it takes.
Defenders: CPU, please issue a hardware interrupt every 10,000 times someone beats the crap out of the cache, and notify the kernel.
CPU: 👍
— Kenn White (@kennwhite) January 11, 2018
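As an added illustration of the sampling approach described above (this is not Endgame's or Capsule8's code), the following Python sketch assumes a kernel hook that raises an interrupt every 10,000 last-level-cache misses and records how many instructions the interrupted process retired since its previous interrupt. A process that is mostly flushing and probing cache lines retires far fewer instructions per sample than ordinary workloads, and that deviation is what the detector flags; the sample records and the threshold factor are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

SAMPLE_PERIOD = 10_000  # LLC misses between interrupts, the figure quoted above

@dataclass(frozen=True)
class MissSample:
    """One record per interrupt (assumed hook output): the interrupted process and
    how many instructions it retired since its previous interrupt."""
    pid: int
    comm: str
    instructions: int

def misses_per_kinstr(sample):
    """Misses per thousand retired instructions; the miss count per window is
    fixed, so few instructions means a process doing little but thrashing cache."""
    return SAMPLE_PERIOD * 1000 / max(sample.instructions, 1)

def baseline_rate(benign):
    """Median miss rate of known-good workloads; the median tolerates outliers."""
    return median(misses_per_kinstr(s) for s in benign)

def flag_processes(samples, baseline, factor=20.0, min_consecutive=3):
    """Return {pid: comm} for processes with min_consecutive back-to-back samples
    above factor * baseline; requiring a run keeps one legitimate cache-heavy
    burst (a large buffer copy, say) from raising an alert."""
    threshold = factor * baseline
    streak, flagged = defaultdict(int), {}
    for s in samples:  # processed in interrupt order
        if misses_per_kinstr(s) > threshold:
            streak[s.pid] += 1
            if streak[s.pid] >= min_consecutive:
                flagged[s.pid] = s.comm
        else:
            streak[s.pid] = 0
    return flagged

# Constructed data: a web server retires millions of instructions per 10,000 misses,
# a cache-probing loop only tens of thousands; pid 101 also has one isolated burst.
BENIGN = [MissSample(101, "nginx", n) for n in (2_400_000, 3_100_000, 2_800_000, 3_600_000)]
OBSERVED = [
    MissSample(101, "nginx", 2_900_000),
    MissSample(202, "suspect", 45_000),
    MissSample(101, "nginx", 60_000),  # isolated burst; streak resets next sample
    MissSample(202, "suspect", 38_000),
    MissSample(101, "nginx", 3_200_000),
    MissSample(202, "suspect", 51_000),
    MissSample(101, "nginx", 2_700_000),
]
```

Running `flag_processes(OBSERVED, baseline_rate(BENIGN))` flags only pid 202; the single nginx burst is below the consecutive-sample requirement and is ignored.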
Endgame’s Cody Pierce made sure to note that this initial research and these solutions, while promising, are far from complete, and that this new class of vulnerability will continue to develop for several years.
But the Capsule8 team believes that, for many, detection (or detection AND vulnerability mitigation) can be the right way to go.
“None of the existing mitigations are complete mitigations to the problem,” they noted, and performance hits and disruption due to (buggy) updates could have a very detrimental effect on a service or organization.
“While it was inspirational to see cloud providers able to move so quickly, there is going to be a massively long tail on upgrades. Most organizations will never be able to upgrade their fleet that quickly. Their production environments often run old software on old OSs, where any upgrade comes with a tremendous amount of risk. It’s likely more cost effective to focus on detection and response strategies, rather than full mitigation, particularly when the probability of a practical attack is low for the environment,” they noted.
Check Point researchers concentrated on anomalies – in the flow of speculative and out-of-order execution, and in process behavior while secret data is being exfiltrated over a side channel – as relatively accurate indicators of an attack.