With recently identified major flaws in modern CPUs, all major software and (CPU) hardware companies rushed to provide as quick solutions as possible to their systems. For more detailed information checkout this site and for a programmer’s view or to test on a linux system try this.
Since the computer OS (Operating System) kernel space is highly protected (as well as any other process space) and isolated from other processes interference, any breakdown in this will lead to major issues. Quote from the (Meltdown) paper – “The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation”
And paper also provides the details on the scope of the issue which affects all modern computers/ phones!! Quote – “On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer”
(PS: Bold highlighting added my me)
Reading through the paper and looking at the example code snippet below took me back to the days when I did some assembly level programming on Intel 8086 series. It was fun, challenging and interesting.
1 ; rcx = kernel address
2 ; rbx = probe array
4 mov al, byte [rcx]
5 shl rax, 0xc
6 jz retry
7 mov rbx, qword [rbx + rax]
Anyway, since I had also read other articles where they mentioned that the patches would reduce the performance by almost 30% wanted to check little bit more on this. Apple patches can be found here. Downloaded the corresponding security patch and ran the following Geekbench benchmarks before and after applying the patch.
Though there was some performance degradation it wasn’t much nor very conclusive (depending on the type of benchmark). Some details in the Meltdown paper provides how the countermeasure solution might have been implemented by Apple in it’s solution. Quote on page 14 – “Meltdown is some form of race condition between the fetch of a memory address and the corresponding permission check for this address. Serializing the permission check and the register fetch can prevent Meltdown, as the memory address is never fetched if the permission check fails. However, this involves a significant overhead to every memory fetch, as the memory fetch has to stall until the permission check is completed.” (Solution 1 that may slowdown the perf.)
“A more realistic solution would be to introduce a hard split of user space and kernel space. This could be enabled optionally by modern kernels using a new hardsplit bit in a CPU control register, e.g., CR4. If the hardsplit bit is set, the kernel has to reside in the upper half of the address space, and the user space has to reside in the lower half of the address space. With this hard split, a memory fetch can immediately identify whether such a fetch of the destination would violate a security boundary, as the privilege level can be directly derived from the virtual address without any further lookups. We expect the performance impacts of such a solution to be minimal. ” (Solution 2, no substantial perf. hit. So, Apple patch may have taken this route.)
With Compute-Benchmark I got the following scores.
Scores before applying the patch:
Score after applying the patch:
Similarly for CPU benchmark (Single-Core Performance). Scores before applying the patch:
After patch applied:
Knowing the criticality of this flaw, I applied iOS patch to my iPhone and to family’s phones and systems or asked them to do so immediately. These flaws and patches have gotten well deserved coverage including articles in NY Times , Washington Post, The Verge, etc. Wired.com put out an excellent article.
Sobering insights from the paper. Quote – “As hardware is not as easy to patch, there is a need for software workarounds until new hardware can be deployed.” and “Without requiring any software vulnerability and independent of the operating system, Meltdown enables an adversary to read sensitive data of other processes or virtual machines in the cloud with up to 503 KB/s, affecting millions of devices”