Meltdown: Reading Kernel Memory from User Space

Link: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf

Summary:

Modern computer systems depend on kernel memory being inaccessible from user space. This paper, written by a multitude of authors and teams, turns that assumption on its head by showing that their attack, Meltdown, can exploit side effects of out-of-order execution in order to read private data. The prevalence of out-of-order execution in modern processors makes the paper even more relevant, given that the vulnerability exists in almost every computer in the world. Thankfully, the paper also explores mitigation techniques that were developed for other reasons, such as the KAISER defense, which inadvertently defends against these types of exploits to some degree.
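Since the summary points to KAISER (shipped in Linux as KPTI) as the mitigation that happens to cover Meltdown, the practical follow-up for a defender is checking whether a given Linux host actually reports it. The script below is an added example and is not code from the paper or its authors: it reads the kernel's own status file, /sys/devices/system/cpu/vulnerabilities/meltdown (a real interface present since Linux 4.15), and classifies the text it finds. The function names and the return-code convention are my own; the sample strings used in the usage are constructed from the values the kernel actually emits.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's own Meltdown status report.
# Since Linux 4.15 the kernel exposes a one-line file whose contents are one of
#   "Not affected", "Mitigation: PTI" (KAISER/KPTI page-table isolation) or
#   "Vulnerable".
# classify_meltdown_status takes that text as an argument so it can be exercised
# with constructed input; check_host reads the real file when run on a host.

MELTDOWN_SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown

# Map the kernel's report string to a short verdict token.
classify_meltdown_status() {
    case "$1" in
        "Not affected"*)    echo "not-affected" ;;
        "Mitigation: PTI"*) echo "mitigated-kpti" ;;
        "Mitigation:"*)     echo "mitigated-other" ;;
        "Vulnerable"*)      echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Print the kernel's report, or nothing if the file is absent (kernels older
# than 4.15 predate the vulnerabilities interface entirely).
read_meltdown_status() {
    if [ -r "$MELTDOWN_SYSFS" ]; then
        cat "$MELTDOWN_SYSFS"
    fi
}

# Exit 0 when the host is not affected or mitigated, 1 when the kernel says it
# is vulnerable, 2 when the kernel is too old to say anything at all.
check_host() {
    status=$(read_meltdown_status)
    if [ -z "$status" ]; then
        echo "no sysfs report: kernel predates the vulnerabilities interface; treat as unmitigated"
        return 2
    fi
    verdict=$(classify_meltdown_status "$status")
    echo "kernel reports '$status' -> $verdict"
    case "$verdict" in
        not-affected|mitigated-*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Run the host check only when invoked as: sh check_meltdown.sh --check
case "${1:-}" in
    --check) check_host ;;
esac
```

The distinction between "mitigated-kpti" and "mitigated-other" matters for fleet inventories: a host reporting a mitigation string other than PTI is still mitigated, but by a mechanism the reviewed paper does not discuss, so it deserves a closer look rather than a blanket pass.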

What I liked:

  1. The paper details Meltdown, which is a vulnerability that doesn't go after a vulnerability in software

  2. The paper looks into mitigation techniques such as the KAISER defense mechanism for KASLR

  3. The paper presents a really interesting end-to-end attack which looks at the different facets of how an attack would really happen out in the wild.

  4. The paper not only goes into a raw attack but also talks about ways they can optimize the attack

  5. The explanation of why KAISER defends against aspects of Meltdown was a very interesting addition


What I didn't like:

  1. This attack is very specific to out-of-order execution programs, which is starting to become a common vulnerability as we saw in the last paper

  2. This attack doesn't work on all Windows machines, only a subset of them

  3. The mitigation techniques aren't novel, i.e., we've already deployed them for a different reason

  4. The paper doesn't explain at all why this attack doesn't attack iOS. Does it have to do with the fact that Apple builds their chips differently?

  5. When it comes to asking questions, there are a lot of people and teams who worked on this paper, so it might be a challenge finding the right person to get in contact with


Points for Discussion:

  1. How did the discovery of KASLR differ from the discovery of Meltdown?

  2. Why is out-of-order execution prevalent in modern cores from an architecture level, as opposed to older cores?

  3. What have virtual environments done in the aftermath of the Meltdown disclosures in order to secure their services?

  4. Why is there a difference in the vulnerability when it is run on Linux as opposed to Windows?

  5. Have there been any documented Meltdown attacks on Android?


New Ideas:

  1. Compare the architecture of Apple chips to Intel ones, specifically in the context of attacks such as KASLR and Meltdown. Why didn't Apple fall into the same pitfall as Intel?

  2. Is there an alternative way to segment enclave memory to prevent these attacks?

  3. Map other CPUs that might share similar designs and see if they fall into similar attacks

  4. Study the prevalence of Meltdown attacks on Android and compare to systems that had timely patches

  5. Is there a way to attack the supervisor bit on the processor to get access to restricted areas?