Ian Pratt, Bromium Co-Founder, Discusses an Enterprise Response to Spectre and Meltdown [Video, Part 2]
- The Intel chip vulnerability triggered Spectre and Meltdown – information leakage vulnerabilities.
- Spectre and Meltdown require an attacker to run code on the target system.
- Micro-virtualization can really help mitigate the effects, even when dealing with kernel vulnerabilities.
We asked our founder, Ian Pratt, to talk to us about Spectre, Meltdown and what this means to the industry and to Bromium customers. He also wrote up these notes to accompany the video. This is part two of a three-part series (see part one and part three). We have a blog with information for Bromium customers – the most important thing is to make sure you get the Bromium upgrade before you patch Windows – and we’re here to help if you have additional questions.
Fans of virtualization-based security have little to worry about.
Suppose an attack intended to steal secrets from the OS kernel using Spectre or Meltdown was delivered as a payload in a Word document. If a user opened such a document on a Bromium machine, the document would open within a micro VM, and the attack would execute against the guest kernel. On a Bromium system, the guest kernel contains no real secrets — there’s none of the host’s password hashes or secret keys, so there’s nothing to steal.
Bromium protects against the key vectors which attackers are likely to use to try and get code execution on a system in order to be able to run an attack such as Spectre or Meltdown to steal secrets or otherwise try to escalate their privilege. However, we do have to worry about the situation where someone explicitly creates a custom exploit targeted at the Bromium hypervisor to try and access secrets on the host from the guest.
Fortunately, the CPU virtualization extensions provide strong isolation that fully defeats the ability of Meltdown to access host memory, regardless of whether the guest kernel is vulnerable.
The situation with Spectre is more nuanced.
As the CPU’s branch prediction logic is shared between guest and host, it would certainly be the case that someone would have to create a specially targeted exploit aimed at trying to read host memory using Spectre from inside a guest. The presence of the hypervisor provides a level of indirection which makes things more challenging.
We are working with Intel and AMD to add some mitigations to the Bromium hypervisor which would further close off this avenue of vulnerability, and which can additionally work in conjunction with new microcode for further protection. Since the difficulty of this attack is so high, we do not regard it as a critical Bromium update, and we expect the available mitigations to improve over the next few weeks as the security community works together.
Longer term, future Intel CPUs will avoid Meltdown altogether, and CPU prediction logic will be tagged to make Spectre indirect branch attacks much harder. The Spectre bounds check bypass will be something that OS and compiler vendors will likely always need to heed.
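To show why the bounds check bypass stays a software concern, here is an added example (not Bromium's code, and not from the video) of a bounds-checked array read next to a hardened version that uses branchless index masking, the approach behind the Linux kernel's `array_index_nospec`. The table contents and all function names are hypothetical, and the code assumes GCC or Clang.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8u
/* Constructed sample data standing in for any array indexed by untrusted input. */
static const uint8_t table[TABLE_LEN] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Bounds check only: architecturally safe, but the CPU may predict the
 * branch as taken and perform the load speculatively with an
 * out-of-range idx before the comparison resolves. */
uint8_t lookup_checked(uint64_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* All-ones when idx < size, zero otherwise, computed without a branch so
 * there is nothing to mispredict. Assumes size <= INT64_MAX and an
 * arithmetic right shift of negative values (true for GCC and Clang). */
uint64_t index_mask_nospec(uint64_t idx, uint64_t size)
{
    /* Empty asm (GCC/Clang extension) hides idx from the optimizer so the
     * mask is not folded away using the caller's bounds check. */
    __asm__ volatile("" : "+r"(idx));
    return (uint64_t)(~(int64_t)(idx | (size - 1u - idx)) >> 63);
}

/* Same check, but the index is clamped by data dependency: on a
 * mispredicted path the mask is zero and the load reads table[0]. */
uint8_t lookup_hardened(uint64_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in range:     %d\n", lookup_hardened(3));
    printf("out of range: %d\n", lookup_hardened(1000));
    return 0;
}
```

Both functions return identical results architecturally; the difference is only in what a speculatively executed load is able to address.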
The bottom line is that micro-virtualization helps with Spectre, Meltdown and much more.
Most importantly, micro-virtualization is a huge help with the far more common application bugs, OS bugs, and human behavior that are the bane of enterprise security teams on a regular basis. Read more about how Bromium protects you from malicious email attachments, phishing and malicious downloads that get through traditional security solutions.