Speculating about Speculative Execution

A couple of days ago there were rumours swirling about a proposed change to the way the Linux operating system handles memory. Today we had the first confirmation that there really is a problem: Intel issued a press release telling us that “software analysis methods … have the potential to improperly gather sensitive data from computing devices that are operating as designed”, though they haven’t released the full details yet. We will most likely see a full disclosure early next week.

In the meantime, we can have a go at speculating about what the issue might be. Intel has given us some cryptic hints: that the vulnerability is not unique to Intel products, and that it’s not really a flaw at all. Essentially they are telling us that the processor is working as designed, but that the design was flawed from a security perspective.

Let’s look at the other evidence. There are fixes in the works for Linux for both ARM and Intel CPUs, and Microsoft and Apple have also patched their systems with similar code. Both relate to something called KAISER, which stands for Kernel Address Isolation to have Side-channels Efficiently Removed, although this has now been renamed KPTI, or Kernel Page-Table Isolation. Essentially it relates to a paper written in early 2017 about how newly invented side-channel attacks can be used to defeat a common security defence used by operating systems called ASLR, or Address Space Layout Randomisation.

ASLR is a technique used to prevent memory corruption vulnerabilities (which are not particularly uncommon) from being used to fully exploit a device (for example through privilege escalation). Essentially it places important code at random locations within the memory space of the device so that an attacker cannot know in advance where it is.

Whilst ASLR certainly helps secure a system, it is well known to be a relatively weak protection. In fact, ASLR was only properly implemented in the Linux kernel in 2014. So why the big deal about attacks on something we already knew to be an ineffective security defence? And why the sudden rush to get it fixed, given we knew all this almost a year ago?

The reason is probably that another, more serious vulnerability was found which is in some ways related to the side channels used to get around ASLR. The vulnerability was probably found as a result of research produced by Anders Fogh (who has worked with Michael Schwarz and Daniel Gruss, the authors of the KAISER paper).

At this point in my writing I looked up Michael Schwarz on Twitter and found out he had just published details of the vulnerability, so I’m going to check if my speculation was right!

And of course the vulnerability (actually one of two) is called Spectre, so my speculation about speculation was right. And you can read about it here.