I don't deeply understand Meltdown and Spectre -- all I know is that they are basically keylogging-like vulnerabilities within the CPU, which bypass any application layer stuff; correct me if I'm wrong.

I want to know the following:

  1. Why is application sandboxing ineffective against Meltdown and Spectre? In other words, (based on my understanding above) why is the application layer bypassed?

  2. Let's say the Meltdown and Spectre vulnerabilities are used by some malware and the malware sends keylogged information to a remote host. If I have a firewall, such as Iptables, and I restrict outgoing traffic, will that be enough to prevent the malware author from stealing information?

    In other words, will a firewall be able to prevent the 2 vulnerabilities from passing information to a remote destination?

izb3st
    Plot twist: The firewall has an Intel CPU – David Apr 02 '18 at 08:17
  • After reading that post, I understand now that no applications can really save you from this vulnerability; however, if a malware author wanted to send stolen data (via these vulnerabilities) remotely, they would have to go through the firewall because stealing the information is something and sending it remotely is something else, correct? – izb3st Apr 02 '18 at 08:20

1 Answer


Meltdown and Spectre are hardware vulnerabilities. They actually reside in your processor and are interested in sensitive information.

Meltdown is specific to Intel processors.

Spectre is for processors other than Intel (not Intel).

  1. Meltdown bypasses the 'protection mode' that is present when you want to access sensitive data that is stored in your processor. The attack imitates the role of a normal user that is accessing the data. The reason a sandbox is useless is that the operating system thinks it is a normal user, not an attacker.
  2. It could be possible that a firewall will detect the malware. This will require software patches (updating your Operating System version).

In conclusion

Most computer providers have released software patches to overcome these issues. Since these are hardware related, it means that the hardware is what needs to be improved. Software can help, but not fully.

UPDATE

Built-in firewalls are updated along with the Operating System (OS). Since firewalls are human-programmed, they need to know how malware activity behaves. So, if the most recent version of the OS is running on your device, the likelihood that your firewall will know that this malware is carrying out Meltdown or Spectre 'activity' is high. This is because they are now aware of how these vulnerabilities will act.

As for outgoing traffic, and in terms of iptables, it is unlikely that you know which IP address is trying to access your data.

I would also like to emphasise, again: Software can help, but not fully.

Hope it is clear now.

End of UPDATE

References:

Kocher, Paul, et al. "Spectre Attacks: Exploiting Speculative Execution." arXiv preprint arXiv:1801.01203 (2018).

Meltdown and Spectre. (2018). Meltdownattack.com. Retrieved 1 April 2018, from https://meltdownattack.com/#faq-fix

Kosovic
  • Can you explain _"It could be possible that firewall will detect the malware. This will require software patches (updating your Operating System version)."_ – multithr3at3d Apr 02 '18 at 02:13
  • 1. By 'application sandboxing', I mean, for example, Firejail for Linux. So your answer that the "reason sandbox is useless is because the operating system thinks it is a normal user not an attacker" didn't really answer my question. 2. I have the same request as multithr3at3d above. – izb3st Apr 02 '18 at 07:59
  • Please check the answer for the update. – Kosovic Apr 02 '18 at 10:34
  • @izb3st Please be aware that Firejail is a cure worse than the disease. It makes privesc rather trivial. – forest Apr 02 '18 at 10:58
  • I think you are confusing firewalls with other antimalware solutions. Also your claim that Spectre does not affect Intel is horribly wrong. – Ben Voigt Apr 02 '18 at 14:44
  • @BenVoigt I have referenced my 'claim'. You might want to attempt giving a 'right' answer then. – Kosovic Apr 02 '18 at 15:15
  • @forest I am unaware of Firejail being worse than the disease. Can you point me to where I can read about this more? What do you recommend, then, for sandboxing? – izb3st Apr 03 '18 at 10:35
  • @izb3st Well the issue is that it is setuid yet handles such a privilege poorly. There was a thread on oss-sec where some guy found bug after bug after bug, then just gave up (even though there were more security bugs) because there were just too many. I would recommend AppArmor for sandboxing. – forest Apr 03 '18 at 11:05
  • @forest If you used AppArmor in conjunction with Firejail, would that be any better? Or is there no need? – izb3st Apr 03 '18 at 12:15
  • There is really no need. Firejail makes it easy for any program to get root due to its bugginess. AppArmor simply isolates individual applications (at least the ones with a policy set) so they can only access files they are supposed to access, so e.g. your browser can access its configuration directory and program files, but not your music files or passwords. Also, looks like [this](http://seclists.org/oss-sec/2017/q1/20) is the seclists thread I mentioned. He just kept dropping 0day after 0day and left with "there is still much low hanging fruit." – forest Apr 03 '18 at 12:18
  • Sorry to interrupt. Thought this might be useful. Virtualisation could be useful in terms of isolation, check this: https://linuxcontainers.org/ – Kosovic Apr 03 '18 at 12:57
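Added example, not code from the thread or from either participant: the iptables egress allowlist the question asks about, generated as reviewable text rather than applied, next to a check of the Linux kernel's mitigation report in /sys/devices/system/cpu/vulnerabilities (the "software patches" the answer refers to). The resolver and destination addresses and the sysfs values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables egress allowlist emitted
# as text for review, plus a reader for the kernel's mitigation-status files.

# Print the commands for a default-deny OUTPUT chain. The firewall can
# only limit *where* traffic goes; it cannot tell Meltdown/Spectre
# "activity" from any other process talking to an allowed destination.
egress_rules() {
    resolver="$1"; shift                # DNS server this host may query
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT"
    for dst in "$@"; do                 # remaining args: host:port pairs
        echo "iptables -A OUTPUT -p tcp -d ${dst%:*} --dport ${dst##*:} -j ACCEPT"
    done
    # Log the drops: the only "detection" an egress filter really offers.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'EGRESS-DROP: '"
}

# Print "<name> ok|UNMITIGATED" per file in DIR (the sysfs directory, or a
# constructed copy). The kernel writes "Not affected", "Mitigation: ..."
# or "Vulnerable..." into each file.
mitigation_status() {
    for f in "$1"/*; do
        case "$(cat "$f")" in
            Vulnerable*) echo "$(basename "$f") UNMITIGATED" ;;
            *)           echo "$(basename "$f") ok" ;;
        esac
    done
}

# Number of entries still reported vulnerable; what a compliance check alerts on.
unmitigated_count() {
    mitigation_status "$1" | grep -c UNMITIGATED || true
}

# Constructed sysfs snapshot for an offline run (values follow the kernel's format).
make_sample_sysfs() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: addresses below are placeholders, not real hosts.
egress_rules 192.0.2.53 203.0.113.10:443
sample=$(make_sample_sysfs); mitigation_status "$sample"; rm -r "$sample"
```

The allowlist constrains traffic by destination only: it has no notion of which process or which CPU flaw produced the packets, which is the caveat behind the question's second point.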