How Meltdown & Spectre Impacts AWS Users

meltdown spectre

As you have undoubtedly heard, Google Project Zero (and other collaborators) released information about two vulnerabilities in modern processors: Meltdown and Spectre. This article is a brief overview of these bugs, the security risks in the cloud as we understand them, and the next steps.

Disclaimer: This is a simplified take on these very complex bugs, and isn’t intended to be a complete analysis. The academic papers on the bugs are available here.

What is Meltdown and Spectre?

These are two vulnerabilities in modern processors. Meltdown impacts Intel CPUs since the Pentium II, and Spectre impacts those Intel chips, plus AMD and ARM chips. The bugs enable an attacker to bypass memory protection, allowing access to memory that shouldn’t be accessible to the attacker. In both cases, the bugs are caused by CPU optimizations that have unintended side-effects.

What’s the Difference Between Meltdown and Spectre?

Meltdown uses a flaw in out-of-order execution optimizations in Intel CPUs to enable access to all kernel-mapped memory from a user-space process. In most cases, *all* physical memory is mapped into kernel space, and as such, Meltdown effectively allows any user-space process to access all of the physical memory on the machine.

Spectre uses a side-channel and timing attacks in predictive branching and speculative execution that allow an attacker to trick a process into accessing arbitrary memory locations, and revealing such data to an attacker.

How Does this Impact AWS Users?

While we know from the various announcements that Meltdown can escape virtual machine sandboxes in certain circumstances (particularly, in Xen paravirtual environments), AWS immediately patched their entire EC2 fleet against the hypervisor vulnerabilities.

Given this, the virtual machine sandbox is secure. Regardless of any OS-patches, other instances on the same physical hardware as your instances cannot access any data inside your instances, and the isolation between virtual machines remains completely intact.

The remaining exposure for Meltdown is primarily in the form of local exploits inside the virtual machine. While this is important, it is not as significant as the virtual machine sandbox escape, or as a remote exploit. Assuming that all of the applications running on the instance are trusted, then there’s less immediate concern. That said, Meltdown is fixed with a recent kernel update which enables KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed), which patches even the local exploit path.

Spectre is an entirely new class of vulnerability. We expect to see more patches in the coming weeks or months as more is learned about the attack vectors enabled by Spectre. For now, the primary focus is on software that executes untrusted code and sandboxed code (notably: web browsers).

What’s Next: AWS Meltdown & Spectre Patches

Onica’s team of security experts can help you apply emergency patches for Meltdown. We’ve worked with numerous companies in highly regulated markets, including medical and financial industries. We’ll identify security risks and take steps to ensure compliance across multiple mandates.

Contact us for a comprehensive security assessment to uncover vulnerabilities and security threats in your AWS environment. 

Hidden layer

Share on linkedin
Share on twitter
Share on facebook
Share on email

Onica Insights

Stay up to date with the latest perspectives, tips, and news directly to your inbox.

Explore More Cloud Insights from Onica

Blogs

The latest perspectives on navigating an ever-changing cloud landscape

Case Studies

Explore how our customers are driving cloud innovation in their industries

Videos

Watch an on-demand library of cloud tutorials, tips and tricks

Publications

Learn how to succeed in the cloud with deep-dives into pressing cloud topics

Subscribe to Onica Insights