Anti-Malware Research Whitepapers

Yet Another Meltdown – A Microarchitectural Fill Buffer Data Sampling Vulnerability (CVE-2018-12130)

Advanced Test Reactor, Argonne National Laboratory via the Wikimedia Commons

More than one year ago, security researchers at Google Project Zero have disclosed a series of hardware vulnerabilities affecting Intel® x86 microprocessors. Leveraging a feature of modern processors called speculative execution, as well as timing responses, this family of flaws in hardware defeats the architectural safeguards of the processor and allows unprivileged user-mode applications to steal kernel-mode memory information processed on the affected computer.

Bitdefender Senior Researchers Dan Horea LUȚAȘ and Andrei Vlad LUȚAȘ, who spearhead the company’s threat research efforts as part of the Exploit Detection and Mitigation technologies for Bitdefender, and Hypervisor Introspection and Memory Protection program, respectively, have uncovered in August 2018 a new vulnerability that shares similarities with Meltdown.

This new vulnerability found by Bitdefender can be used by determined hackers to leak privileged data from an area of the memory that hardware safeguards deem off-limits. This flaw can be weaponized in highly targeted attacks that would normally require either system-wide privileges or deep subversion of the operating system to achieve similar results.

Of particular importance is the impact of this vulnerability on cloud service providers and multi-tenant environments, where virtualized instances sharing the same hardware can be used to read sensitive data belonging to other customers.

The proof of concept code shared privately with the vendor at the time of discovery has proven effective on several Intel® CPU microarchitectures. A technical demonstration of the vulnerability is described in a whitepaper available for download below

Read more about the vulnerability on the Intel Security Center.

We will update this post as more related work is currently documented.

About the author

Avatar

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Avatar

Dan Horea LUȚAȘ

Senior Research Lead, GEMMA (Generic Exploit Mitigations for Mainstream Applications)

In 14+ years of experience in Information Security (all with Bitdefender), Dan tried to grasp many aspects of this complex topic – technical (operating systems internals, networking, hypervisor technologies), non-technical (auditing of information systems, security management), defensive (malware analysis, development of advanced detection and prevention technologies) and offensive (penetration testing, vulnerability analysis) – in order to have a holistic view of the domain. He obtained several InfoSec certifications (CISSP, CEH, CISA, OSCP, OSCE). Since 2016 he holds a PhD from Technical University of Cluj-Napoca (TUCN). His current role with Bitdefender involves developing dynamic exploit detection techniques which are incorporated in all Bitdefender products. He teaches Information Systems Auditing and Incident Response & Forensics courses at a Master program in TUCN. He is the author / co-author of 5 scientific papers and 5 US patents regarding low-level hypervisor security.

About the author

Avatar

Andrei Vlad LUȚAȘ

Senior Team Lead, Hypervisor Introspection and Memory Protection Program
Andrei joined Bitdefender in October 2008, as a junior virus researcher; Initial responsibilities included reverse engineering of malicious samples, adding signatures for malicious files, developing disinfection routines and developing code-similarity methods and systems. He joined the R&D team in November 2011, as an Introspection Research Lead, and started developing today's cutting edge Hypervisor Memory Introspection engine. During his work on this project, he was involved in the writing of several academic papers, he spoke at several industry-leading conferences such as CERT-RO, USENIX, IDF or ISecCon, he demoed the HVMI solution at events such as Citrix Synergy or VMworld, and he worked at more than 10 patent applications. Currently, Andrei is a PhD student at the Technical University of Cluj-Napoca, and he leads the team responsible for the developing of the HVI solution, which grew from 3 people 5 years to ago to almost 20 today. His main interests are everything low-level related, such as reverse-engineering, hypervisor and hardware based security, side-channels, and security-oriented ISA extensions.

Add Comment

Click here to post a comment