Spectre and Meltdown

Eric Altman
Sales Engineer at Vodia Networks

Spectre and Meltdown are bad news for the cloud business. If I understand this correctly, it is possible that one process can accidentally see the data of another process, even if that process is in another virtual machine. In the media there was talk about speculative execution, which we all remember from university; but here I really have a hard time figuring out how that could be a security hazard?! Anyway, it seems someone was able to leverage the different execution times somehow and use them to figure out things about other processes. What seems to be clear is that sharing CPU and memory resources across different and potentially hostile services can result in leaks.
In other words, if you are running a server, for example on the Amazon cloud, you have no idea who else is running services on that same physical CPU. Practically everybody with an Amazon account and a credit card could end up on the same server, running that special program that triggers lots of page faults and then, when the page is available, scans for useful content, like private X509 keys or bitcoins (which would redefine the term "mining"). That could be a real problem if your server is processing some really sensitive information like banking information or if that person stores a lot of bitcoins there. After theft of such information, you do not get an email about it (this might be the time to check if the bitcoins stored in your cloud bitcoin bank have been used already).
Of course, on your iPhone one app might be trying to cause the same effect by causing page faults or whatever exactly triggers the leak. Considering that many users have lost track of what is running on their smartphones, and the craze for free apps, this could be another way of mining valuable information; though I have problems imagining that people would really store bitcoins on their smartphones, and the value of a private key on a smartphone is not the same as on a server. My feeling is that the damage on clients is less than on the shared servers in the cloud.
Now, what does that all mean for running our Vodia PBX?
The PBX also stores sensitive information in memory. This includes X509 private keys, but also SRTP keys and of course the passwords for users. If that information leaks out, someone could listen to otherwise encrypted phone calls and could intercept the SIP and HTTP traffic. The damage would depend on who is talking: whether it is just Joe Doe or the President could make a huge difference. If you know passwords, you can make phone calls with those credentials. The damage could be in the thousands, considering that Cuba rates are still expensive and seem to be a part of how the country gets foreign currency.
I was always a big proponent of bare metal for hosting the PBX, mostly for performance reasons. Now we can add security as well. If there is no other service running on the same physical instance, no matter how big the damage is with Spectre and Meltdown, there will be no information leaking out unless you allow a hacker to run services on that machine. If that were the case, well, that hacker could just as well explicitly map the memory and read everything much more easily.
But also when running virtual machines, if you reserve dedicated CPU resources for the virtual machine that hosts the PBX, it should lower the risk (unless the exploit really uses memory). Again, this recommendation came from performance considerations, but it now might also come from security considerations.
My feeling is that on Linux machines, there are very few other programs running on the same host that could be from unknown sources. If you open SSH only for certain IP addresses and make sure that only the PBX opens other ports, this should pretty much close down the PBX from anything that has to come in through the network.
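
One way to check the "only the PBX opens other ports" condition on a Linux host, as an added example that is not part of the original post or Vodia's own tooling. The process name `pbx-daemon`, the allow-list and the sample socket lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list network-reachable listeners not owned by an allowed process.
# ALLOWED is an assumption; "pbx-daemon" is a placeholder for the real PBX binary.
ALLOWED="${ALLOWED:-sshd pbx-daemon}"

# Constructed sample in the column layout of `ss -H -tulnp` (not real output).
sample_ss_output() {
  cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 50 0.0.0.0:5061 0.0.0.0:* users:(("pbx-daemon",pid=1033,fd=14))
udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("pbx-daemon",pid=1033,fd=12))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
tcp LISTEN 0 5 [::]:5900 [::]:* users:(("freevnc",pid=2210,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
EOF
}

# Reads ss output on stdin; prints "proto port owner" for every unexpected socket.
unexpected_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 6 {
      port = $5; sub(/.*:/, "", port)
      host = substr($5, 1, length($5) - length(port) - 1)
      # Loopback-only sockets cannot be reached through the network.
      if (host ~ /^127\./ || host == "[::1]") next
      # Owner field looks like users:(("name",pid=N,fd=M)); absent without root.
      owner = "unknown"
      if (match($0, /users:\(\("[^"]+"/)) owner = substr($0, RSTART + 9, RLENGTH - 10)
      if (!(owner in ok)) print $1, port, owner
    }'
}

# On a live host: ss -H -tulnp | unexpected_listeners   (run as root to see owners)
sample_ss_output | unexpected_listeners
```

Any line this prints is a socket to either close or restrict at the firewall before the host is treated as dedicated to the PBX.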
From our experience looking at how our PBX is run in Windows, in the Windows server world there are a lot more services running there that I would consider a risk. In other words, if you install that free remote access tool on a Windows server, I would double check where that free tool comes from and how the company (if there is a company) makes money.
It seems that the compilers will be updated soon to insert additional code that will blur the execution times. That means after we have received those updated compilers, we can make new versions of the PBX that will reduce the risk that another hostile process will receive any useful information.
All in all, there is nothing better than running the PBX on bare metal, without any other service running on it. This way you get the best service, and you don't have to worry too much that someone else is looking.