[German]What about test tools for Meltdown and Spectre mitigations under Windows at February 2018? Within this blog post I take a look at several test tools for Windows and introduce two more test tools from Germany.
Advertising
It is now a month since the Spectre and Meltdown attack methods became public. These vulnerabilities allow attacks to access information from the systems.
While Meltdown refers (mostly) to Intel CPUs, the Spectre 1 and Spectre 2 attack methods work with a wide range of CPUs from various manufacturers, including AMD, ARM, IBM, Intel, MIPS, etc. There are no known attacks so far, but it's a question of time, until we see the first malware using these attack methods (see my blog post Malware using Meltdown and Spectre attacks under develoment – Windows Defender quarantines PoC tools).
However, Microsoft and its partners have rolled out updates for Windows, BIOS and browsers. This raise the question: What about the tools for testing the system on mitigations for Spectre and Meltdown? Here is a short overview of what I know so far.
Test with PowerShell
Microsoft has provided a PowerShell extension for Windows that allows you to check whether actions need to be taken. In the blog post Meltdown and Spectre: What Windows users need to know, I've outlined a solution from Microsoft using PowerShell. Here is a command line output.
Advertising
But this solution is just for cracks – and I can't get the extension loaded on my Windows 7 SP1 platform. Something is missing in the PowerShell environment. The outputted values are also quite cryptic, although the PowerShell provides hints what to do in the results.
Side note: The PowerShell extension shows missing updates on all systems, that does not support the new "system information classes". Otherwise it shows the status of the mitigations.
The Ashampoo Spectre Meltdown CPU Checker
Manufacturer Ashampoo released the Spectre Meltdown CPU Checker at the beginning of January 2018. The tool can be run under Windows, and provides information on whether the system is vulnerable (see screenshot below).
I've introduced this tool within my blog post Tool tip: Ashampo Spectre Meltdown CPU-Checker. Many people commented within my German blog, that the tool isn't reliable, and it caused also issues (refused to run on several systems). A reader noted, that he got this messages:
After updating the Management Framework 5.1, he got the following message:
He wasn't able to run the checker, so in this case the tool is useless.
Test tool InSpectre
Then Gibson Research Corporation, founded by Steve Gibson, has launched the InSpectre tool. I introduced this tool within the blog post InSpectre: Test your machine against Meltdown/Spectre flaw. When the initial blog post was made, I had uploaded the tool to Virustotal and received a message from many virus scanners that it contained a Trojan horse. Although I assumed a false alarm, I warned against its use for the time being. Meanwhile, Steve Gibson has reworked the tool and Virustotal considers it safe.
The InSpectre tool is available for Windows for free download on this website. The program is only 160 KByte in size and does not need to be installed. If you only want to have the results displayed, you can run the tool without administrator rights (see above picture). I think it's great that you can disable protection against meltdown and spectre, if available, if the tool runs with administrator privileges.
And the Show System Summary command within the system menu (see the figure above) can now be used to display technical details.
SpecuCheck from Alex Inonescu
Alex Ionescu has created a small tool called SpecuCheck, that's available with source code at Github.
The screenshot above shows a result of such a test, which appears in the command prompt windows and is somewhat cryptic for my taste.
Meltdown-/Spectre check by Stefan Kanthak
A few days ago, German security specialist Stefan Kanthak (Microsoft enlists him in the Top 100 MSRC 2017 ) sent me a mail. Stefan had linked a tool for me, that he has developed and which runs with normal user privileges and performed a check. He wrote: 'the used functions of the Win32-API are available from NT 3.1 upward, i. e. the program can run on ALL versions of NT!'.
After discussing the first version of his program, Stefan modified it slightly, including some suggestions I pointed out. There are now two tools Meltdown and Spectre available for download. Here are the dialog boxes with test results.
The tools indicating whether a protection against meltdown and spectre has been found. The programs also provide detailed information on what flags are supported by the CPU in Speculation Control. This means for the normal user: At first glance he sees whether a protection against the attacks is installed. If he need more detailed information, he may take a look at the values for KVAShadowFlags and SpeculationControlFlags. The values 1 or 0 indicate whether the flag in question (in the status word returned by Windows) is set or not.
If you are interested in the flags or CPU options, you may want to check this Intel document or the source code of the tools mentioned below. Stefan wrote in a mail:
Alex Ionescus SpecuCheck. exe also runs without administrator rights, but it's bigger than my 4 KB or 6,5 KB small programs. Unfortunately, he uses the[MSV]CRT-function swprintf () instead of the Win32-function wsprintf () and thus the MSVCRT, which I avoid in all my programs or replace with my own NOMSVCRT (see).
Stefan Kanthak states that the two test programs linked above do not access the Win32 API, i. e. they don't have references to KERNEL32.DLL and USER32.DLL. He uses only the (undocumented) NT-API alias "native" API, whose NtQuerySystemInformation () is the sole source for the required information, and still don't need administrator privileges. Stefan Kanthak also offers the following:
If you want to rebuild it yourself as well, get the "makefile" (here), plus the two icons (meltdownattack.com icon, spectreattack.com icon) which he called MELTDOWN. ICO and SPECTRE.ICO. Put them in the same directory as GIMMICK.MAK. Then open the command prompt window of a Windows development environment (for example, the "Platform SDK") and executes NMAKE. exe /F GIMMICK.MAK.
Stefan provides also a program on this web page, which performs both tests on Meltdown and Spectre and displays the results in two separate dialog boxes. It uses the Win32 API and displays the appropriate icon in the dialog boxes. If you intend to build your own version of BTI_RDCL. EXE there is the file BTI_RDCL.MAK.
At this point I would like to thank Stefan Kanthak for the two tools and the additional explanations. Maybe the tools will help some admin or blog readers who want to get deeper into the topic.
All in all, however, the article shows that the whole situation is very confusing. We have almost a handful of tools, and some of them have a lot of fun. Regarding the updates for Meltdown and Spectre it doesn't look much better.
Similar articles
Design flaw in Intel CPUs set operating systems at risk
Meltdown and Spectre: What Windows users need to know
How to mitigate Spectre in Google Chrome
Tool tip: Ashampo Spectre Meltdown CPU-Checker
Test: Is my browser vulnerable for Spectre attacks?
InSpectre: Test your machine against Meltdown/Spectre flaw
Malware using Meltdown and Spectre attacks under develoment – Windows Defender quarantines PoC tools
Advertising
Pingback: Rogue Tech Talks: November, 2019 – Rogue Tech Talks <sup>©</sup>