Spectre and Meltdown

Finjan TeamBlog, Cybersecurity

Finjan Spectre and Meltdown

2018 has just begun – and already we’ve seen the year’s first major cyber-security crisis. It concerns two vulnerabilities with the capacity to affect the majority of computers, smartphones, laptops, and tablets developed since 2011 – and it’s got individual citizens and businesses (including some of the world’s most heavyweight commercial organizations) scrambling to make sense of the issues, and avoid the potential damage.

The crisis in question concerns the Spectre and Meltdown vulnerabilities – which will be the focus of our discussion in this article.

What Are Spectre and Meltdown?

Spectre and Meltdown are security flaws in the central processing units (CPUs) of a wide range of computing devices. They can allow malicious software code to gain access to information on a device that should otherwise be inaccessible. They both take advantage of “speculative execution” – a performance optimization technique used by most modern processors.

In the architecture of modern (late 20th and early 21st-century) CPUs, there are places where information passes in an unencrypted form. These include the processor kernel (the software unit central to the architecture), and the system memory reserved exclusively for the operating system CPU. Under normal circumstances, this data is protected by powerful mechanisms which prevent it from being observed or interfered with by other processes and applications.

The Spectre and Meltdown exploits are able to bypass these protections, exposing nearly any information that the CPU processes – including passwords, intellectual property, sensitive records, proprietary information, or encrypted communications. Worse, this data can then be made available to malware – with potentially catastrophic consequences.

Meltdown operates by breaking through the barrier that’s meant to prevent applications from gaining access to arbitrary locations in kernel memory. Spectre takes a different approach, fooling applications into accidentally disclosing information that would normally be safely inaccessible inside their protected memory area.

Intel processors in particular are vulnerable to Meltdown – but Spectre is known to affect a much wider spectrum of processor chip-sets, including those manufactured by AMD and ARM.

Between them, the two vulnerabilities effectively expose weaknesses on all devices constructed within the last decade, adding file and web servers, virtually anything with an embedded processor chip (think smart IoT sensors and baby monitors), and the infrastructure underlying cloud services to the list of personal and corporate devices and systems.

What’s the Damage?

Security researchers have found vulnerabilities to Spectre and Meltdown in processor chips going back to 2011 – but the weakness could potentially be “backwards compatible” to CPUs from 1995. Since the exploits work at CPU architecture level, they’re also operating system independent – so it doesn’t matter whether you’re running Windows, Linux, Android, iOS, or OS X.

It’s being assumed that any untested device is vulnerable.

There’s potential too, for Meltdown in particular to spread like wildfire across cloud platforms, affecting vast numbers of inter-linked computers, users, and processes.

Actually “weaponizing” and deploying Spectre or Meltdown isn’t necessarily an easy task. Remote attackers face the difficulty of having to execute the code being run on the targeted machine itself – but given the cunning, resourcefulness, and resources available to modern cyber-criminals, its likely only a matter of time before more workable exploits are developed.

And the Cost?

It’s probably fair to say that huge amounts of money have already been spent in dealing with this problem – particularly when you consider that the Spectre and Meltdown issues have been known about for several months.

Choosing to ignore the standard courtesy protocol of “responsible disclosure” (where security investigators discovering a flaw habitually give manufacturers and developers a grace period to make a fix before releasing the news publicly), The Register broke the story early – effectively forcing the hand of several multi-billion dollar corporations.

Big names like Apple, Google, Microsoft, Intel, and Linux have been scrambling to produce effective patches and updates, ever since.

Remedies for Corporate Systems

Patches for all operating systems are currently being developed, with some already available for download and deployment by corporate users. Organizations with effective patch management systems in place may have resolved some of the issues through automated patching/updating.

As well as operating systems, firmware also requires updating to mitigate the effects of Spectre and Meltdown – so corporations are advised to contact their hardware vendors, to get the appropriate details and updates.

Once patched, system hardware will interact with the operating system in a different manner than previously – an effect which has the potential to set off false alarms or interfere with the workings of anti-virus software. So businesses are also advised to update their anti-virus and security software installations.

Consumer-Level Protection

Private users are advised to set their computer and mobile device operating systems to automatically update. Consumers should also check the websites of their device and hardware manufacturers for the latest firmware updates. For Windows users, there’s an online resource detailing the first steps to take in Spectre and Meltdown mitigation, and other platforms may soon follow suit.

Cloud Ecosystem Patches

Most of the big names in cloud (including Amazon, Microsoft, and Google) have already begun patching their systems. Anyone running cloud services on these platforms will however need to update the “guest” operating systems on any virtual machines that they’re operating.

Performance-Related Anxieties

Since the available fixes for Spectre and Meltdown require the use of more computational resources, there are fears that patching may lead to a deterioration in overall system performance. There are no definitive figures, but it’s been estimated that the Meltdown fix may reduce the performance of Intel chips by anywhere from 5% to as much as 30%. Performance hits on the Windows platform have also been noted.

Concerns still remain about the Spectrum vulnerability, which has its roots in a process that’s been hard-wired into CPUs pretty much since their inception. It’s likely that mitigation will come in dribs and drabs, as specific fixes for various software hacks are issued as they’re discovered.

Share this Post

Summary
Finjan Spectre and Meltdown
Article Name
Spectre and Meltdown | A Closer Look at a New 2018 Security Flaw
Description
2018 has just begun - and already we've seen the year's first major cyber-security crisis. It concerns two vulnerabilities with the capacity to affect the majority of computers, smartphones, laptops, and tablets developed since 2011. The crisis in question concerns the Spectre and Meltdown vulnerabilities.
Author
Publisher Name
Finjan
Publisher Logo