Helping to Define Spectre and Meltdown
Computer Security Risk
In the past few weeks, you may have heard rumors about new risks to computer security. Intel is at the heart of much of the risk, but other chip manufacturers and almost all of the major corporations at the heart of the internet are affected.
You may have also heard the names Meltdown and Spectre thrown around. And you may also have heard that the bug was discovered months ago before being leaked in early January. So what exactly is going on? How do you define Spectre?
Meltdown and Spectre
Well, Meltdown and Spectre are the codenames for two types of computer vulnerabilities. They were discovered and reported independently by computer security experts from across the world starting in the summer of 2017.
Meltdown works by acting as a normal application and then breaking into system memory that would normally be protected. It’s called Meltdown because it “melts” traditional security boundaries.
To define Spectre is slightly more difficult. It highjacks other applications to get access to system memory in a similar move to Meltdown. Spectre is a hardware-level issue and affects processors across the board.
Jann Horn of Google Project Zero was one of the individuals who discovered both, and apparently discovered them first. His June 1st email to Intel, AMD, and ARM – the largest chip manufacturers in the world – explained Spectre and suggested that steps would need to be taken.
They’re named at least partly after the doomsday schemes in the recent bond movies Casino Royale and Spectre. Major computer processor manufactures like Intel, AMD, and ARM have known about the vulnerabilities for months. The name helps define Spectre and Meltdown.
They were kept quiet to give manufacturers and tech companies a head start on solving them. Before hackers or other criminals could try to exploit them, they were hoping for a fix.
And they have it, sort of.
At the time Horn wrote his email, not even other parts of Google knew. It’s standard procedure for affected companies to get a heads up about discovered vulnerabilities. The idea is to give the company time to respond and fix the problem before it becomes public. Once public, it can be exploited. Before they define Spectre or Meltdown for the public, they want a fix.
There’s definitely a tension between the need for public disclosure and the need to give companies a head start on criminals. Often, the standard is a 90-day window before public disclosure.
But with Spectre and Meltdown, the 90-days heads up turned into seven months. Dozens more companies became involved, including Microsoft, Apple, and Amazon. Patches were slowly deployed over that time, piece by piece. Eventually, people familiar with computer security began to notice.
The problem stems from something called speculative execution. Basically, chips are built with the ability to guess at the work they might need to do later and then do some of it in advance. This makes them considerable more efficient.
It works just like meal prepping. If you meal prep for the week, you’ve saved yourself time, effort, and energy. Better yet, you used up some of your otherwise down time to free up time you might need later.
Essentially, for these security flaws (Spectre involves two different types of attacks) this speculative execution is used improperly. Basically, by getting access to one program (or one part of a computer, or server), a hacker can get access to other programs on the same computer or server. Spectre involves the hardware which can define Spectre as opposed to Meltdown.
What kind of information? Passwords and personal information. Credit cards. A lot more.
So how does each of these vulnerabilities work?
How It Works
Generally, programs are not allowed to “read” data from other programs. Your calculator app can’t read passwords stored in your browser or your photos, messages, documents, and so on. In additional to working on personal computers and mobile devices, these vulnerabilities can work on the cloud. This is particularly concerning.
If someone were to rent perfectly legitimate server space on the cloud, they might be able to use these vulnerabilities to access the information of all other users on the same cloud server, and it would be exceedingly difficult to tell they were doing it.
They do this by getting into the so called kernel memory.
Basically, kernels are invisible processes inside your computer that perform important tasks necessary for your computer’s function. They’re able to do this by talking directly to the hardware and by having complete access to your operating system. Basically, they can see anything in your computer. Hackers abilities to access this way define Spectre.
Concerns About The Solution
One of the problems with any solution, at least for Spectre, is that the issue is a fundamental vulnerability in the way CPUs are built. A problem in the very hardware is not an easy one to fix, and may take years.
Many of the solutions that are being rolled out in the form of updates come with their own problems. Namely, they slow down your device. For most users with consumer grade products, this may not be significant. It could be a drop of 4-10% that wouldn’t drastically effect your ability to use your device as you do now.
The bigger concern is for cloud-based systems that are heavily dependent on speculative execution. Estimates have ranged widely, but it’s clear that there will be slowdowns across the board as a result of these patches. Some of them could be significant.
That being said, processor performance has been decreasing anywhere from 5% to 30% depending on a variety of factors.
Are You Affected?
It’s hard to say, but you almost definitely could be. Computer experts don’t know if it’s been exploited. It doesn’t leave any traces in traditional log files and it doesn’t function like normal malware.
It’s best to go with the updates. It could be years before new chips go to market that have the flaw worked out, so the best bet for the time being is software patches.
A class action lawsuit was filed against in the U.S. district court in San Jose last week. The lawsuit was filed by Anthony Bartling and Jacqueline Olson alleging Apple should have told people sooner.
The lawsuit also argues that the fixes will be inadequate and cause slowdowns. A group of Israelis have also filed a request for a similar lawsuit against Apple, Intel, and ARM.
It’s bad news for the already legally embattled Apple. Apple is currently fending off at least 45 lawsuits across multiple countries for its battery manipulations.
So What Should You Do?
Keep your software up to date and wait. It’s not the most comforting advice, but it’s the most real advice. Apple, Google, and Microsoft have all released updates and explanations to help users of their products, both software and hardware, stay protected. As these companies continue to work to define Spectre and Meltdown, patches will get better.
The most vulnerable groups will be those that don’t update. The links provided will take you to their sites so you can stay up to date and protect yourself. Chrome offers a technical fix called site isolation that be helpful as well.
Again, the best option is to make sure you stay up-to-date on the latest security patches as the major players in the industry work to close as much of the vulnerability as they can.
Take a look at our other articles for more technology news!
- Will Fusion Energy Power The Future? - February 16, 2018
- Immersive Experience Technology: The Future of VR? - February 14, 2018
- Why Is Everyone Talking About the Fermi Paradox? - February 9, 2018
- Could A Space Elevator Be Coming Soon? - February 7, 2018
- What is Emergence? Ask the Ants - February 2, 2018
- The Modern Day Supercomputer - January 31, 2018
- Quantum Entanglement: Emerging Tech - January 26, 2018
- Extreme Weather: Bomb Cyclone - January 19, 2018
- Helping to Define Spectre and Meltdown - January 18, 2018
- The SpaceX Launch - January 15, 2018