Meet The Side-Channel Vulnerabilities: Meltdown and Spectre
If my doctor told me I had a side-channel vulnerability, I think I would immediately sit down. In a way, that reflects the mood of the whole IT industry after two side-channel chipset vulnerabilities were unveiled by Google’s “Project Zero” computing security team. These vulnerabilities take advantage of how modern processors are designed and operated, and there is no easy fix. Both operating systems and firmware (the BIOS) need to be updated across a huge number of devices, from servers, desktops and laptops down to smartphones. Because the security fix comes not from one software vendor but from multiple companies, it is not clear how efforts to resolve this widespread and complicated issue are going. We’ve seen ARM, AMD, Intel and Qualcomm working with the “box builders” that incorporate these chips into devices, and as I write, just this morning, Microsoft is blaming AMD for improperly documented chipset features, which is why computers with the latest security patches are not booting back into Windows.
What, exactly, is the discovered vulnerability? According to AMD, the vulnerability is associated with an attack on the “speculative execution functionality used by multiple chip companies’ products.” The security glitches potentially allow hackers to steal data currently being processed by the computer. According to Wired, the Meltdown vulnerability “allows malicious programs to gain access to higher-privileged parts of a computer’s memory,” and Spectre “steals data from the memory of other applications running on a machine.” Currently, the Meltdown vulnerability is limited to Intel, Apple and the latest ARM chips based on or using the ARM Cortex-A75 (right now this means just the Snapdragon 845). Most modern chips are vulnerable to Spectre attacks.
The Meltdown vulnerability may be exploited through a technology known as speculative execution, where a modern Intel chip guesses the next instruction. If the guessed instruction is correct, the chip gains a performance advantage; if the result is not used, it is discarded. Meltdown takes advantage of the fact that Intel chips do not securely separate different process threads, meaning a hacker can theoretically use one process to spy on others in the chip. Retrieving any information from a pre-processed instruction is complicated, because this information is only stored in the processor’s cache for a limited amount of time. A malicious application could determine whether requested data is in the cache or not and, if so, gain access. Ultimately, this means high-privilege memory is vulnerable, which in turn means sensitive information, passwords, and more could be stolen.
One potential issue with the fix is that it means tightening the flow of information around the processor and between applications. This could have a performance impact, and depending on where you look this might be as high as 30%. So far, this hasn’t happened, but it’s early days yet. Again, depending on where you look, most users won’t notice a difference in performance if there is one, other than those customers relying on high-performance processors, such as server managers and video editors. It remains to be seen how the Meltdown and Spectre fixes affect performance going forward, but as websites are claiming that older-generation Intel chipsets stand to lose the most performance, it could force these customers to upgrade their machines early.
What does this mean for Android customers? Many of our devices are vulnerable to Spectre, and it will take a software update to shore up the weakness. Customers using the Google Nexus 5X, Google Nexus 6P, or a later smartphone already have the vulnerability covered. Customers with other devices will need to wait for their manufacturer to release the security patch. As for Chromebook users, most Chromebooks are not patched yet but will be very shortly.
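Because the fixes arrive from several vendors, it helps to ask the machine itself what has been applied. The script below is an added example, not part of the original article: it reads the status files that patched Linux kernels publish under /sys/devices/system/cpu/vulnerabilities and reports whether Meltdown and the two original Spectre variants are mitigated. The function names are my own, and the optional directory argument exists only so the check can be pointed at a copy of those files.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Standard Linux sysfs location; kernels that predate the fixes lack it.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT
# Maps the first line of a status file to one keyword.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR]
# Prints "name state detail" for each issue.
# Returns 0 if every issue is mitigated or not applicable,
#         1 if any issue is vulnerable or unreported,
#         2 if the directory is absent (unpatched kernel or not Linux).
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no report at $dir: kernel predates the fixes or is not Linux" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            detail=$(head -n 1 "$dir/$name")
        else
            detail="(file missing)"
        fi
        state=$(classify_status "$detail")
        printf '%-11s %-12s %s\n' "$name" "$state" "$detail"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run `check_cpu_vulns` with no argument to read the live system; an exit status of 2 means the kernel publishes no report at all, which on Linux indicates it has not received the updates.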