By: Clayton Bonigut | Writer
January 17, 2018
Over the span of just the last few months, four independent research teams privately reported to Intel about the existence of “industry-breaking” vulnerabilities in their processors. It’s common practice for security researchers to keep these things hidden from the public: they’d rather see companies fix the issues they find than watch dishonest people exploit them.
However, these reports were slightly different than most— they concerned processor hardware rather than software, meaning that the fundamental problem could only be fixed by replacing all affected machines physically. As if this weren’t scary enough, the researchers were quickly able to figure out that exploits allowed by these vulnerabilities could be applied to nearly all modern processor architecture manufactured since around 1990.
The two vulnerabilities found, coined “Meltdown” and “Spectre”, allow processors to access pretty much any data they can interact with. Normally, there are a system of permissions and restrictions for processors so that they can’t access all data on the computer. Both of these exploits effectively skip those steps and allow the processor to interact with any data. The exploits work at such a low level inside of processors that the only real software updates companies could provide have terrible side-effects, most notably significant performance hits while running. Nearly all processor manufactures rushed to deploy fixes as fast as possible, forcing everyone to update their software.
The problem with this approach is that they didn’t really inform anyone about what happened. A few weeks ago, Amazon, owner of the largest web hosting service in the world, released its findings with its customers that their servers were hit with a range of performance impacts caused by these security updates. Amazon’s situation isn’t entirely resolved, but this is just an example of how far-reaching the two security exploits are, even though they’ve been “fixed” via software updates.
Technical Overview of Meltdown and Spectre
Modern processors use a technique called “speculative execution” to process instructions given by programs: they do what the program tells them to do first, but then they “make guesses” as to what they will have to do next. This has the potential to save a significant amount of time, since processors are often idle for longer than necessary during program execution.
Independent researchers that discovered Meltdown and Spectre thought to take advantage of this fact and try to “make guesses” in such a fashion that they would reveal important data from locations that the processor wasn’t supposed to be dealing with. Both vulnerabilities are pretty similar in that they take advantage of speculative execution, but Spectre is a lower-level exploit that’s both harder to take advantage of and more difficult to work around.
While the exploits do technically give access to more data, the way in which it can be accessed is both complicated and tedious to make useful— this is most likely the reason that it took researchers about 18 years to learn about the true potential of these vulnerabilities.
What can you do to stay safe?
Unfortunately, there are only really two options to protect your devices against both of these exploits. You could download the latest security updates for your software, which will likely employ fixes for Meltdown and Spectre at the expense of performance. Alternatively, an almost comical response from most of the tech giants tells you to simply “replace your hardware”.
The scariest thing about all of these discoveries is that the less honest hackers of the world might have known about them for a long amount of time before they became apparent to protective security researchers. For the majority of us, it’s probably a good thing that we didn’t hear about these problems until just a few weeks ago— it’s likely that no groups were able to take full advantage of the exploits before they were patched away.