So what's the deal with Meltdown and Spectre?

Written by Chay Donohoe on 09/01/2018

"So, what's the deal with Meltdown and Spectre?"

Excellent question. Let’s find out.

Unless you've been living under a rock, the chances are that you've read about Meltdown and its evil twin, Spectre. Most mainstream news sources don't really go into much detail, just that the consequences are far-reaching and that everyone should be worried. In this blog I hope to give a brief summary of what these issues are and what you can do about them.

In much the same way that concrete walls separate a block of flats into separate residences, a computer separates its memory into private areas for each process that is running on the system. A process could be a program (such as a web browser) or a service (such as the component that handles user logins on the system).

Similar to how one neighbour couldn't normally enter another person's flat without the right keys, one process is normally unable to read from, or write to, another process's memory. This all becomes an issue when a vulnerability such as Meltdown appears, which enables a malicious process to read memory belonging to another (especially when one process is vulnerable in itself). Say there was an insecure web browser on the system: this could be exploited to execute arbitrary code, which in turn could leverage the Meltdown and Spectre vulnerabilities to access the memory of the aforementioned login manager service and steal usernames and passwords. Needless to say, this is not a good thing.

At this time, the two vulnerabilities haven't been exploited by anyone for evil purposes in the wild (that we know of), but that day is not far off. Despite people installing the necessary updates, there will always be legacy systems languishing under people's desks and hidden away in datacentre cabinets that remain vulnerable.

I won't go into technical detail (although I'll link the relevant research articles at the end of the blog for those of you who want the warts-and-all technical info on these bugs). In short, they use what's known as a side-channel attack: that is, they don't use a direct access method to capture private data, but use a side-effect of a processor design flaw to deduce the contents of private memory. In this case, a malicious exploit will extract and store this data within its own memory area for later analysis.

"How does this affect me?"

Due to increased public awareness of these bugs, and the much more expedited update processes used by modern operating systems (here's looking at you, Windows 10), most people who keep their systems up to date are unlikely to be directly affected. Good news? Yes. However, there is likely to be a performance penalty incurred, as the security updates need to perform additional checks on the way the operating system handles process cache and memory access.

Spectre is an interesting bug affecting any processor that performs what is called speculative execution. Put simply, every time a processor needs to make an if-this-then-that decision, it will try to predict the most likely parameters and execute with those, ahead of knowing what they actually were going to be. If successful, the program will effectively run a bit quicker, as the instructions were executed ahead of time (the answer was available before the question was known). If the prediction fails, it will backtrack and execute the instructions again, but this time with the actual known parameters. This timing difference gives a malicious process a clue as to which parameters the target process was using.

“In English, doc”

A more human-scale analogy would be you ordering the same sandwich at the same shop, at the same time every day, to the point where the person making the sandwich knows what you'd want and has it ready before you get there. Then a bad guy disguised as you starts going to the same shop, but asks for a different filling each time. Eventually they'd see that the sandwich maker didn't have to throw away the pre-prepared sandwich, meaning the baddie would be able to deduce that it was the chicken and avocado salad you'd been ordering all along!

Anyway, back to computing. In the interests of performance, a lot of CPUs use speculative execution, such as the x86 processors that are used in PCs, Macs and servers, for which operating system vendors should be putting out updates soon (if they're not here already). Of more concern are the widely used ARM-based CPUs that are found in a stunningly large volume of IoT and handheld devices. Of particular cause for alarm are Android mobile phones, vast numbers of which are no longer maintained by their manufacturers, and for which updates to fix this bug won't be available. We'll have to see how this pans out. Needless to say, it's imperative to keep your mobile devices up to date.

"What can I do to prevent this from being a problem? What do you recommend?"

As mentioned briefly in the previous section, ensure that you keep your operating systems on both mobile and desktop devices up to date. It has been claimed that some x86 chips made by AMD are not directly affected by this issue; however, the mitigation steps being implemented may still affect performance. Exactly how much of an effect this will have remains to be seen, with some parties stating only a 1% performance hit, and others all the way up to 15% (with other news sources quoting 30%). Ultimately, this will be down to how OS and hardware vendors address the issue, and the type of work your CPU does. Browsing and gaming, for example, won't see much of a performance hit, but data is already coming in from AWS that shows certain workloads are up noticeably as a result of the patches.
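One way to check whether a Linux machine has actually received these mitigations, as an added example that is not part of the original post: since kernel 4.15 the kernel reports per-bug status in files under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The sample status strings and the classification labels below are constructed for the demo.

```python
"""Summarise Meltdown/Spectre mitigation status from the Linux sysfs interface."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Kernel file names for the two bugs the post discusses (Spectre has two variants).
BUGS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse label (labels are our own naming)."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):  # "Vulnerable" or "Vulnerable: <partial mitigation>"
        return "vulnerable"
    return "unknown"


def read_status(bug: str, sysfs_dir: Path = SYSFS_DIR):
    """Return the raw status text, or None if the kernel predates the interface."""
    try:
        return (Path(sysfs_dir) / bug).read_text()
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return None


def report(sysfs_dir: Path = SYSFS_DIR) -> dict:
    """Classify every bug; a missing file means we cannot tell, so report 'unknown'."""
    return {bug: ("unknown" if (raw := read_status(bug, sysfs_dir)) is None else classify(raw))
            for bug in BUGS}


def needs_attention(status_by_bug: dict) -> list:
    """Bugs that are still vulnerable or whose state the kernel cannot report."""
    return [bug for bug, state in status_by_bug.items() if state in ("vulnerable", "unknown")]


# Constructed sample mirroring what an early-2018 kernel might report.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def report_from_strings(samples: dict) -> dict:
    return {bug: classify(text) for bug, text in samples.items()}


if __name__ == "__main__":
    live = report()
    for bug, state in live.items():
        print(f"{bug:11s} {state}")
    print("needs attention:", needs_attention(live) or "none")
```

Run it on the host you want to check; on a non-Linux system or a kernel older than 4.15 every entry comes back "unknown", which is itself a signal that the box has not been patched for these bugs.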

For new systems coming out within the next few years, I suspect the CPU manufacturers will be feverishly redesigning their devices to fix the issue in hardware, without the performance hit.

I hope that casts some light on the problem and we always welcome your comments and questions.

---

References:
Original Research - https://meltdownattack.com/

OS and hardware vendors:
Apple - https://support.apple.com/en-us/HT208394
Microsoft - https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Intel - https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
AMD - https://www.amd.com/en/corporate/speculative-execution
