January 7, 2018 – If you have a feeling that someone is looking over your shoulder these days when you are using your computer, you may be justified to a degree. It appears that the cores of computer chips, once seen as invulnerable, are not, and that more than one manufacturer is to blame. I’ve always recommended Intel processors when advising friends on buying a new computer. But now it appears it doesn’t matter who supplies the chips at the core of your new machine. All are suspect.
Previously unknown flaws have made almost every current device insecure. Whether it’s a smartphone in your pocket, a laptop, tablet or desktop system, hackers can exploit these flaws to extract personal information you thought was protected by your normal security protocols.
It was the Google Project Zero engineering team that first identified the flaws, giving them the names Spectre and Meltdown.
The engineers traced the vulnerability, which is common to Intel, AMD, and ARM processor architectures, back nearly two decades. These processors are the artificial brains found in billions of devices, including the computers that store information in the Cloud and the sensors deployed in vehicles, machinery, and other equipment.
Processors are designed to predict and execute tasks. They store instructions that include user IDs, passwords, and vital data associated with credit and banking. But so far Intel and Google have indicated they have yet to see an exploitation of the flaws. And the Computer Emergency Readiness Team in the United States concurs. Carnegie Mellon University’s Software Engineering Institute has provided a complete description of Spectre and Meltdown. In both flaws, kernel memory is exposed.
The following table compares Spectre and Meltdown.
| | Spectre | Meltdown |
| --- | --- | --- |
| CPU mechanism for triggering | Speculative execution from branch prediction | Out-of-order execution |
| Affected platforms | CPUs that perform speculative execution from branch prediction | CPUs that allow memory reads in out-of-order instructions |
| Difficulty of successful attack | High – Requires tailoring to the software environment of the victim process | Low – Kernel memory access exploit code is mostly universal |
| Impact | Cross- and intra-process (including kernel) memory disclosure | Kernel memory disclosure to userspace |
| Software mitigations | Indirect Branch Restricted Speculation (IBRS). Note: This software mitigation also requires CPU microcode updates and it only mitigates Spectre variant 2 | Kernel page-table isolation (KPTI) |
The solutions proposed include updates to the microcode within the processors and updates to applications that have been deemed vulnerable.
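To confirm that the mitigations in the table are actually active after updating, a patched Linux kernel reports its own status per flaw. The following is an added example, not part of the original article; it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (a path not mentioned in the article), and the sample status lines are constructed.

```python
import os

# Assumption: a Linux kernel new enough to publish per-flaw status files here.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a (state, detail) pair."""
    status = status.strip()
    if status == "Not affected":
        return ("not_affected", "")
    if status.startswith("Mitigation:"):
        # The detail names the mitigation, e.g. PTI (page-table isolation) or IBRS.
        return ("mitigated", status[len("Mitigation:"):].strip())
    if status.startswith("Vulnerable"):
        return ("vulnerable", status[len("Vulnerable"):].lstrip(":,; ").strip())
    return ("unknown", status)


def read_sysfs(name, base=SYSFS_DIR):
    """Return the status text for one flaw, or None if the file is absent."""
    try:
        with open(os.path.join(base, name)) as fh:
            return fh.read()
    except OSError:
        return None


def audit(read_status=read_sysfs):
    """Classify every flaw; read_status(name) yields file text or None."""
    report = {}
    for name in CHECKS:
        text = read_status(name)
        # A missing file means the kernel predates this interface: no conclusion.
        report[name] = ("unknown", "no kernel report") if text is None else classify(text)
    return report


def needs_action(report):
    """Names of flaws that are neither mitigated nor reported as not affected."""
    ok = ("mitigated", "not_affected")
    return sorted(n for n, (state, _) in report.items() if state not in ok)


# Constructed sample: Meltdown patched via KPTI, both Spectre variants still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    for name, (state, detail) in audit().items():
        print(f"{name:12} {state:13} {detail}")
```

An "unknown" result with "no kernel report" usually means the kernel itself has not been updated, which is the first thing to fix.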
Technology providers affected besides Intel, AMD and Arm include:
- Amazon,
- Android’s Open Source Project,
- Apple,
- CentOS,
- Cisco,
- Citrix,
- Debian GNU/Linux,
- Fedora Project,
- Fortinet,
- FreeBSD Project,
- Google,
- and IBM.