Meltdown and Spectre exploits: Cutting through the FUD
There is lots of information circulating about the new Meltdown and Spectre exploits of computer chips from Intel and others announced in the past few days. Some of it has been accurate, and some has been sensationalist and overblown. There is much technical information with high level of details available for both Meltdown and Spectre, so I won’t get into a lot of technical detail here. Rather, I’ll focus on the higher-level issues affecting business and personal computer users.
First, to be clear, these exploits affect all the major computer chip architectures. The major chip makers — AMD, ARM and Intel — have decided to work together to mitigate the potential effects of a common enemy that affects most modern computer chips — a good sign for future industry collaboration. And all the major software vendors of Linux, Microsoft for Windows, Apple for macOS, and virtualization software suppliers such as VMware and Citrix have all collaborated to mitigate this threat.
But what are the threats? There are potentially three different threats exposed in the disclosure, collectively described by Meltdown and Spectre.
Meltdown and Spectre are not exactly the same, but they are related and use a similar exploit mechanism to gain access to computer data. Nearly all modern chip architectures from the major suppliers (Intel, AMD, ARM) are affected, and this includes nearly all modern computer systems from data center to PC to smartphones. The problem affects nearly all operating systems, such as Windows, Linux, macOS and even Android, as well as virtualized environments such as VMware and Citrix. But it doesn’t affect lower-level or real-time operating systems (like QNX) that don’t use this particular feature, nor in lower-level controller chips used for the Internet of Things (IoT).
Basically, the exploit involves reading memory locations that are supposed to be protected and reserved for use by the computer kernel. It exploits an architectural technique known as “speculative execution” which is a key feature of things such as look-ahead instructions and data, which significantly improves computer performance.
With a potential to read kernel data, what’s the real threat level behind Meltdown and Spectre? Let’s look at what it is, what it’s not, and what you should do about it.
What are Meltdown and Spectre
- Meltdown and Spectre are exploits, not chip design flaws, operating against computer architecture that’s been designed into chips for decades. They access protected areas of memory to potentially decode and read. While this may contain sensitive information such as passwords, it also may simply be variable instructions and data from application processes that are not of much value.
- They have the potential to read protected memory locations used by the device and applications (including browsers) that store information in the kernel memory, including potentially sensitive data. They do not read memory in mass storage devices such as disk drives. But it may not be possible to even read the captured data in real time, as it requires understanding the relationship between data locations, which are highly variable and actual data content, and requires a good amount of processing/decoding.
- They must be run locally on the machine and must be loaded through some form of application. Therefore, it’s not easy to do this via a “drive by attack” that does not launch a machine-specific application targeted at this vulnerability.
What they aren’t
- They do not allow takeover or modification of machines and operating systems, so it is not a traditional malware actor. This is important, as it does not expose the machine to any modifications of its operations or “hijacking.”
- It is not an easy thing to do, as some have suggested. It takes a good deal of effort to access and discover the actual content of memory and make it meaningful, as mentioned earlier. For this reason, this is likely not a “high volume” approach to malware like more traditional approaches that take over the operation of the machine for nefarious purposes.
- They do not allow data access and retrieval of stored data sets on disk drives, (e.g., databases) like many normal malware attacks would, nor do they allow machine takeovers for DDoS attacks. So, the actual risks to corporate or personal data are much more limited than typical of malware attacks that capture full content of mass storage systems.
- These aren’t things smaller-scale computers, like PCs and smartphones, need to worry much about, as the amount of effort involved would highly favor exploitation at large data center machines rather than personal machines. It’s about “bang for the buck” for the hacker.
What’s the risk?
To date there are no known uses of the exploits in the wild. And it’s not as easy to deliver a payload to a machine to use these exploits, as it is with more common malware that’s sent via an email or errant application download.
Further, all of the major OS vendors are patching their software to dramatically limit the ability of these exploits to cause harm, and firmware is being updated by the chip and machine vendors. So, while there is a potential real risk, in my opinion, it’s not as great as many of the more traditional malware attacks we’ve seen in the recent past.
What should you do?
All the major OS and cloud companies are working on fixes for this vulnerability and have, or are in process of, providing software updates. It may be impossible to eliminate all risk without turning off some of the fundamental features of modern computers, such as look-ahead functions, which isn’t practical.
Even with the software patches, most users won’t see a major impact on their programs, as they affect only memory access to the kernel system, and many apps use that feature only occasionally. Speculation that the patches will cause a 30 percent decline in performance is, in my opinion, highly overstated. I estimate for the average user on a PC, the performance degradation may not even be noticeable or will likely be in the 3 to 5 percent range.
For large data centers where there are many operations to the kernel memory, the impact may be somewhat greater, but I still estimate it will be well under 10 percent. Although for very large data sets, that may be negatively impactful.
While these new exploits are troublesome, as are all potential security risks, users and organizations affected should not panic. Many of the fixes are already being implemented as software/firmware upgrades and should mitigate the vast majority of any potential exploitation.
Future chips will also incorporate more protections against these exploits. But as with all major current and future architectures enhancements, there is no guarantee that everything will be 100 percent secure even though the chip, OS and app vendors do all they can to protect systems.