My Take On Meltdown and Spectre Computer Security Flaws
Spectre and Meltdown allow a non-privileged user (non-root/non-Admin) to access memory they aren’t supposed to essentially dissolving the majority of computing security and privacy barriers. This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network etc..
If you are using any computing device whether it be an ARM based device, Intel CPU (although Intel is the worst offender at this point), AMD CPU this issue affects you and billions of other devices and users around the world. Whether you are on Linux, Unix, Windows, Mac this applies to you. It is really an unmitigated scandal and disaster for both privacy, security and even safety with long lasting and wide ranging ramifications that will continue to playout for years.
I’ve made a comment in the past about security, IOT and how there are many devices that are now unsupported or can’t be updated leading to huge security issues. We are now unfortunately there and have been since 1995.
This issue was first reported by Google Project Zero and they are known as the Meltdown and Spectre Vulnerabilities that affect all microprocessors made since 1995 (the modern computing era).
To make it worse there are 3 known “variants” or attack vectors known (I suggest there may be more that are undisclosed or not yet known to the public). With variants 1,2 being very similar (known as Spectre) and variant 3 known as Meltdown.
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
The attack is possible due to “speculative execution” where CPUs (computer chips) essentially try to predict future work needed and will actually do sometimes unneeded work as the performance hit for doing this is less than waiting to execute the instructions later. This means the computer sometimes performs work that isn’t needed and not used to increase performance, where things have gotten bad is through this feature, it’s possible for a normal user/process to gain unrestricted access to memory that you shouldn’t have access to.
What is Spectre?
The primary variants (1,2) that make up Spectre rely on the user exploiting the speculative feature of the CPU to write to memory under their control. This allows a normal user to read basically all memory processes allowing keys, passwords and confidential data to be intercepted. AMD Claims that Variant #2 does not impact them as well.
What is Meltdown?
Meltdown is the third and more serious and nasty variant that still relies on the speculative execution exploit/flaw but actually allows the attacker to read arbitrary memory (so basically anywhere at will). The key feature of Meltdown is that it is the easiest attack to perform and it has been demonstrated on the Intel platform already.
The only good news is that apparently this Meltdown attack only affects Intel and not AMD.
Redhat has also done an excellent writeup about the issue here:
How To Protect Yourself
First and foremost you should update your devices as soon as patches become available. In Linux enabling KPTI can protect you. However for some major distributions of Linux users are still waiting for a patch.
If you are vulnerable and performing critical operations it’s time to make tough choices including possibly turning off your machines or denying all non-admin users access to a server/services if possible.
Ensuring rotation of keys and passwords can also mitigate your risks even if passwords have been compromised.
It comes down to good security practices all around such as segregating services to different physical machines, restricting physical and virtual user access.
If possible remove all non-essential or untrusted applications from your device/computer/server.
Dedicated Servers Will Become More Popular
There has been a huge trend to put everything into the Cloud, one that I have reservations with despite owning companies that offer our own private Cloud.
Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable but it does raise questions from our clients that we’ve mentioned before.
I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as a few users as possible. By doing this you significantly reduce your risk in a scenario like this by putting your company database, e-mail, VPN, websites, file server on physically different servers.
Serious Questions and Concerns Raised
I would raise the question that is it really possible that such a wide-ranging exploit was completely unknown for this long until a team from Google discovered it? Considering the budgets of major intelligence agencies around the world who are constantly looking to find exploits of their own it is conceivable that this vulnerability may have been exploited for far longer than it was publicly known by specific groups.
Another one is Intel’s response to it by apparently being accused of singling out AMD when as of now, Intel is far more vulnerable.
Since these chip makers are all US based is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible? Considering recent revelations I don’t think it would be inconceivable.
Are there more than 3 variants and if we assume that no one else really knew about Variants 1-3 is it not possible that a well-armed team could find new ways to exploit them?
Long-term Value for Intel, AMD and ARM
At the time of writing Intel’s stock was down about 3% but this could get worse for either of these companies if one’s vulnerabilities keep increasing and/or one of them is hit with a larger exploit.
It’s hard to give an honest conclusion as we’re just getting started and this is all we know about the Variants 1,2 (Spectre) and Meltdown. So far it looks like we were lucky to choose AMD. The key issue that will come out of this is how many devices and users will remain vulnerable by being unable to patch or if they have a device that cannot be easily patched or there is no longer any support from the vendor? This would increase the amount of zombies and data security breaches several fold.
This is also a good time and a wakeup call for all companies to do a security audit and if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.