Two security issue so big that both of them getting an own logo? Yes it’s real and the entire world is talking about but now everyone is asking, what can we do about it?
I have to admit this story is really big and it affects everyone and that’s maybe a reason they’re hyped right now. Serious security flaws that could let attackers steal sensitive data, including passwords and banking information, have been found in processors designed by Intel, AMD and ARM.
The flaws, named Meltdown and Spectre, were discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries. They affect virtually every modern computer, including smartphones, tablets and PCs from all vendors and running almost any operating system. Meltdown is “probably one of the worst CPU bugs ever found”, said Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw.
Meltdown is currently thought to primarily affect Intel processors manufactured since 1995, excluding the company’s Itanium server chips and Atom processors before 2013. It could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory. Meltdown, therefore, requires a change to the way the operating system handles memory to fix, which initial speed estimates predict could affect the speed of the machine in certain tasks by as much as 30%.
The Spectre flaw affects most modern processors made by a variety of manufacturers, including Intel, AMD and those designed by ARM, and potentially allows hackers to trick otherwise error-free applications into giving up secret information. Spectre is harder for hackers to take advantage of but is also harder to fix and would be a bigger problem in the long-term, according to Gruss.
Intel and ARM insisted that the issue was not a design flaw, although it will require users to download a patch and update their operating system to fix, which Microsoft in the meantime (for Intel CPU’s) rolled out. Other fixes for Apple’s MacOS, Linux, and Android are following. These fixes could slow down some computers, particularly older ones, however Computerbase already did a ‘real world’ benchmark on this and there wasn’t any performance impact noticable.
Spectre is particularly nasty — there’s no real fix for it, and it exploits a fundamental part of how processors work.
Intel is badly hit by Meltdown because its speculative execution methods are fairly aggressive. Specifically, Intel CPUs are allowed to access kernel memory when performing speculative execution, even when the application in question is running in user memory space. The CPU does check to see if an invalid memory access occurs, but it performs the check after speculative execution, not before. Architecturally, these invalid branches never execute — they’re blocked — but it’s possible to read data from affected cache blocks even so.
AMD and ARM appear largely immune to Meltdown, though ARM’s upcoming Cortex-A75 is apparently impacted.
Unlike Meltdown, which impacts mostly Intel CPUs, Spectre’s proof of concept works against everyone, including ARM and AMD. Its attacks are pulled off differently — one variant targets branch prediction — and it’s not clear there are hardware solutions to this class of problems, for anyone.
Google said that exploiting Meltdown and Spectre “has shown to be difficult and limited on the majority of Android devices.” The fixes for ARM chips were part of the Android January 5 security patch level, so Pixel/Nexus users are already safe.
Intel-based Chrome OS devices are already patched, as long as they use versions 3.18 or 4.4 of the Linux kernel. You can check which version your Chromebook has by going to chrome://gpu, then scrolling down to ‘Version Information.’ The kernel version which introduce the fix is 3.18.0 (or higher).
Google notes that the current stable version of Chrome v63+ already includes a feature called Site Isolation, which forces websites to use different address spaces. This can be turned on by switching the #enable-site-per-process flag (copy and paste that link into Chrome’s address bar) to ‘Enabled.’
Google says the feature may have performance issues on Android, and it’s not available at all on Chrome for iOS (because Chrome on iOS uses WKWebView to render pages). Chrome 64, which will be released on January 23, will contain more protection features. A page on the Chromium site includes full details about mitigating possible attack techniques.
The Google Home, Google WiFi, and the various OnHub routers are not affected by the vulnerabilities. Google’s online sites/infrastructure, including Search, YouTube, Blogger, and other services are already protected. Some of Google’s professional/enterprise tools, like e.g. Cloud Datalab and Compute Engine, have been patched but may require an update for end-users.
A demonstration can be found here.
And now — what happens next?
When reached for comment on the matter, Linux creator Linux Torvalds responded with the tact that’s made him legendary.
“I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed,” Torvalds writes. “And that really means that all these mitigation patches should be written with ‘not all CPU’s are crap’ in mind. Or is Intel basically saying ‘We are committed to selling you shit forever and ever, and never fixing anything? Because if that’s the case, maybe we should start looking towards the ARM64 people more.”
It does appear, as of this writing, that Intel is disproportionately exposed on these security flaws. While Spectre-style attacks can affect all CPUs, Meltdown is pretty Intel-specific. Thus far, user applications and games don’t seem much impacted, but web servers and potentially other workloads that access kernel memory frequently could run markedly slower once patched.
My point of view
AM I surprised? No not really, I was one of these paranoid tin-foil hats which predicted that hardware based attacks are a more significant attack vector since this isn’t easy or impossible to patch. Of course when I wrote something about this 1995 no one took me serious on this because everyone was believing in the big ones aka Intel and AMD. However I not want to judge anyone here but it’s ridiculous that Intel want to excuse this instead of accepting the truth. I totally understand Linux Torvalds here and this time he got my attention because what he wrote is true.
At the end all you can do is to monitor the entire story, and choose the product which comes with as little as possible cancer, but this also could have one good thing in common we learned (the hard way) a bitter lesson of experience. You have to inspect every new hardware and software very carefully before you can talk about ‘trust’.