Understanding the Massive Security Concerns of Meltdown & Spectre

Posted on the 23 January 2018 by Techloot @tech_loot

2018 already has a sour track record with computer safety.

By now, you’ve probably heard about the dual threats of Meltdown and Spectre, the two latest and potentially largest threats to any computer’s security in quite a few years. In fact, the problem is wide-reaching enough that nearly every CPU produced in the last few decades is potentially vulnerable, with no immediate sign of recourse, and the public response to quell the tide has been unbearably slow.

Meltdown: Intel’s newest woe

Of the two, Meltdown is the lesser evil in a lot of ways: it’s easier to mitigate and primarily affects Intel-based processors, which helps limit its reach. Summing it up in a few words is simple, even if those few words are difficult for some to parse: it breaks down the barrier that keeps programs from arbitrarily accessing data. In practice, these barriers keep data contained to the process running it, so that no programs overlap one another’s processor space, so to speak, and they add a layer of security to running processes.

Breaking it down further requires a bit of analogy work. The Verge offers several breakdowns of the bug and how it might work if translated to the real world. In the simplest terms, it tricks your processor into leaking information from unrelated programs through a channel it believes to be secure. The posted analogies go into more detail, but at the base level that’s all you really have to know: It’s a kernel exploit and that isn’t something to be sneezed at.

Fortunately, defence against Meltdown more or less requires nothing more than increased security at the kernel level. Patches have already been released with the hopes of squashing Meltdown before it sees actual use, but the downside to all of this is that processors will no longer be operating at full capacity. In essence, they assume the kernel will work a certain way, which leaves them susceptible to Meltdown, and routing around that faulty set of assumptions causes a performance hit. Patches for both Spectre and Meltdown together could have little effect or chop off as much as 25 percent of a CPU’s performance.

Thankfully, private PCs aren’t the real performance losers. Unless you’re running a system with multiple PCs chained together, don’t expect to see massive hits outside of extremely specific CPU cases.

Spectre: Everyone’s looming threat

On the topic of bad news, there is Spectre, which is nowhere near as simple to mitigate as Meltdown. Spectre targets speculative execution in a way that allows memory access outside of intended means, much like how Meltdown can incidentally lead to memory access, but without the benefit of simply being a security flaw.

Speculative execution essentially tries to guess what the processor will be doing next. It’s not a new innovation by any means and forms some of the foundation for modern computing, which is why Spectre hits nearly every PC that has been manufactured in the last few decades. It’s not something that can simply be patched out without slowing every machine with a processor in it to an absolute crawl in the very best of cases, short of reprogramming everything that has been developed since the dawn of the personal computer.

If it runs Intel, AMD or ARM processors, it’s vulnerable, short and simple. On the upside, the exploit is much more difficult to execute and may only apply to data loss within the program inside which arbitrary code is executed; for comparison, Meltdown could lead to loss of security for any program running on a compromised machine.

Stemming the tide of data loss

Thankfully, both exploits were discovered by researchers in a controlled environment and patches have been in the works for some time, although their deployment has met a very rocky start, to say the least. If you’re absolutely concerned about security, patching is recommended. Otherwise, you’re better off waiting for things to stabilize before leaving yourself with a computer that won’t stay turned on for more than a few minutes at a time.

It’s bad enough that the prime developer for the Linux kernel, Linus Torvalds, is very unhappy with the proposed fixes and has been quite vocal about how poor the initial response has been to such massive security problems.

Expect developments to come fairly rapidly over the next few weeks. Meltdown probably won’t be more than a small speed bump when it comes to processor speeds and general security, but Spectre could be a very real threat for years to come if it doesn’t require rethinking how we produce processors entirely.
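To go with the patching advice under "Stemming the tide of data loss", here is an added example that is not part of the original article: Linux kernels carrying the fixes report their Meltdown and Spectre status in sysfs, and this script turns that report into a verdict per issue. It assumes a Linux system; the sysfs path and status strings are those of the mainline kernel, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): summarise the Linux kernel's own
# Meltdown/Spectre status files. Paths and status strings are mainline Linux's.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE: map a raw status line to a one-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo patched ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir [DIR]: print "<issue> <verdict> <raw status>" for each issue.
report_dir() {
    dir=${1:-$VULN_DIR}
    for issue in meltdown spectre_v1 spectre_v2; do
        line=""
        if [ -r "$dir/$issue" ]; then
            # "|| true": a file without a trailing newline still fills $line
            IFS= read -r line < "$dir/$issue" || true
        else
            # No file: the kernel predates the fixes, or this is not Linux
            line="no status file"
        fi
        echo "$issue $(classify_status "$line") $line"
    done
}

# needs_attention [DIR]: succeed if any issue is vulnerable or unreported.
needs_attention() {
    report_dir "$1" | grep -Eq '^[a-z0-9_]+ (vulnerable|unknown) '
}

# Stand-alone use: report on this machine, or on a directory given as $1.
report_dir "$1"
```

A `patched` verdict means the kernel reports an active mitigation; `unknown` usually means the running kernel is too old to report at all and should be treated as unpatched.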