Meltdown and spectre
Gareth Halfacree analyses the recent security news that’s rocked the processor industry
The processor market has recently been rocked by the disclosure of two of the biggest security vulnerabilities in history: Meltdown and Spectre. Stemming from hardware design choices made to boost performance, the flaws affect almost every processor on the market going back to the mid- 1990s, and potentially allow thieves to grab the contents of arbitrary supposedly-protected memory locations, using nothing more than a malicious webpage.
The root of both Spectre and Meltdown lies in speculative execution, a performance-boosting technique that forms part of the out-of-order execution (OOOE) employed by the majority of modern processors.
Under speculative execution, the processor is free to go ahead and start pulling data and instructions before they’re required; when the program actually requires them, they
Nearly every CPU from the past 20 years is affected by Spectre or Meltdown in some form
appear instantaneously. If they turn out to not be required, they’re silently discarded.
This boon for performance has turned out to be a major issue for security, however. Using a quartet of different but related attack vectors – known as Spectre Variants 1 and 2, plus Meltdown Variants 3 and 3a – researchers discovered that it’s possible to use speculative execution’s performance-at-all-cost approach to infer the contents of otherwise protected memory – an area to which the program exploiting the flaws should never have access.
The most obvious impact is a complete loss of memory protection across almost all modern computing systems. When you’re typing a password, you rely on memory protection to be sure that only the program to which you’re authenticating has access to those keystrokes; using Meltdown or Spectre, a malicious program is free to ignore those restrictions and gain access as you type, with no warning to the user.
An issue arguably bigger than the flaws themselves, though, is that both Meltdown and Spectre aren’t software bugs but hardware bugs. As effectively design flaws in the processor architecture itself, there’s no actual ‘fix’ that doesn’t involve physically replacing the parts with more secure equivalents – just ‘mitigations’ in software that can work around the problems, protecting the processor from the four known attack vectors.
For processor manufacturers, it’s a nightmare scenario. While flaws in processor hardware aren’t uncommon – from the famous FDIV bug that affected Intel’s early Pentium chips in the mid-1990s, through to the pages upon pages of relatively minor errata that accompany any modern microprocessor – to have one that’s so widespread, devastating in scope and easily exploited is a perfect storm, the effects of which will be felt for years.
The researchers who originally discovered Meltdown and Spectre back in mid-2017, led by Google Project Zero staffer Jan Horne, had originally set a disclosure date of 9 January, 2018 – a date before which, it was hoped, software mitigations for the flaw would have already been distributed to customers to protect against malicious exploitation. Press analysis of publicly available patches for the Linux kernel, though, led to companies going live ahead of the original disclosure date, as well as a lot of miscommunication, including reports that the flaws were exclusive to Intel processors, which is only true of Meltdown Variant 3.
The process of fixing the vulnerabilities, which at the time of the writing was still ongoing, hasn’t been smooth. Initial patches for
An issue arguably bigger than the flaws themselves, though, is that both Meltdown and Spectre aren’t software bugs but hardware bugs
Windows from Microsoft turned out to cause older AMD hardware to fail to boot, while microcode mitigations released by Intel have been found to crash systems at random-an issue so severe that Intel has been forced to withdraw the patches, with no replacement yet available at the time of writing.
‘We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions,’ warned Intel’s Navin Shenoy of the patches, more than two weeks after they were publicly released, ‘as they may introduce higher than expected reboots and other unpredictable system behaviour’
Linux too has been hit hard. ‘All of this is pure garbage,’ wrote Linux founder and maintainer Linus Torvalds of the patches provided by Intel for Meltdown and Spectre mitigation. ‘Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking [sic] insane?’
Speaking of Intel’s approach to the problem, in which the flaw remains exploitable unless and until the operating system makes the decision to activate the performance-sapping mitigation, Torvalds was clear: ‘The whole IBRS_ ALL feature tome very clearly says,
“Intel is not serious about this, we’ll have an ugly hack that will be so
The Meltdown and Spectre vulnerabilities affect almost all modern processors on desktop and portable devices, thanks to the use of performance-boosting speculative execution. This technique has been in common use since the 1990s, leaving uncountable systems at risk of attack – and many without software patches, with manufacturers concentrating solely on their latest product families. To ensure you’re protected, check for the following:
Windows: Windows 10 Build 1709 with the KB4056892 update, Windows 8.1 with KB4056898 and Windows 7
SP1 with KB4056897 or KB4056894, all include Meltdown and Spectre mitigations.
macOS: macOS 10.13.2 Supplemental Update (and iOS 11.2.2) include Meltdown and Spectre mitigations.
Linux: Linux 4.14.14 and 4.9.77 include Meltdown and Spectre mitigations. Operating system protections are only part of the equation, however, and software vendors are being advised to recompile their software with the so-called ‘return trampoline,’ or ‘retpoline’ feature enabled. In addition to the operating system, browsers must be patched against exploitation too.
‘As we saw with Samsung’s recall of their Galaxy Note 7, these mistakes can cost billions of dollars’
expensive that we don’t want to enable it by default, because that would look bad in benchmarks.” So instead, they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint.’
Even when the patches are available, applied and working as intended, the situation is far from golden. Intel has admitted that application of the patch set impacts certain workloads with up to a 35 per cent loss of performance – an impact so severe the company has warned its customers that they will need to think hard about the tradeoff between security and performance.
While the impact is felt hardest by server-centric workloads, and only impacts Custom PC‘s performance tests to a negligible degree, it doesn’t leave gamers unscathed. Epic Games is among the publishers pointing to severe issues from the Meltdown and Spectre security patches on its multiplayer servers, publishing performance figures that show a doubling of the CPU demand on its Fortnite servers after patching.
Worse may be yet to come, however. ‘To fix these exploits, it will re-uire the complete re-architecture of future CPUs at a hardware level, something many vendors are failing to acknowledge due to the mammoth costs associated,’ claims Vishal Rai, chief executive and co-founder of software development firm Acellere. ‘As we saw with Samsung’s recall of their Galaxy Note 7, these mistakes can cost billions of dollars.’
So far, no company affected by the flaw has gone on record to say when the first processors with the architectural issues removed – rather than simply mitigated through optional and only partly functional software updates – will be available. It’s likely because the impact would affect current-generation CPU sales.
It’s certain that the first generation of processors to have the speculative execution issue fixed in hardware will have lower performance than their predecessors, at least for selected workloads. However, the wider impact remains fuzzy.
Intel, for its part, has pledged to be more transparent about how it deals with security issues, a rather ironic promise given that chief executive Brian Krzanich is to be investigated for selling the maximum number of Intel shares permissible by law after the company was informed of the Meltdown and Spectre vulnerabilities, but before they had been disclosed to the general public.
Intel, AMD and Apple, whose custom ARM-based processors are affected, are also at the centre of various class action lawsuits from disgruntled customers.
During the original disclosure, researchers detailed three vulnerabilities. Firstly, Variant 1 and Variant 2, dubbed Spectre and applicable to processors from Intel, AMD and ARM. Meanwhile, Variant 3, dubbed Meltdown, is only applicable to Intel processors. Further investigation uncovered Variant 3a, a new approach to exploitation of the Meltdown flaw, which allowed it to be extended to selected ARM processors as well.
Each variant, bar the ARM-specific Variant 3a, has its own entry in the Common Vulnerabilities and Exposures (CVE) database (https://cve.mitre.org), which can be searched for more information.
■ Variant 1: Bounds Check Bypass, CVE-2017-5753
■ Variant 2: Branch Target Injection, CVE-2017-5715
■ Variant 3: Rogue Cache Data Load, CVE-2017-5754
■ Variant 3: Rogue Cache Data Load (ARM variant), no CVE yet assigned
Some in the industry, though, are calling for a more radical shift, rather than a transparency pledge and a few legal rulings. The RISC-V Foundation, a non-profit group that leads the development of the open source RISC-V instruction set architecture (ISA), was quick to trumpet its own immunity from the flaws, and that its open nature makes it easier to catch and mitigate such issues.
‘The RISC-V community has an historic opportunity to “do security right” from the get-go with the benefit of up-to-date knowledge,’ the Foundation claimed in a statement attributed to chair Krste Asanovic and executive director Rick O’Connor. ‘In particular, the open RISC-V ISA makes it possible for many different groups to experiment with alternative mitigation techniques and share results.’
It remains to be seen whether Meltdown and Spectre will contribute to a shift away from monolithic ‘black box’ processor design, where the inner workings are opaque even to their designers and only self-optimizing compilers have a chance of taking full advantage of the hardware’s capabilities, to an open and collaborative approach that RISC-V embodies. If it does makes this shift, however, it could be one of the very few positives the industry could draw from the current mess.