The history of personal computing has been marked with potential or actual exploits that can be used by hackers to steal data from devices or take over their functions. Luckily, these are often found by security researchers, who report their findings publically.
This leaves the companies that manufacture the hardware and software in question to address these critical programming flaws. However, a recent high-profile report may be much harder to fix permanently than most, and also affects a particularly wide range of electronic devices.
This release concerns two major defects, one of which is hardware-based; the other may be more likely to operate in a software-based manner. They are known as Spectre and Meltdown respectively, and may be quite difficult to patch completely. However, companies such as Intel maintain that their software patches can protect against these exploits.
How Would Spectre or Meltdown Work?
Both exploit types have been reported to be associated with a computing function known as speculative execution. This development allows microprocessors to ‘hold’ some types of information in reserve, in the anticipation that it will be the next piece of data required by the user. This information may come in the form of what code should run next or probable queries; alternatively, it may be of a sensitive nature, for example passwords or card numbers.
Information that is ‘lined up’ in this way may therefore be predicted through inference-based analysis. Executive function is one of many adaptations that promote processing speed and economy over the years, and have been further emphasised by manufacturers responding to demands for ever more responsive and efficient chipsets. However, this has resulted in the potential for attacks on device properties such as executive functions, which are collectively known as ‘side channels’.
Executive Function Exploits: The Potential Consequences
Meltdown is a potential exploit that may allow an attacker to glean sensitive information such as passwords, payment details and identifiers. This flaw is thought to apply to practically all chipsets in existence; it may apply to chips on the ARM architecture as well as those found in PCs (e.g. Intel chips).
Therefore, Meltdown could be used to attack personal devices such as phones or tablets. More importantly, however, it could also be applied to the processors that run servers such as those that uphold services such as clouds and online space providers. Fortunately, large MNCs such as Google and Amazon claim that they have taken steps to combat the potential vulnerabilities already.
However, those using personal devices may have to wait a little longer for protection against the new vulnerabilities. Intel’s CEO, Brian Krzanich, released an open letter in which he detailed the company’s plan to roll a software update, which should be installed by all target devices by January 15. However, this only applied to chipsets released in the last five years. Those who use older processors do not have a concrete date for their updates. This is not the only bad news: some experts have projected that the necessary patches may slow computers down by as much as 30 percent. This is bad news, especially (again) for those with older devices.
The new protective updates will be distributed through the operating systems of each device; Apple and Linux are said to have released partial fixes for Meltdown. On the other hand, an attack using Meltdown can be avoided through careful use of the OS and the Internet. For example, file downloads and installations are thought to be the main access routes for hackers hoping to use Meltdown-based exploits.
An attack that uses Spectre may require more direct access to a PC – or rather the processor that runs it. In addition, Spectre may also affect more chip types from a greater range of manufacturers. For example, there are some reports that claim patches for this problem have resulted in rebooting issues in devices with certain AMD chipsets.
The updates intended to protect against Spectre or Meltdown have mostly been applied to the OS or browsers of potentially at-risk devices. However, hardware manufacturers such as Dell maintain that many more aspects of the typical user interface should also be patched against executive function-related security defects. These include Java environments, virtualisation engines and BIOS. The latter is particularly important as Spectre is relevant to a computer’s firmware rather than software.
This association is what may have led to fears that updates protecting against it may result in detriments to performance and successful booting. Intel has released the results of tests run on processors running on anti-Spectre patches that indicate a 5 percent loss in processing speed. However, these tests only included post-Haswell CPUs, leaving consumers running older technology in the dark as to how Spectre may affect them.
Ironically, there have been no reports on confirmed attacks using either of the two new exploits to date. Nevertheless, Spectre and Meltdown have had a profound impact on personal and business computing in their absence. These crucial flaws have exposed the downside to the race to be the fastest and best in the field of microprocessor electronics that has been run for the last few decades. However, users may be able to protect themselves through making sure to allow new updates for their important software that relates to interfacing or information-transfer.
There may also be important OS and BIOS patches to look out for. Their effects on personal devices may be regrettable, but may be necessary and preferable to a side channel-mediated attack. Hopefully, software and hardware manufacturers will work to avoid the risks of similar exploits in the next generation of microprocessors.
Top image: A side-by-side comparison of the integrated heat-spreaders common on AMD (left) and Intel (right) microprocessors. (CC BY-SA 3.0). The logo used by the team that discovered the vulnerability (CC0). Spectre with text (CC0)
References
Brandom R. Intel’s Spectre patch is causing reboot problems for older processors. The Verge. 2018. Available at: https://www.theverge.com/2018/1/12/16884750/meltdown-spectre-intel-patch-reboot-problems
Dell. Meltdown and Spectre Vulnerabilities. Dell Support US. 2018. Available at: http://www.dell.com/support/contents/ie/en/iebsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre
Krzanich B. Security-First Pledge. Intel Newsroom. 2018. Available at: https://newsroom.intel.com/news-releases/security-first-pledge/?cid=em-elq-33525&utm_source=elq&utm_medium=email&utm_campaign=33525&elq_cid=2826121
No comment