Two bombshell research papers recently revealed a pair of crippling security flaws, called Meltdown and Spectre, that are present in practically every modern computer processor running today.
Meltdown affects almost all manufactured Intel chips and some Arm chips, whereas Spectre likely affects all major brands: Intel, AMD, and Arm. Intel and AMD chips are used in personal computers, while Arm chips are used in smartphones. As a result, most devices are vulnerable.
Both flaws abuse an advanced processor feature known as speculative execution. As your device runs an application, it also looks ahead at decision points in the code, guesses which direction the application is likely to follow, and runs the code preemptively. Modern processors are surprisingly good at guessing in which direction the application will go.
If the application follows the predicted path, valuable processor time is saved, as the results will have already been computed. If not, the results are discarded.
The speculative execution feature does not have an effect on the outcome of an application’s task if it follows a different path than predicted. However, the application can detect that it took slightly longer to perform certain instructions.
From this information, the nature and content of data in a device’s memory can be deduced. For example, JavaScript in your browser could steal saved passwords using this method.
This has implications for institutions like U of T. “If an attacker successfully gets malware on a U of T device, that malware could use these vulnerabilities to steal passwords or keys being used on that device,” said David Lie, a software security expert and professor in the Department of Electrical and Computer Engineering.
The studies’ researchers actually discovered the flaws last year and privately told large technology firms to start preparing for software patches before the release of their findings.
Fortunately, software companies are now rolling out security updates at the operating system (OS) level, which users are highly advised to install in order to protect against these vulnerabilities. Meltdown is reasonably simple to patch in software, although Spectre is much more difficult.
Unfortunately, these OS patches come at the cost of performance. Most programs will be hit with a slight slowdown, with the theoretical worst-case scenario being a 50 per cent reduction. Operations such as disk access may be significantly affected as well.
Older processors, unfortunately, do not have the ability to selectively disable features as specifically as recent models. “There is collateral damage as the patches have to disable… features that are [not at risk] to ensure that the vulnerable features are also disabled,” said Lie. Therefore, older processors will see a more significant slowdown as a result.
U of T’s Enterprise Infrastructure Solutions (EIS), which operates the campus network backbone, also manages servers for cloud computing. EIS informed its users via email that it has “actively taken steps to secure our cloud services.” Most of their servers have already been patched, although “customers will also need to update the OS as soon as possible.”
Aside from certain technology firms, it appears that no other organizations were warned ahead of time. “There was no advance knowledge besides the public release of the information,” said Michael Wiseman, Acting Director of Information Security at U of T.
According to Wiseman, U of T will be following all recommended procedures to fix the security flaws, including installing patches.
While the world is now aware of these vulnerabilities, and organizations are taking the steps to fix them, there remains a lingering fear. Since researchers have been aware of Meltdown and Spectre since last year but only released this information in 2018, it is possible that malicious exploits have taken advantage of these flaws already.
Lie dispelled these fears, noting that although the vulnerabilities are powerful, exploiting them is not easy, nor could it be done quickly. “If an attacker has several vulnerabilities they could use, Meltdown or Spectre may not be the first one they reach for unless the other vulnerabilities have been patched.”
Wiseman agreed, noting that the sophistication of Meltdown and Spectre suggests that it is unlikely that an attack involving these vulnerabilities has occurred as of yet.
“Now that the information is out, we all have to be a bit more concerned,” said Wiseman.