Modern computer processors have severe security flaws

Malicious exploits Meltdown and Spectre could abuse speculative execution to steal data

Two bombshell research papers recently revealed a pair of crippling security flaws, called Meltdown and Spectre, that are present in practically every modern computer processor running today.

Meltdown affects almost all manufactured Intel chips and some Arm chips, whereas Spectre likely affects all major brands: Intel, AMD, and Arm. Intel and AMD chips are used in personal computers, while Arm chips are used in smartphones. As a result, most devices are vulnerable.

Both flaws abuse an advanced processor feature known as speculative execution. As your device runs an application, it also looks ahead at decision points in the code, guesses which direction the application is likely to follow, and runs the code preemptively. Modern processors are surprisingly good at guessing in which direction the application will go.

If the application follows the predicted path, valuable processor time is saved, as the results will have already been computed. If not, the results are discarded.

Speculative execution does not affect the outcome of an application’s task when the application follows a different path than predicted. However, the application can detect that certain instructions took slightly longer to perform.

From this information, the nature and content of data in a device’s memory can be deduced. For example, JavaScript in your browser could steal saved passwords using this method.

This has implications for institutions like U of T. “If an attacker successfully gets malware on a U of T device, that malware could use these vulnerabilities to steal passwords or keys being used on that device,” said David Lie, a software security expert and professor in the Department of Electrical and Computer Engineering.

The studies’ researchers actually discovered the flaws last year and privately told large technology firms to start preparing for software patches before the release of their findings.

Fortunately, software companies are now rolling out security updates at the operating system (OS) level, which users are highly advised to install in order to protect against these vulnerabilities. Meltdown is reasonably simple to patch in software, although Spectre is much more difficult.

Unfortunately, these OS patches come at the cost of performance. Most programs will be hit with a slight slowdown, with the theoretical worst-case scenario being a 50 per cent reduction. Operations such as disk access may be significantly affected as well.

Older processors, unfortunately, do not have the ability to selectively disable features as specifically as recent models. “There is collateral damage as the patches have to disable… features that are [not at risk] to ensure that the vulnerable features are also disabled,” said Lie. Therefore, older processors will see a more significant slowdown as a result.

U of T’s Enterprise Infrastructure Solutions (EIS), which operates the campus network backbone, also manages servers for cloud computing. EIS informed its users via email that it has “actively taken steps to secure our cloud services.” Most of their servers have already been patched, although “customers will also need to update the OS as soon as possible.”

Aside from certain technology firms, it appears that no other organizations were warned ahead of time. “There was no advance knowledge besides the public release of the information,” said Michael Wiseman, Acting Director of Information Security at U of T.

According to Wiseman, U of T will be following all recommended procedures to fix the security flaws, including installing patches.

While the world is now aware of these vulnerabilities, and organizations are taking the steps to fix them, there remains a lingering fear. Since researchers have been aware of Meltdown and Spectre since last year but only released this information in 2018, it is possible that malicious exploits have taken advantage of these flaws already.

Lie dispelled these fears, noting that although the vulnerabilities are powerful, exploiting them is not easy, nor could it be done quickly. “If an attacker has several vulnerabilities they could use, Meltdown or Spectre may not be the first one they reach for unless the other vulnerabilities have been patched.”

Wiseman agreed, noting that the sophistication of Meltdown and Spectre suggests that it is unlikely that an attack involving these vulnerabilities has occurred as of yet.

“Now that the information is out, we all have to be a bit more concerned,” said Wiseman.

Fear gone viral

The 2015 outbreak in Brazil has prompted global fears that Zika could be the next Ebola

About a year ago, the Zika virus broke out in Brazil. While your social media feed may have been inundated with posts on the Zika virus, the majority of people still aren’t quite sure what it is. Quickly after the May 2015 outbreak in Brazil, the virus was transferred to neighbouring countries, including Mexico and a number of others in South America.

After the media attention dedicated to the Ebola outbreak in West Africa and the resulting fear of it metastasizing into a global epidemic, the Zika virus is being treated with extreme caution. At the moment, many experts are unsure of the full extent of the danger.

What is the Zika virus?

The Zika virus is part of the Flaviviridae virus family and is transmitted to humans via mosquitoes, most often by Aedes aegypti.

The Zika virus is closely related to a number of other mosquito-transmitted diseases such as West Nile, dengue, and yellow fever. Zika causes a number of symptoms, collectively known as ‘Zika fever’, which is not fatal. In adults, the virus causes headaches, rashes, fever, and joint pains.

Where did the Zika virus come from?

Like Ebola, Zika was already known to scientists before its most recent outbreak. The virus causing the disease was first isolated from a monkey, the rhesus macaque, in the Zika Forest of Uganda in 1947. Not too long after, the virus was isolated from humans in Nigeria in 1954.

Why are people worried?

When dealing with diseases that have the potential to become pandemics, it is always best to tread with extreme caution. Although the symptoms of the disease in adults are mild in comparison to other viral diseases (like Ebola or HIV), recent evidence has demonstrated a significant link between mothers infected during the first trimester of pregnancy and microcephaly — the underdevelopment of the brain — in their newborn children.

For this reason, the Centers for Disease Control (CDC) has issued travel warnings for pregnant women from a large number of countries in the Caribbean and South America, two areas where Zika cases have been reported. As of Tuesday, January 26, the CDC also added the U.S. Virgin Islands and the Dominican Republic to the list.

The near-global nature of the disease is becoming particularly concerning. The World Health Organization (WHO) has advised that the virus has the potential to spread to every country in the Americas.

Should Canadians be concerned?

On January 28, 2016, the WHO declared that they believe the virus has crossed over into common mosquitoes, including those that live in Canada. Whether or not this recent announcement is cause for concern still remains unclear.

So is the media panic really necessary?

For the most part, people are still concerned about the dangers of infectious disease after having seen the fear of Ebola spread faster globally than the disease itself.

At the same time, the link between the disease and microcephaly in children definitely makes it something to be worried about. We also lack drugs, significant research, and a vaccine for the Zika virus. If the disease really gets out of hand, then we — and most importantly, our infants — will be left vulnerable.

Realistically, an excessive response may be the best response at the moment. Many critics have pointed out that the 2014 Ebola outbreak was caused by the lack of a serious response to earlier Ebola outbreaks, like the one responsible for 254 deaths in Zaire in 1995. It was the lack of a swift response to finding a clinical vaccine that allowed it to redevelop into the 2014 outbreak. For that reason, global apprehension and awareness are actually vital.

At the end of the day, Zika virus has the potential to be very damaging to newborns and to infect many more in the Americas. For these reasons alone, the Zika virus, like any infectious disease, should be treated with extreme caution.