When security researchers encounter a security vulnerability, it’s usually because a programmer messed up somewhere. A buffer overflow here. An unsanitized input there. They all add up to introduce an element of insecurity.
Meltdown and Spectre are different. These two threatening issues aren’t the result of program running on the computer, but rather the computer itself. Flaws buried deep in the architecture of most modern CPUs have presented a golden opportunity for bad actors to access priveleged information held in memory.
Most computers contain iron-clad spaces where data can pass securely in an unencrypted, visible form. These work by limiting the access to that data from other applications and processes.
But Meltdown and Spectre undermine these safeguards. If exploited, they could result in an adversary accessing things like passwords and privileged data. Here’s everything you need to know about the current security nightmare du jour.
Meltdown is bad
Meltdown was dubbed by Daniel Gruss, one of the researchers that discovered the vulnerability, as “probably one of the worst CPU bugs ever found.” It primarily affects CPUs made by Intel, although ARM has introduced countermeasures to protect it.
While Meltdown and Spectre are both similar, what distinguishes Meltdown is that it pertains to the protective barriers between the underlying operating system and applications running on it.
Intel is by far the biggest CPU maker out there, and Meltdown affects every processor produced by the company since 1995. The researchers behind Meltdown have created a webpage that discusses the vulnerability in length. In the page’s Q&A section, it asks “Am I affected by the bug?”
The answer couldn’t be more stark: “Most certainly, yes.”
It’s worth noting that there are two notable exceptions. If your machine runs an Intel Atom CPU released prior to 2013 or an Intel Itanium CPU, you should be fine.
The researchers that discovered Meltdown have acknowledged it’s comparatively easy to exploit. The good news is that it’s relatively easy to mitigate against. Although the issue is borne from the device’s CPU architecture, users can be protected through software patches.
Vendors have quickly sprung into action, and a steady stream of patches have emerged. We’ll talk about them later. Before we get to that, let’s talk about Meltdown’s scary big brother, Spectre.
Spectre is worse
Remember when I said that Meltdown affects the barrier between the operating system and the application? Well, Spectre muddies the water between applications, allowing Program A to steal the secrets of Program B.
— Jake Williams (@MalwareJake) January 4, 2018
— Jake Williams (@MalwareJake) January 4, 2018
Williams mentions that this could be a nightmare scenario for those using virtual servers. He points out that it could be possible for a user with administrative access to a virtual machine on a KVM system to use Spectre in order to access the host’s kernel memory. Per Google:
When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian’s distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.
Unlike Meltdown, Spectre is vastly harder to mitigate against. A simple software patch isn’t enough. One solution is for developers to rebuild their applications with countermeasures against the attack.
That’s tricky for two reasons. Not every developer will do the legwork, and not every user will bother to install the patch.
The one big thing that makes Specture measurably worse than Meltdown is that it impacts a broader swathe of the devices we use. Intel CPUs are impacted, of course. But so too are AMD’s chips.
Spectre also impacts a significant chunk of ARM chips. These aren’t just found in phones and tablets, but also Internet of Things devices.
— Anis ⣢ (@0xUID) January 4, 2018
It’s horrifying to think, but literally every strata of computing is affected by this.
Fixing Meltdown has a measurable CPU performance cost
As mentioned, vendors have jumped into action to release software fixes to Meltdown. Unfortunately, there’s a pretty nasty side effect. Users who patch their systems may experience significant system slowdown. This ranges between 5 percent to 30 percent, according to Michael Larabel writing in Phoronix.
It’s worth mentioning that there is a major caveat here: the slowdown you’ll experience will ultimately depend on what you’re using your computer for.
Gamers, for example, should emerge relatively unscathed as the bulk of computational legwork is done by the graphics card.
Similarly, if you use your computer for the basics — like emailing and browsing the Internet — you should be alright. These tasks don’t interact with the kernel, and aren’t exactly what you’d consider to be CPU intensive.
Put bluntly, if you’re an ordinary computer user and you’re worried about a scenario where your machine feels like a Compaq desktop from 1998 that’s laden with mountains of toolbars and Bonzi Buddy, don’t be. It won’t be that bad.
The biggest hit will be felt by those who use their machines to perform CPU intensive tasks that interact with the operating system’s kernel. Think databases, virtualization, and compiling software.
Larabel benchmarked a series of tests on a computer running Ubuntu 16.04.03 LTS. For comparison, he used a latest-gen Core i7 8700K “Coffee Lake” CPU, as well as an older “Broadwell” Core i7 6800K processor.
The biggest performance hit was felt when he ran the FS-Mark v3.3 and CompileBench benchmarking tests. Both tests look at file system performance, which spells doom for machines that perform a lot of disk I/O, like a file server.
He also noticed slowdown when using the popular PostgreSQL and Redis database systems. This trend has been observed by others.
PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://t.co/N9gSvML2Fo
Best case: 17% slowdown
Worst case: 23%
— The Register (@TheRegister) January 2, 2018
Fortunately, applications that are “limited to user-space activity” should emerged unscathed. One of the tests Larabel performed was converting a video file with FFmpeg. Any slowdown here was barely noticeable.
Intel handled this badly
Intel has attracted a lot of flak as a result of Meltdown and Spectre. This is due to the fact that Meltdown is an issue that affects Intel silicon. In the interest of fairness, it’s worth mentioning that Spectre affects pretty much every modern processor from all major manufacturers. ARM, AMD, you name it.
Intel’s response was sharply criticized as being PR spin, however. Writing in The Register, Thomas Claburn scathingly accused the company of minimizing the threat posed by the two vulnerabilities, mislead users, and pass the buck to other chip vendors.
Some of the harshest criticism came from Linux founder Linus Torvalds. Writing on the Linux Kernel Mailing List, he said that Intel should take “a long hard look at their CPU’s [sic], and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”
“Or is Intel basically saying ‘we are committed to selling you shit forever and ever, and never fixing anything?’,” he asked.
It doesn’t help that Intel’s CEO, Brian Krzanich, is accused of selling off a significant amount of stock after the company became aware of the vulnerabilities.
In November, Krzanich dumped $24 million worth of shares. Intel was informed of the issues several months prior. This, obviously, is pretty poor optics. And it goes without saying that Intel’s share price took a massive dint after the news of Meltdown and Spectre became public.
If you can, you should patch your system
It’s time to update your system. Meltdown and Spectre are both serious security issues. As previously mentioned, vendors have begun to release patches, which are gradually making their way to consumers.
— Thomas Fox-Brewster (@iblametom) January 4, 2018
As mentioned earlier, the browser is a potential attack vector for Spectre. To protect yourself, ensure your browser is regularly updated. Mozilla has already issued a mitigation for Firefox.
It’ll be interesting to see what happens next. As was the case with ShellShock and HeartBleed, vulnerable systems continued to exist long after the issue became public knowledge and was addressed by vendors.
This time around, the issue isn’t a software issue, but rather something much lower-level. Spectre in particular is fiendishly difficult to mitigate against. I suspect we’ll see vulnerable systems continue to float around for a long time.
Spectre is an issue on ARM, but is purportedly extremely difficult to execute. Furthermore, a fix was part of the January patch issued to Nexus and Pixel devices by Google.
I doubt owners of older devices from other, less committed manufacturers will be as lucky though. Given the fragmented Android landscape, I predict that a sizable swathe of Droid users won’t see a patch at all.
It’s also interesting to see what happens next. In a separate blog post, Fox-Brewster raised the interesting point that if a similarly catastrophic issue emerged in the automotive industry, cars would be recalled.
— Thomas Fox-Brewster (@iblametom) January 4, 2018
Will Intel recall its chips and issue replacements or refunds? I seriously doubt it. There are a myriad of reasons why this will never happen: from cost, to logistics, to the fact that many affected chipsets are no longer in production.
But the fact is users (particularly in the enterprise world) are faced with an unenviable choice: either accept a significant slowdown of their systems, or remain catastrophically insecure.
It’s a deeply unenviable situation. Suffice to say, I think the next few weeks will be eventful for Intel, and for the broader semiconductor industry.