Meltdown and Spectre CPU Vulnerabilities explained

Even since the dawn of the computing age, creation and preservation of data along with its security have been of prime concern. The computing age has been pioneered by some of the greatest minds ever in Human history such as Tim Berners-Lee, Steve Jobs, Bill Gates to name a few mortals. Since most of the computing product architectural specifications are unknown to the common man, bugs and security issues keep on cropping frequently, to say the least. Meltdown and Spectre are two such CPU vulnerabilities that hogged the limelight for the year 2017.

What is Spectre?

Spectre is a CPU vulnerability that affects how the processor predicts some of the operations that it may need to perform in the near future by using a technique called as branch prediction and speculative execution. It may not sound that much dangerous but get this scenario, for eg: Attackers may get some useful information such as your personal information even when you aren’t doing any activity related to it just because the CPU thinks you may need the information so it prefetches it prior to the actual need and it stays idle in the CPU’s memory.

Spectre Logo

Source: Wikipedia

What is Meltdown?

Meltdown is a hardware vulnerability that all of the system’s memory to be readable by a rogue process even without having all the required permissions to do so. It typically exploits the race condition that occurs in processors when two or more processes are in the queue to access a shared resource.

This affects all the modern processors from AMD (although unknown at this point in time), Intel, Qualcomm and IBM. Since the threat is at a hardware level even the most recent and patched versions of all major OSes are affected.

Meltdown logo

Source: Wikipedia

Why is Meltdown and Spectre a concern now and not before?

Cyber Security in the computing age is an ongoing continuous process with new vulnerabilities discovered every now and then. It is also impossible to further predict what issues may crop up in the near future beforehand. All around the world thousands of security researchers spend countless days and nights to examine all of our digital footprints to make sure that these kinds of threats are detected beforehand.

Both Spectre and Meltdown are were discovered independently by a group of cybersecurity specialists in the year 2017 and alarms were raised to the concerned authorities and both of these vulnerabilities were made public on 3rd of January 2018.

These are very severe computing security defects that were initially believed to be false by many cybersecurity professionals. But both of them gained traction in the cybersecurity space when many Computing Heavyweights such as when Microsoft demonstrated it in JavaScript JIT engines and also verified by many independent cybersecurity professionals.

Meltdown Security Vulnerability Discoverers:

  • Jann Horn (Google Project Zero)
  • Werner Haas, Thomas Prescher (Cyberus Technology)
  • Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)

Spectre Security Vulnerability Discoverers:

  • Jann Horn (Google Project Zero) and
  • Paul Kocher in collaboration with, Daniel Genkin (the University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).

Source: https://meltdownattack.com

What all devices and vendors are affected by Meltdown and Spectre?

  • All modern CPU’s from Intel, AMD (although unknown at this point in time), IBM and Qualcomm seem to be affected by these vulnerabilities affect the inherent way these processors are designed to function.
  • All smartphones which use the ARM processor architecture design and made by Qualcomm, although only a few of the ARM processors are affected and information regarding these is expected from Qualcomm’s end.
  • All Cloud infrastructure providers such as Amazon AWS, Microsoft Azure, Google Cloud Platform using server CPUs from Intel or AMD (although unknown at this point in time).
  • All IOT and other smart devices using ARM’s patented microprocessor instruction for its CPU.

Meltdown and Spectre Implications:

  • First and foremost, raw and unprotected data is exposed during its execution even when not needed causing a whole range of information stealing attack vectors to be used.
  • Currently, well-documented videos exist to demonstrate the proof of concept for Meltdown and Spectre.
  • Since these architectural defects are present since the dawn of the modern day CPUs, just a single patch cannot resolve the problem fully.
  • Spectre itself will lead to a group of new attack vectors which will cause additional headaches in the upcoming years to go.
  • Patches are in development for both Spectre and Meltdown by different CPU vendors alike but those are slated to decrease the overall performance of the existing systems. Intel CPUs back from even 2011 is said to be affected at this point in time.
  • OS level patches are also being developed by major OS vendors such as Microsoft and Apple but still, these issues will need to be mitigated at the hardware level.

Meltdown and Spectre

Source: The EU Cyber Security Agency

Meltdown and Spectre Safety Measures:

  • As an end user, nothing can be done at the hardware level.
  • At the software front, install all the latest software patches available from the respective OS vendors (but this will decrease CPU performance up to 20% in some cases).
  • Install and update anti-malware software on your computing systems (this will, in theory, protect the systems once the attack vector signatures get known).
  • Do not click on suspicious links and download content that may harm your system or open unknown email attachments.
  • Buy newer hardware which is said to have mitigated Meltdown and Spectre vulnerabilities (statement from Intel confirms this).

At this point in time, we at The Techies Guide can simply offer to say is that “at an individual level You and You alone are responsible for the safety of Your data”.

Related: Downloading torrent files in an iPhone.