Friday, January 5, 2018

Meltdown and Spectre


With the Equifax Inc. breach still visible in our rearview mirror, we didn’t expect to be discussing another massive cyber vulnerability quite so soon. But two recently discovered processor flaws called Meltdown and Spectre may have implications that are far more widespread and serious. The Equifax debacle affected roughly half of the adults in the United States. Between them, Meltdown and Spectre affect the processors of nearly every computer, tablet, smartphone, and cloud computing service in current use. Virtually every person, business, military, and government agency in the world is a potential victim.

How did this happen?


Both vulnerabilities can be traced back to our civilization’s ever-growing demand for faster computers. We want (and expect) each generation of information technology devices to be noticeably quicker than its predecessors. In an attempt to satisfy the continual demand for greater speed, manufacturers of processors began relying on a technique known as “speculative execution.” In simple terms, a processor tries to guess which code instructions will be needed next, and then fetches the “speculative” code from memory to have it ready at the instant it’s required. When the processor’s guess turns out to be wrong, it needs to flush the speculated code and then load the correct code before proceeding.

Meltdown, which is specific to Intel chips, exploits the way speculative executions are stored in a processor's cache. Essentially, it develops a model of what’s currently loaded in the processor by digging through the processor's trash, and then uses that model to reconstruct parts of the computer's high-privilege memory, including passwords and sensitive personal information.

By contrast, Spectre directly exploits the process of speculative execution. A Spectre attack fools a target processor into speculatively executing code sequences that should not be active during correct program execution. This can force even the most secure applications to render up protected information.

Every processor manufacturer implements speculative execution in its own (usually proprietary) fashion. As a result, a Spectre exploit which affects one set of processors may not be effective against another set of processors. This makes Spectre far more difficult to execute than Meltdown, but also far more difficult to prevent or repair.

What’s at risk?


Basically, everything. Make no mistake. Top-level industry analysts believe this represents a global failure of computer security at the fundamental level. As of this writing, no hostile exploits of either flaw are known to exist. But the weaknesses are now public knowledge, so it’s only a matter of time until hackers and other hostile actors figure out a way to capitalize on the vulnerabilities.

What’s the fix?


Software patches for Meltdown are already available for Windows, most supported versions of Linux, and other operating systems. Unfortunately, these patches can slow down computers by 20 to 30 percent. Clearly, this will have implications for processing speeds, download speeds, and all online services for the foreseeable future.

A resolution for Spectre is less easily obtained. The flaw affects nearly all microprocessors on the market, and according to Google Project Zero (the security research group who discovered both weaknesses), a fix for Spectre may require the development and fielding of an entirely new generation of processor chips.

Links:


Apple says all iPhones, iPads, and Macs are affected.
