AEC statement on Meltdown & Spectre vulnerabilities.
1/12/2018
AEC statement on Meltdown & Spectre vulnerabilities.

During the last few weeks, the internet news and papers are being filled with information about the Meltdown and Spectre security defect. These two are hardware vulnerabilities, which, once again after some time, affect the general public all over the world.

What is the problem about?

Microprocessors, which are today an integral part of the daily life of each person or household, are the core of problem. The main names that are being mentioned in association with these vulnerabilities are Intel, AMD, or ARM. But this issue concerns also other companies with products based on similar technologies, such as nVidia graphic processors, A-chips in Apple mobile devices, or Snapdragon processors from the Qualcomm company. Theoretically, this issue thus concerns the major part of the computers, mobile phones, and data centers existing all over the world.

 

More detailed view?

Both these vulnerabilities differ on the principle, but both of them, simply put, enable access to that part of the processor memory, into which the process has, under normal circumstances, no proper authorizations.

Meltdown (Rogue Data Cache Load, CVE-2017-5754) is based on the situation, where a harmful process can gain access to the memories of operating system, processes, or virtual machines, which can be found in the same cloud. The main targets are the selected chips from the ARM family, but most of all, the great number of the x86 Intel microprocessors that contain a single memory, both for the processors, as well as for the system core. The attacker is thus able to access the operating system core memory, including the process, simply operating under an unprivileged user account. Of course, the processors contain security mechanisms checking any access to the protected area of the memory, but before there comes a turn for these instructions to happen, the content of the core is already loaded into the cache of the memory, where, with the right timing, it is freely accessible.

Spectre (CVE-2017-5753, CVE-2017-5715) is somewhat more global issue, impacting also the AMD processors and the other players named above. This vulnerability is resulting from the co-called code branch prediction technology, which is used by the processors in order to ensure their most efficient operation. Spectre is then divided into several variants, which are used by the attacking process in order to be able to access the restricted part of the cache. As opposed to Meltdown, the target is only the other processes’ memory, not the core of the system.

Who is at fault?

Although we could blame first and foremost the manufacturers of the processors, the answer to the question above is not so simple. In the past, the processors’ frequencies unambiguously determined their performance. But physical and technology limitations stood behind the fact that the manufacturers of the microprocessors started to develop diverse techniques optimizing the operation of the processor cores, processing the instruction chains, and calculations, all of it in the name of the microprocessor performance increase. Some of these techniques include for example the “out-of-order execution” allowing to execute calculation out of order, or methods for speculative executions and code branch predictions, which are trying to predict the correct sequence of the instructions inside the thread when the conditions are in place. Mostly technologies as these are behind the significant increase of the processors performance during the last few years; however, this positive effect occurred in exchange for the security deficiencies in their architectures, which surfaced fully only in the autumn of last year.

Are my devices vulnerable?

Until today, there are no attacks known, which would misuse the above-mentioned vulnerabilities. In order to keep it that way, there are no specific technical details available, apart from the already published articles.

You can test it yourself, whether your computer is protected against Meltdown or Spectre. Presence of the first of these vulnerabilities may be checked either by using the script issued by Microsoft few days ago, or by a free Spectre Meltdown CPU Checker application issued by the Ashampoo software company. A special web page of the Tencent's Xuanwu Lab Chinese security team can be used in order to check whether for example your internet browser is protected against Spectre.

https://www.powershellgallery.com/packages/SpeculationControl/1.0.3
https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker
http://xlab.tencent.com/special/spectre/spectre_check.html

   

How to protect yourself?

Since it is a hardware defect, its correction is very complicated. It is a threat to all operating systems – starting with desktop MS Windows, Linux, or Mac OS, up to mobile iOS, Android, or Windows Mobile. No matter if this issue affects the products of the previously mentioned manufacturers more or less, all of the microprocessors and operating systems manufacturers are recently, one by one, issuing security patches, which should serve as a software prevention of misuse of the Spectre and Meltdown vulnerabilities in the future.

Consequences?

Users should not, apart from compulsory updates and shutdowns of servers and cloud services, be significantly impacted by these problems. Security patches for Intel processors are still the great unknown, because their shared memory architecture requires a more complex correction on the operating system side. At present, this fact manifests itself in a form of lower performance during selected operations in Microsoft Windows 7 and 8.1 systems, and in some Linux distributions, namely in case of older processors. But this situation is not final because the developers are working intensively on optimization of their patches. Therefore, it is quite possible that in few weeks the situation will be stabilized and everything will be back on track. At least until the experts discover some other critical vulnerabilities, which will influence the world of information technologies once again.