The Fault in Our Stars
For those who would prefer a lighter version of this article, a Romanian version is also available…
The last few weeks have been taken by storm by the rise of two unlikely celebrities. Going by the names of Meltdown and Spectre, these two fundamental CPU flaws have sparked a flurry of press releases, controversial statements, and flame wars.
Still, what is everyone afraid of? What are the big companies going to do about it? However, before we find out whose fault it is, we should delve into the problem a little.
First of all, who gets to be affected by these flaws? The short answer is: just about everyone, from die-hard PC fans to those who only buy mobile products with an Apple logo. While the Meltdown exploit mainly affects Intel CPUs (still market leaders), a few AMD CPUs and some ARM architectures, Spectre does not discriminate: if it has a CPU, it’s vulnerable.
The good news is that home users shouldn’t worry too much at this point, since updated software, a decent antivirus, and some web protection can keep their systems somewhat safe. Corporate users, however, along with those who share cloud architectures, can be far more vulnerable. The bad news is that the patches the big players have prepared may slow down everyone. To understand why, we should look at these two vulnerabilities a bit closer.
Well, the problem with Meltdown and Spectre is that they affect your hardware at a very “basic” level. Meltdown is essentially a CPU design flaw that allows an external routine (a rogue process) to read kernel information, information that should not be accessible to common processes. It does so by exploiting a gap between memory access and privilege checking during the actual hardware processing. Since it acts at a hardware level, a Meltdown attack would be undetectable. Although some CPU architectures are immune to it, most of them will have to be “patched” with one or more software solutions.
A software solution for a hardware problem? This involves changing the way the OS handles the reading of memory. Unfortunately, changing this can and will slow down some architectures.
Spectre is a functionality flaw, one that relates to the very idea of the modern CPU. You see, most modern CPUs perform something called “speculative execution”. This is basically the execution of small, unnecessary tasks, which may be useful in the near future (but are not specifically required). Speculative execution often implies another process named “branch prediction”, which is exactly what it sounds like: the ability to predict how and when a certain process will evolve. Spectre exploits the so-called “side-effects” of these techniques by accessing information (including cache) it shouldn’t have access to. This information is left behind by the subprocesses of speculative execution, a process that cannot be completely avoided or replaced. If this sounds a little too general and too technical, it’s not only because we don’t have an editor. It’s also because Spectre is not a single exploit, but a whole class of exploits, relying on the same inherent flaw.
While Meltdown might seem like a more direct “approach”, Spectre has multiple nefarious uses and won’t be fixed by software alone. Future CPUs will have to mitigate this “design choice”.
Both vulnerabilities can essentially be reduced to the same thing. A user with non-privileged access can eventually get hold of incredibly sensitive information on a computer or server. This information may include passwords and regular data, but also vital system data. For a better analysis of the flaws, you can consult this article.
Both vulnerabilities had been known for a while, or at least for a few months, according to Google Labs, who informed the affected companies about Spectre in June 2017. Meltdown may have an even longer history.
Is There a Solution?
At this point, both Meltdown and Spectre are the target of a series of patches, for operating systems and vulnerable software. However, as updates roll out for both these flaws, users might be struck by a variety of side effects, one of them being the slowing down of older hardware. While some fixes may not affect performance, some of them will, as underlined by this Microsoft Blog Post.
Indeed, newer hardware (2016 Skylake range and later iterations) won’t really feel the difference, but that makes it even worse for the owners of slower machines. This is one of the reasons why many users will most probably avoid major patches and focus on the easy-to-apply fixes (such as browser patches for web-based attacks) that don’t eliminate the vulnerability, but mitigate its range. At this point, since experts haven’t seen an actual Meltdown or Spectre attack (not that they would have noticed, anyway), it can be assumed that such an attack would involve a considerable degree of effort on the attacker’s part. In other words, home users should not be the main victims. However, that doesn’t make them any less dangerous.
To put it bluntly, an exploit that companies did not want to talk about until recently (or felt they didn’t need to) may soon be affecting both home and corporate users. In order to fix it, the brands that we love to defend or promote require us to no longer benefit from the specifications we were promised when buying our machines. If this were a car recall, it would be like getting your car back without some of its horsepower.
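An added example, not part of the original article: before deciding whether a patch is worth its performance cost, it helps to know what the machine already reports. Linux kernels 4.15 and later publish a per-flaw status line under /sys/devices/system/cpu/vulnerabilities; the function names below are this example's own, and a missing status file is treated as unknown rather than safe.

```python
"""Added example: report Meltdown/Spectre mitigation status on Linux."""
from pathlib import Path

# Linux kernels 4.15 and later expose one status file per known CPU flaw here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map a kernel status line to not_affected/mitigated/vulnerable/unknown."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base: Path = SYSFS_DIR) -> dict:
    """Return {flaw: (verdict, raw_line)} for each flaw in FLAWS.

    A missing file means the kernel predates the reporting interface,
    so the state is recorded as unknown, never as safe.
    """
    report = {}
    for flaw in FLAWS:
        try:
            raw = (base / flaw).read_text().strip()
        except OSError:
            report[flaw] = ("unknown", "status file missing or unreadable")
            continue
        report[flaw] = (classify(raw), raw)
    return report


def needs_attention(report: dict) -> list:
    """Flaws that are unpatched or whose state cannot be determined."""
    return sorted(flaw for flaw, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = read_status()
    for flaw, (verdict, raw) in result.items():
        print(f"{flaw:<12} {verdict:<13} {raw}")
    todo = needs_attention(result)
    print("Needs attention:", ", ".join(todo) if todo else "none")
```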
So, What Are We to Do?
For the moment, we can’t do much. However, in the future, it would be great if some of the companies whose labels we so proudly display could be held accountable for their attitude. While Intel’s CEO has been under siege for selling shares (after the company had been made aware of the flaws), he shouldn’t become a scapegoat.
If we want hardware manufacturers to keep us informed about vulnerabilities such as Spectre or Meltdown and if we desire the same respect that we, as users, have been giving them, we should stop our endless bickering. It’s not about Intel or AMD, about Microsoft or Apple. It’s about openness and about admitting your vulnerabilities. It’s about honesty and that’s what we should be asking for.
P.S.: Obviously, the stars in our title have nothing to do with John Green’s novel. The title just fit.