Meltdown and Spectre: the processor bugs causing blue screens and red faces
Another month, another data security breach. This time it’s not just a big corporation that’s had its vulnerabilities exposed, it’s every device that uses an Intel, ARM or AMD processor – i.e. the vast majority of them! Even more worryingly, those chips have had these flaws for around 20 years!
Cutting corners
The two bugs, which have been dubbed Meltdown and Spectre, are loopholes in the way that processors execute tasks, which malware could use to gain unauthorised access to information.
Due to our demand for faster and faster processing speeds, for the last couple of decades chips have been designed to save time and avoid bottlenecks by effectively skipping ahead in the execution of code. When it comes to a fork in the code, the processor will venture a little way down each option to give itself a head start.
However, security researchers have found that this running out of order, or ‘speculative execution’, creates a loophole that can be exploited, as the speculative execution isn’t very good at differentiating high-permission memory from low-permission memory.
In the Meltdown bug, malicious code can trick the processor into letting it access restricted memory (such as passwords, emails or history) before the processor realises that the malicious code shouldn’t have access, and potentially then trick it again into thinking that the code should have access before the processor catches up.
Spectre is a little more complicated: it leverages speculative execution to trick innocent programs or system processes on a computer into planting their secrets in the processor’s cache, where they could then be leaked out to a hacker performing a Meltdown-like timing attack. This article gives a good rundown of both bugs in further detail.
Fallout
Journalists disclosed the bugs in the first week of the New Year, but the manufacturers had been made aware of them in the middle of 2017 and were just about to make the information public (or so they say!). Strangely for an issue that’s been underlying for 20 years, it was discovered by multiple different groups of security researchers across the world all roughly within a month or two of each other.
Attempts to hurry out patches haven’t been plain sailing. Microsoft was forced to abort all security updates when they started to receive complaints from customers reporting being left with the dreaded “blue screen of death” when they tried updating on Windows 10, 8.1 and 7.
Some have claimed that the patches have drastically slowed down their running speeds. Google insists that their patches “introduce minimal performance impact” that will diminish over time, and Intel claim that their impacts are “dependent on workload” – the average user won’t notice any difference.
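To check whether the patches are actually active on a machine, Linux kernels that include them report a status line per bug under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not part of the original article; the function names and the sample values are assumptions made for illustration.

```python
from pathlib import Path

# Linux kernels that carry the Meltdown/Spectre patches report status here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
BUGS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents in the kernel's reporting format (not real output).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

def classify(raw):
    """Map one status line to a (state, detail) pair."""
    text = raw.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text[len("Vulnerable"):].lstrip(":, "))
    return ("unknown", text)

def read_status(directory=SYSFS_DIR, bugs=BUGS):
    """Read each bug's status file; None means the kernel does not report it."""
    status = {}
    for bug in bugs:
        try:
            status[bug] = (Path(directory) / bug).read_text()
        except OSError:
            status[bug] = None
    return status

def audit(status):
    """Classify every entry; a missing file is 'unreported', not 'safe'."""
    return {bug: ("unreported", "") if raw is None else classify(raw)
            for bug, raw in status.items()}

def needs_attention(report):
    """Bugs that are neither mitigated nor inapplicable on this CPU."""
    return sorted(bug for bug, (state, _) in report.items()
                  if state not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    live = read_status()
    # Fall back to the constructed sample when not running on a patched Linux host.
    source = live if any(v is not None for v in live.values()) else SAMPLE
    for bug, (state, detail) in audit(source).items():
        print(f"{bug:12} {state:13} {detail}")
```

A missing status file is reported as "unreported" rather than safe, since a kernel old enough to lack the interface also lacks the patches behind it.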
So far the main response from customers and industry alike is bemusement. Perhaps there would be more anger if the bugs were uncovered off the back of a major hack, but at the moment it seems like they were discovered by the right people first. Of course, there’s no way of knowing for sure that the bugs haven’t been discovered and exploited before under wraps, a fear that seems pretty plausible given that the bugs have been around for 20 years.
Maybe it’s the ubiquity of the problem that makes it easier to swallow, or rather harder to feel indignant about. Maybe it’s the fact that it’s our obsessive need for processing speed that’s to blame. Either way, Meltdown and Spectre show that even the most standardised component needs diligent security testing.