Meltdown and Spectre are two words that have had computer security companies panicking over the last few days and weeks.
Here’s what we know so far.
Identified by Google’s ‘Project Zero’ team, in collaboration with numerous university research teams, Meltdown and Spectre are vulnerabilities that are present in every Intel processor. They made headlines in the mainstream for a couple of days until manufacturers started talking about “patches” and “fixes”, and then the panicking was left to everyone responsible for actually creating an online solution for a hardware issue.
This, of course, cannot be done. Well, not in the purest sense anyway, but more on that in a moment.
The problem is this – modern Intel processors are clever little devices that use something called speculative execution to give you the efficient computing experience you have today. Think of it like this – you give your computer a command and rather than just working its way through a list of tasks to complete that command (which is called sequential execution) it conducts a number of calculations on what it needs to do and in which order to be most efficient. Part of this process is the creation of speculative commands, which could be described as potential actions. Some are used and some aren’t, but the problem is that those that aren’t used are leaked with virtually no permissions.
Here is what that means in practice, as described by the Graz University of Technology:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
While Meltdown may sound more ominous, Spectre is likely to be the major problem. Google has discovered a way, not to fix Meltdown, but to adjust permissions in such a way that information is not shared. The catch is that this will probably slow your computer down – with estimates of the speed loss ranging from 5% to 30%.
Spectre is trickier, not only to secure against but also to use as a hacking avenue. Ironically, its difficulty as a vulnerability makes it much worse. The only people likely to try a Spectre hack are highly competent professionals seeking information for nefarious purposes – think corporate espionage or worse. This means that even with costly updates and security measures in place, that extra layer will have workarounds present – something that a high-level professional will take into account. As one security professional said, “Spectre is well named – it’s going to haunt us for decades.”
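As an added example (not code from the original article), here is one way to check whether a machine reports the Meltdown and Spectre mitigations discussed above as active. It assumes a Linux kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities; the function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Assumption: a Linux host whose kernel reports CPU-bug status in this sysfs directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one status line to a coarse verdict."""
    if status is None:  # no file: the kernel does not report on this issue
        return "unknown"
    for prefix, verdict in (("Not affected", "not_affected"),
                            ("Mitigation:", "mitigated"),
                            ("Vulnerable", "vulnerable")):
        if status.startswith(prefix):
            return verdict
    return "unknown"

def audit(sysfs_dir=SYSFS_DIR, checks=CHECKS):
    """Return {name: (verdict, raw_status_or_None)} for each check."""
    report = {}
    for name in checks:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = None
        report[name] = (classify(raw), raw)
    return report

def needs_attention(report):
    """Checks that are neither mitigated nor reported as not affected."""
    return sorted(n for n, (v, _) in report.items()
                  if v not in ("mitigated", "not_affected"))

def demo():
    """Audit constructed sample files (not captured from a real machine)."""
    samples = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
    with tempfile.TemporaryDirectory() as d:  # spectre_v2 is left out on purpose
        for name, text in samples.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return audit(d)

if __name__ == "__main__":
    report = audit() if os.path.isdir(SYSFS_DIR) else demo()
    for name, (verdict, raw) in report.items():
        print(f"{name:11} {verdict:13} {raw or '(no status file)'}")
    print("needs attention:", needs_attention(report))
```

A missing status file is treated as "unknown" rather than safe, since a kernel too old to report on these issues is also unlikely to carry the patches.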