It’s only been four days since the start of 2018, and already we can tell it’s going to be a big year in tech. Right off the bat, there’s a big round of controversy, with the disclosure of multiple CPU vulnerabilities that are present across processors from Intel, AMD and ARM. While the vulnerabilities are now well understood, the cost of the fixes could be quite devastating for a certain manufacturer.
Their names are Meltdown and Spectre
People are fond of giving names to things; typhoons, stars and IT vulnerabilities. It’s no different here, with Meltdown and Spectre being the names of the major CPU vulnerabilities that have recently been discovered and disclosed.
But just what are they, you ask. How do they work and what’s the actual problem? To answer those questions, we need to understand a specific feature of all CPUs going back more than twenty years. It’s called branch prediction processing.
Branch prediction processing
People think of computers as complex calculators. That’s true, but they’re also built with lots of smarts. As part of the CPU wars in the late 90s, Intel, AMD and everybody else introduced predictive branch processing features. Essentially the CPU inside your computer will, under some circumstances, guess what’s going to happen next in a program, in order to utilize free CPU time.
A CPU does this by saving the progress of the current process at a part of a program that branches depending on circumstance. It then takes off on a branch of the program it thinks is most likely to be used next. Think of the computer coming to a crossroads and then taking an educated guess based on the signs. If the prediction is correct, then operations continue as normal. If the prediction was incorrect, then the CPU goes back to its previously saved state and goes down the correct path.
This is all well and good, but the newly revealed vulnerabilities all stem from this function of predictive processing.
Spectre attack variants
There are two types of attacks that the Spectre vulnerability allows.
The first allows the CPU to load data from outside the bounds of a data array that has set boundaries. However, the out-of-bounds data won’t be able to get into the program itself, but can be used during processing, and one can’t really do anything to extract useful data. This CPU vulnerability is very hard to exploit usefully if you’re a hacker. Instead, it’s far easier to use the other variant of Spectre to do something malicious.
The second variant of Spectre allows the CPU to be tricked by malicious code to run incorrect branches. Because the correct branch becomes known eventually, there’s little evidence anything malicious ever occurred. However, anybody with local access can access privileged information in addressed spaces such as encryption keys. In order to exploit this variation of Spectre, one must know how the CPU Branch Target Buffer (BTB) is addressed.
Meltdown is the most serious of the CPU vulnerabilities. Similar to the second Spectre variation, it tricks the CPU. However, this time, it tricks the processor into loading data that should not be readable from its cache memory. This relies on the CPU running operations without checking whether it should be doing it in the first place. Without such checks, sensitive data can be extracted through the running of malicious code.
What chips are affected?
Pretty much any CPU that uses branch prediction is affected by the first, but non-malicious version of Spectre. The second version of Spectre can only work when the Branch Target Buffer addressing is known. In this case, recent Intel CPUs and some ARM mobile chips are affected. No AMD chips are vulnerable to this type of attack, as their BTB addresses are not aliased in a predictable manner.
Meltdown is pretty much an Intel only bug. Because Intel’s CPUs are highly aggressive when it comes to utilising branch prediction, they are most vulnerable. This is because there is no check in these CPUs as to whether sensitive data should be loaded from cache. In fact, this lax security flaw goes back to 2008 with the first of its Nehalem CPUs.
What’s the fix?
Both Spectre and Meltdown are hardware architecture issues. Because of this, the only way to plug the holes is to prevent software from acting in the manners described above. There is no way that CPU architectures can be changed now that they’re already out there.
As to the performance degradation of each of the CPU vulnerabilities:
- Spectre variant one has an easy software fix, with minimal performance impacts
- Spectre variant two also has a relatively simple software fix, already implemented in Linux. Performance impacts should also be minimal.
- Meltdown requires that operating systems unmap all privileged memory spaces, so malicious code can’t find sensitive data. Marking them inaccessible is not enough, since Intel ignores that. Workloads that require access to sensitive memory spaces and the data contained within could see up to thirty percent performance loss.
Microsoft has already issued a patch to plug the holes in supported Windows operating systems.
Should you worry?
These CPU vulnerabilities are not going to affect home users and gamers all that much. In fact, your typical desktop, tablet and smartphone won’t be doing much of the affected workloads, or even hold the kind of data the exploits target.
Those who should be worried are big datacentres, which run mostly Intel servers. Meltdown is the vulnerability most likely to affect them, and ultimately Intel. If operators start switching over to alternative hardware providers such as AMD Epyc or Power PC chips which are immune to the exploit, then Intel could be in deep financial trouble.
The trouble is that by being able to read sensitive data, such as cryptographic keys, hackers can then start changing, editing and generally screwing around. Passwords won’t be safe. Neither will your personal details stored in these places.
Intel should be punished for this. Whether they are, at least by their customers, is another question entirely.
Either way, the fallout of this event could roll on for quite some time. Somebody’s PR department is going to be working overtime. However, a true hardware fix for Intel customers looks to be some time away.