Peter Bright, Technology Editor at Ars Technica, has authored a series of especially informative, albeit technically complicated, explanations of the two vulnerabilities named Meltdown and Spectre.
In this post, we will include some excerpts as we attempt to simplify the vulnerabilities and key takeaways in the interest of satisfying your curiosity or concern, and saving you from reading the plethora of technical articles that have justifiably been a part of the recent news cycle.
At BizTech, we empower each client to accomplish their mission through technological innovations and operation improvements. This includes anticipation and response to technical issues that might impact user productivity.
What is the security vulnerability?
The two flaws named Meltdown and Spectre take advantage of how a physical processor manages information. It was determined that these flaws, which share similar characteristics, could be used to gain unauthorized access to information stored in a temporary cache. It was thought, until recently, that this access was protected by a combination of process instruction isolation, tiered privilege checks, and address space randomization. The newly discovered flaws make it possible to extract information that a rogue process would not otherwise have permission to access, namely discarded data temporarily stored in the processor kernel or cache. The information accessed could be coming from the Operating System or even directly from a web browser itself. Of the two flaws, Spectre presents the more challenging problem because its attack is more generalized, so the solution is not as straightforward.
Peter described the problem in this way:
“At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they'll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.”
Peter continues, “However, while the discarded effects of this speculative execution don't alter the outcome of a program, they do make changes to the lowest level architectural features of the processors.” Herein lies the problem: the anticipated actions of the processor, by design, allow for exploitation of the discarded data.
What devices are affected?
Unlike security flaws related to malware, this newly discovered vulnerability happens at the hardware level. The processors that are affected are manufactured by Intel, AMD, and ARM. These modern-day, high-performance processors are built on chip architecture that dates back a decade. They can be found in both business and personal computers, along with a myriad of other processor-embedded smart devices like phones, barcode readers, thermostats, and TVs, for example. Because the vulnerability exists at the hardware level, affected devices might be running Operating Systems including Microsoft Windows, Apple iOS or macOS, Linux, or Google Android or ChromeOS. For the business user, this means your Server, PC, Mac and Smartphone.
Peter notes, “While all modern processors, including those from Intel, AMD, and ARM, perform speculation around memory accesses, Intel's processors do so in a particularly aggressive way.”
What is the solution response?
The release of information to the public seems to have been a loosely coordinated reveal through a joint effort between affected vendors. The response from the various hardware manufacturers and affected Operating Systems is continually evolving. For example, Windows, macOS and Linux have all received software-based security patches, some delivered automatically through updates on affected systems. The results have been mixed with some updates being pulled from Windows Update, based on the failure of some systems with certain hardware specifications. This is despite the fact that Microsoft began testing patches back in November.
Hardware manufacturers have a more difficult solution path ahead, including firmware and microcode level updates. However, this hardware level patching is only a band-aid. A true solution will not exist until the processor architecture is changed on next generation hardware.
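As a practical check on the Linux patches mentioned above, the following added example (not part of the original article or of Ars Technica's coverage) reads the status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities and reports whether each flaw is mitigated. The function names and the coarse state labels are assumptions made for this illustration.

```python
"""Added example: report Meltdown/Spectre mitigation status on Linux."""
import sys
from pathlib import Path

# Kernel-provided status files (Linux 4.15 and later); not mentioned in the article.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = {"meltdown": "Meltdown", "spectre_v1": "Spectre variant 1",
          "spectre_v2": "Spectre variant 2"}


def classify(text):
    """Map one kernel status line to a coarse state (hypothetical labels)."""
    text = text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base=SYSFS_DIR):
    """Return {file_name: (state, raw_text)} for each flaw in CHECKS."""
    report = {}
    for name in CHECKS:
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # A missing file means the kernel predates the reporting
            # interface (or this is not Linux): treat as unverified.
            report[name] = ("unknown", "status file missing")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Names of flaws that are vulnerable or could not be verified."""
    return sorted(n for n, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    report = read_status()
    for name, (state, raw) in report.items():
        print(f"{CHECKS[name]:<18} {state:<13} {raw}")
    # Non-zero exit lets a patch-compliance job flag the host.
    sys.exit(1 if needs_attention(report) else 0)
```

A "mitigated" result reflects only what the running kernel reports; firmware and microcode updates from the hardware vendor are tracked separately.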
What will be the performance impact?
To work around the way processor architecture is designed to manage information, patches for Meltdown and Spectre have to add layers of protection. These additional layers lengthen the process instruction pipeline for data management to mitigate the risks. In short, it will now take longer for the processor to process each instruction. The actual impact on end user productivity has much to do with what kind of power user you are.
A number of qualified benchmarking sources are beginning to demonstrate that most typical users will land on the low side of the predicted 5% – 30% performance impact range. While this is good news for most business users with on-premises infrastructure, the potential impact on the many cloud-based solutions that leverage the Microsoft Azure and Amazon Web Services computing platforms could be huge. Think of all of the cloud-based business and personal apps you use... No one wants to have Netflix stream an episode of Stranger Things so slowly that we can’t get it finished over a lunch break!
Patching the Meltdown flaw may have little impact to the traditional business user. Peter references a Microsoft statement that notes we should expect a bigger impact on systems running Windows 7 and Windows 8. He continues,
“The overhead of a few percent assumes that workloads are standard desktop workloads; browsers, games, productivity applications, and so on. These workloads don't actually call into the kernel very often, spending most of their time in the application itself (or idle, waiting for the person at the keyboard to actually do something). Tasks that use the disk or network a lot will see rather more overhead.”
What are the key takeaways?
The security vulnerability inherent to processor architecture, by way of the Meltdown and Spectre flaws, is serious. The security ramifications are classified as having potentially “catastrophic” results. Solutions to this problem are continually evolving as vendors focus on patching the two flaws in their affected systems. The performance impact will vary, based on the hardware platform and power profile of the business user. This is a problem that we will be hearing about for some time, and it justifiably demands our continued attention as the situation develops.
Source credit: ARS TECHNICA