In the first days of 2018, published research revealed that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws, with specific variations on those flaws being dubbed Spectre and Meltdown. The flaws arise from features built into chips that help them run faster, and while software patches are available, they may have impacts on system performance. There is as of yet no evidence that these flaws have been exploited in the wild, but such exploits would be difficult to detect, and the flaws are so fundamental and widespread that security researchers are calling them catastrophic.
What are Spectre and Meltdown?
Spectre and Meltdown are the names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip manufactured in the last 20 years and could, if exploited, allow attackers to get access to data previously considered completely protected. Security researchers discovered the flaws late in 2017 and publicized them in early 2018. Technically, there are three variations on the vulnerability, each given its own CVE number; two of those variants are grouped together as Spectre and the third is dubbed Meltdown.
What is speculative execution?
Speculative execution essentially involves a chip attempting to predict the future in order to work faster. If the chip knows that a program involves multiple logical branches, it will start working out the math for all of those branches before the program even has to decide between them. For instance, if the program says, "If A is true, compute function X; if A is false, compute function Y", the chip can start computing both functions X and Y in parallel, before it even knows whether A is true or false. Once it knows whether A is true or false, it already has a head start on what comes after, which speeds up processing overall. Or, in another variation, if a chip learns that a program makes use of the same function frequently, it might use idle time to compute that function even when it hasn't been asked to, just so it has what it thinks the answer will be on hand.
What is caching?
Caching is a technique used to speed up memory access. It takes a relatively long time for the CPU to fetch data from RAM, which lives on a separate chip, so there's a special small amount of memory storage called CPU cache on that lives on the CPU chip itself and that can be accessed very quickly. This memory gets filled with data that the chip will need soon, or often. What's relevant for our situation is that data that's output by speculative execution is often stored in cache, which is part of what makes speculative execution a speed booster.
The problem arises when caching and speculative execution start grappling with protected memory.
What is protected memory?
Protected memory is one of the foundational concepts underlying computer security. In essence, no process on a computer should be able to access data unless it has permission to do so. This allows a program to keep some of its data private from some of its users, and allows the operating system to prevent one program from seeing data belonging to another. In order to access data, a process needs to undergo a privilege check, which determines whether or not it's allowed to see that data.
But a privilege check can take a (relatively) long time. So — and this is the key to the vulnerability we're discussing — while the CPU is waiting to find out if the process is allowed to access that data, thanks to speculative execution, it starts working with that data even before it receives permission to do so. In theory this is still secure, because the results of that speculative execution are also protected at the hardware level. The process isn't allowed to see them until it passes the privilege check, and if it doesn't pass the check, the data is discarded.
The problem arises because the protected data is stored in CPU cache even if the process never receives permission to access it. And because CPU cache memory can be accessed more quickly than regular memory, the process can attempt to access certain memory locations to find out if the data there has been cached — it still won't be able to access the data, but if the data has been cached, its attempt to read it will be rejected much more quickly than it otherwise would. Think of it as knocking on a box to see if it's hollow. Because of the way computer memory works, just knowing the addresses where data is stored can help you deduce what the data is. This is what's known as a side-channel attack.
What's the difference between Spectre and Meltdown?
If you want a much more technical description of how Spectre and Meltdown work, you should check out the post on Google's Project Zero site that was most of the world's introduction to it. To keep it short and simple, both Spectre and Meltdown could allow potential attackers to get access to data they shouldn't have access to using the techniques outlined above, but their effects are somewhat different:
- Meltdown got its name because it "melts" security boundaries normally enforced by hardware. By exploiting Meltdown, an attacker can use a program running on a machine to gain access to data from all over that machine that the program shouldn't normally be able to see, including data belonging to other programs and data that only administrators should have access to. Meltdown doesn't require too much knowledge of how the program the attacker hijacks works, but it only works with specific kinds of Intel chips. This is a pretty severe problem but fixes are being rolled out.
- By exploiting the Spectre variants, an attacker can make a program reveal some of its own data that should have been kept secret. It requires more intimate knowledge of the victim program's inner workings, and doesn't allow access to other programs' data, but will also work on just about any computer chip out there. Spectre's name comes from speculative execution but also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That's the other reason for the name: Spectre will be haunting us for some time.
Why are Spectre and Meltdown dangerous?
But beyond the potential specific attacks themselves lies the fact that the flaws are fundamental to the hardware platforms running beneath the software we use every day. Even code that is formally secure as written turns out to be vulnerable, because the assumptions underlying the security processes built into the code — indeed, built into all of computer programming — have turned out to be false.
Spectre and Meltdown patches
The fundamental vulnerability exists at the hardware level and cannot be patched. However, most vendors are releasing software patches that work around the problems. The KAISER patch, developed coincidentally in 2017 to improve Linux security, actually has the side effect of preventing Meltdown attacks. Major cloud vendors have by and large patched their servers. Patches have already been rolled out by Intel, Microsoft, Apple, and Google (see more below) and more are on the way. CSO's J.M. Porup has a good roundup of steps you should take in the short term. Rendition Infosec also has a great resource on establishing a strategy for your organization that will, among other things, harden your systems and practices to prevent further damage if you do fall victim to an attack exploiting Spectre or Meltdown.
Notably, older systems, particularly Windows XP, will almost certainly never be patched. Also left in the lurch are the millions of third-party, low-cost Android phones that don't get security updates from Google, many of which are not particularly old.
When will my PC, Mac, iPhone, Android phone, or browser get a patch for Meltdown and Spectre?
- As of January 11th, Microsoft has released operating system patches for most versions of Windows from Windows 7 on, which also patch the company's Internet Explorer and Edge browsers. The previous link also includes a roundup of links to firmware updates from hardware manufacturers, which cover all the major players. However, some AMD systems after downloading the patches did not restart, so those patches have been pulled for the moment.
- Apple released patched versions of its macOS, iOS, and tvOS operating systems, as well as its Safari browser, on January 3rd.
- Google released a list of which Chromebook models have been patched or won't need a patch (most of them), which will be patched soon, and which are end-of-lifed and won't see a patch.
- Firefox has a patch that will be released on January 23rd, but is now available in beta.
- Google's Chrome browser has a patch that will be released on January 23rd. You can turn on the experimental Site Isolation feature in the meantime to protect yourself.
- The multiplicity of Android handsets makes the question of whether your Android phone is or will be patched difficult to answer. Most phones sold directly from Google or giants like Samsung are patched or will be, but many will not. The Italian trade-in company RiCompo has a site that keeps you up to date on many different brands and models.
Do Spectre and Meltdown patches hurt performance?
These patches generally mitigate the vulnerabilities by altering or disabling how software code makes use of the speculative execution and caching features built into the underlying hardware. The downside of this, of course, is that these features were designed to improve system performance, and so working around them can slow your systems down. While there were initial reports of performance hits up to 30 percent, benchmarks from Phoronix indicate that 5 to 10 percent seems more typical.