If there was a league table of security flaws then surely the two major – and we can’t stress major enough – security flaws recently revealed in the microprocessors inside nearly all of the world’s computers would place pretty high. At the very least they’d be in Champions League contention. These vulnerabilities, named Meltdown and Spectre, have existed for decades and could let hackers access the entire memory contents of computers, mobile devices and cloud computer networks.

Most Intel processors implement out-of-order execution: like a lot of modern CPUs, they execute instructions not in their original program order but as the input data each one needs becomes available. Pretty much every processor made since 1995 works this way, and is now at risk of being affected by Meltdown. Since the initial reports, another chip maker, ARM, has revealed some of its processors are also affected.

The larger issue, though, is with Spectre, which calls into question the way all processor manufacturers design their chips, with an emphasis being placed on speed ultimately leaving them vulnerable to security issues. Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable.

Attacking the basic building blocks of cybersecurity

Although they share similarities, the two security flaws are different. Meltdown, which has been described as “one of the worst CPU bugs ever found” by one of the researchers who discovered it, breaks the mechanism that keeps applications from accessing arbitrary kernel memory, and consequently enables a user process to read kernel memory.

Spectre, on the other hand, is a name covering two different exploitation techniques. Spectre essentially breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

What’s so scary about these vulnerabilities is that they basically attack the basic building blocks of what makes computers secure. The whole reason your browser is so secure is because it’s an isolated process; it works that way because the CPU doesn’t want that isolated process to look at memory outside of it, so this is an attack on that basic foundation of security.

The logos for Meltdown and Spectre, which were designed by Natascha Eibl

Performance vs security: the problem posed by patching Meltdown and Spectre

So how do you fix it? Well, patches are going out, and it appears that a fix for Meltdown is mitigating the vulnerability. Because the issues Spectre highlights are so fundamental, though, the easy fix would be to just stop doing the things responsible for speeding things up, in effect rolling back this innovation in chip processing. In other words, roll back and rip up Moore’s Law.
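To see whether those patches are actually active on a machine, the sketch below (an added example, not part of the original article) reads the status files that Linux kernels from 4.15 onward expose under `/sys/devices/system/cpu/vulnerabilities`. A Linux host is an assumption, since the article names no operating system, and the function names are this example's own; `spectre_v1` and `spectre_v2` are the kernel's entries for the two Spectre techniques.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
import os
import sys

# Real Linux interface (kernel 4.15+); assumed here, not mentioned in the article.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Entries covering the flaws discussed: Meltdown and the two Spectre techniques.
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check_host(base=SYSFS_DIR):
    """Return {entry: (verdict, raw status line)} for each tracked flaw."""
    report = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(base, name), encoding="ascii", errors="replace") as fh:
                raw = fh.readline().strip()
        except OSError:
            # Missing file: kernel predates the interface, so patch state is unknown.
            report[name] = ("unknown", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Entries that are unpatched or whose state could not be determined."""
    return sorted(n for n, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = check_host()
    for entry, (verdict, raw) in result.items():
        print(f"{entry:12} {verdict:13} {raw}")
    sys.exit(1 if needs_attention(result) else 0)
```

The script exits non-zero when any entry is vulnerable or unreadable, so it can gate a fleet compliance check.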

In a press release, Intel said that with its patches “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” and Google said the software fixes that have begun to appear "introduce minimal performance impact".

However, in reality, patching Meltdown and Spectre has had a significant enough impact to draw complaints. As reported in The Register, which broke the initial story at the beginning of January, Quora, which relies on AWS, said on Saturday it is "facing a slowdown due to the patch applied by AWS for Intel's Meltdown and Spectre issues."

It is estimated that processing power in devices could be slowed down by as much as 30%, which, looked at another way, is like turning back the clock on Moore’s Law by two years. It’s an insane thing to have to do to technology, because we buy new products because they work faster.

To have to go backwards and work slower is a strange scenario, and the age when developers grab the lowest hanging fruit when it comes to improving processing power is over. Ultimately, though, if given the option of having a device that is faster but less secure or a device that works slower but keeps your information safe, there really is only one choice. So maybe taking one step backwards – albeit, a rather large step – to take two forward isn’t such a bad move.
