Almost all modern computers are at risk today, thanks to an architectural flaw in the way processors allow access to memory. Meltdown and Spectre CPU vulnerabilities affect all processors from Intel, ARM, and AMD.
The year 2018 started with a big news on serious vulnerabilities present in the processors used in almost all devices of today. The vulnerability is complex and technical in nature. However, the gravity of the situation is such that, I believe this must be made accurately aware to all users of technology. In a bid to make things clear in simpler terms, let me explain what the CPU vulnerabilities really are.
Let’s consider you are checking in at a hotel. The hotel has thick perimeter walls, manned by security personnel round the clock. The bellboy escorts you to your room. He asks you if you have booked any more rooms in the hotel. Gleefully, you point him to another room which you claim to be yours. In an attempt to show his responsiveness, he immediately opens up the second room for you.
As he opens, he realises this room is being used by another guest and he quickly apologises and closes the door. But that was enough for you to take a photograph of that room on your phone. You now know exactly what was going on there.
And that’s not all.
You then point to another room in the hallway and tell the bellboy that is also your room. The bellboy unsuspectingly yet again opens that room. The story is repeated not once, not twice, but an unlimited number of times. By the end of the day, you have managed to take photographs of all the rooms in the highly secure hotel multiple times.
The bellboy obvious has a huge fundamental flaw in his working. And that’s exactly what the chip makers of the world have been doing all these decades.
Where does this analogy fit in terms of computing?
Desktop / Server / Phones
Your device has some hardware, an operating system and some applications sitting on top of it. Usually, the OS allows applications to access only those parts of the system memory that belong to that application. In this way, multi-tasking applications work on a single device, and the data remains isolated from other applications.
Now, what if a rogue web site that you are browsing got access to your financial accounting software? What if that rogue website read the confidential documents open in your word processor. Scary, isn’t it? This is how the CPU vulnerabilities affect general computers and mobile devices.
Virtual Servers / Cloud
Things get more complicated and serious here, in a multi-tenancy setup. During the past 15 years, virtualisation has become the norm in most server implementations, primarily because processors are very powerful. Rather than keeping the processors underutilised, companies now create multiple virtual servers on a single physical host. This is also the premise of VPS and cloud servers.
In Infrastructure-as-a-Service (IaaS) aspect of cloud computing, the service providers host multiple virtual servers on a single physical server. It is expected that owner of one virtual server can in no way, access the memory of the second virtual server.
This fundamental assumption is broken apart by the Meltdown and Spectre CPU vulnerabilities. The memory dump of another virtual server is now known to be accessible to other.
What the CPU makers have to say about this?
Intel, who is the world leader in processor design and manufacturing, is vulnerable to both Meltdown and Spectre. Intel has chosen to play down the issue, citing it to be a feature and not a bug. The simple interpretation of their polished words is “We have done this in the interest of keeping our processors serving information fast.” Now that they have been caught, they do concede that a fix to this will be coming soon. There are estimates that with the added security checks, the processors may work up to 30% slower. It is not yet clear how the fix will be applied to the billions of devices which remain vulnerable.
AMD is affected by the Spectre vulnerability, which although on similar lines, allows memory to be read at a slower rate than what is possible with Meltdown. AMD has acknowledged the issue and is also in the process of fixing it.
ARM processors which run most of the mobile devices are also affected by these CPU vulnerabilities. Google, the maker of Android was the first to discover these vulnerabilities a year back. They have been working on software updates for their platform during this period, before making the discoveries public.
What are the OS vendors doing about this?
Many vendors have security patches available for one or both of these attacks.
- Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
- MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
- Linux — Linux kernel developers have also released patches.
- Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
- Chrome – Chrome users can turn “Site Isolation” feature on to mitigate these flaws, as far as Chrome browser is concerned.
It must be noted that there is no single global fix for all systems to overcome these inherent CPU vulnerabilities. This is a painful exercise, and unless each device that we control is patched, we are all going to be living on the edge.