Want to Know About Meltdown and Spectre?

Meltdown and Spectre are a threat to your computer, smartphone and tablet devices. (RedHat)

Meltdown and Spectre are a threat to your computer, smartphone and tablet devices. (RedHat)

There's a lot of hype going around concerning a couple of the latest threats to our computer systems, smartphones, tablets, and other microprocessor controlled devices known as Meltdown and Spectre.  These threats exploit common features that are in many of today's modern microprocessor chips. The vulnerabilities to the devices, if attacked, can also result in vulnerabilities to the networks they are within.  The threats affect mainly Intel based processors, but do also have some affect on AMD based processors.  Addressing the threats requires both a software update to the device operating system and a firmware update to the device basic input/output system (BIOS).

So, what do you need to know?  RedHat, a developer of open source, flexible, cloud-native application development solutions, does a pretty good job of explaining it and has put together a nice video, Meltdown and Spectre in Three Minutes, using layman's terms for those that are not experts in chip design.  A core part of the article is shown below.  The full article can be viewed by clicking the "What are Meltdown and Spectre? Here’s what you need to know." button at the bottom of this article.

"Recent press reports talk about a newly discovered form of security threat that involves attackers exploiting common features of modern microprocessors (aka chips) that power our computers, tablets, smartphones, and other gadgets. These attacks, known as “Meltdown” and “Spectre”, are getting a lot of attention. People are (rightly) concerned, and it’s of course very important to apply all of the necessary software updates that have been carefully produced and made available. Technology leaders, including Red Hat, are working together to address these exploits and minimize the risk of potential attacks.

At Red Hat, we’ve been working on mitigations for potential attacks under standard industry security embargos, deploying small, targeted teams operating on a “need to know” basis in order to prepare ahead of public disclosure. I was fortunate enough to be co-leading our efforts at mitigation of Meltdown and Spectre, alternatively known as variants 1, 2, and 3 of a family of similar attacks disclosed by Google Project Zero in a blog post on January 3rd. In the course of our efforts, we reproduced Meltdown (variant 3) in our labs, and examined other variants, while working alongside many of our trusted hardware partners on mitigations.

While we have a solid understanding of these vulnerabilities and the current analysis of the contributing factors as well as patches to mitigate their potential impact, we will continue to collaborate with our partners, customers and researchers on this situation. Additionally, we would like to help others to understand these complex issues, ideally using language and terms that don’t require the reader to be in the chip design business. For those who want in-depth technical details, the original research papers and associated publications are available at http://meltdownattack.com/ and http://spectreattack.com/, but it’s worth also keeping in mind that many of those involved in identifying these exploits have extensive backgrounds in academic computer architecture research. At least one of them received a Ph.D. in a related area last year. So don’t feel bad if it takes a few passes to really dig into the technical details - this is very complex and detailed stuff.

To get going, let’s understand a bit about “speculative execution” by looking at an everyday analogy.

Suppose a regular customer visits the same coffee shop and orders the same caffeinated beverage every morning. Over time, the customer gets to know the baristas, who become familiar with the customer’s order. Seeking to offer good service (and save their valued customer some time standing in line) the baristas eventually decide to begin preparing the customer’s order when they wave at them as they enter through the front door. But one day, the customer changes their order. Now the barista has to throw away the previously prepared coffee and make a new one while the customer waits.

Taking the analogy one step further, suppose the baristas know the customer’s name, and they like to write that name using a permanent marker on their cup. When they speculatively prepare the usual beverage, they write the customer’s name on the cup. If the customer comes in with a different order, the speculated cup is thrown away along with its contents. But in so doing, the cup’s personally identifiable information is briefly visible to anyone watching.

This coffee shop scenario involves speculation. The staff doesn't’t know for sure when the customer comes in that they’re going to order a latte or an Americano, but they know from historical data what the customer usually orders and they make an educated guess to save the customer waiting. Similar speculation happens throughout our everyday lives because such guesses often turn out to be true, and we can get more done in the same amount of time as a result. It’s like this with our computers. They use a technique known as “speculative execution” to perform certain processing operations before it is known for certain that those operations will be required, on the premise that these guesses often turn out to save time.

In the case of computers, speculative execution is used to decide what to do when confronted by a test like “if A, do this; otherwise, do that”. We call these tests conditions, and the code that executes as a result is part of what we term a conditional branch. A branch just means a section of the program that we choose to run in response to whatever the result of the condition turns out to be. Modern computer chips have sophisticated “branch predictors” that use fancy algorithms to determine what the result of the conditional test is likely to be while that test is still being calculated. In the interim, they speculatively execute code in the branch that seems to be most likely to run. If the guess turns out to be right, the chip appears to run faster than waiting for the test to complete. If the guess is wrong, the chip has to throw away any speculative results and run the other branch. Branch predictors are often over 99% accurate at guessing.

As you can see, the potential performance benefit from a chip speculatively executing the correct branch of code is significant. Indeed, speculative execution is one of the many optimizations that have helped to dramatically speed up our computers over the past couple of decades. When implemented correctly, the resulting performance benefit is substantial. The source of the newly discovered problems come from the chip design attempts to further optimize by assuming that speculation process is a black box that is completely invisible to outside observers (or bad guys).

Conventional industry wisdom was that whatever happened during the process of speculation (known as a “speculative execution window”) was either later confirmed and the results were used by the program, or it was not used and completely discarded. But it turns out that there are ways attackers can view what happened within the speculation window and manipulate the system as a result. An attacker can also steer the behavior of branch predictors to cause certain code sequences to run speculatively that should never normally have been executed. We expect these vulnerabilities and other similar flaws which could exploit speculative execution to lead to fundamental changes in the way that future chips are designed so that we can have speculative execution without security risks."

What can you do?  The best thing is to allow your systems to install the patches released by the maker of the operating system and BIOS for your computer system, smartphone or tablet.  In the case of systems connected to a cellular network (smartphones and tablets), you cellular carrier will generally push the update to your device.  Most systems will install the updates automatically, if the system is set to allow it.  For those systems connected to organizational networks, your IT staff will likely push the patches to you for installation.

For the Windows operating system (which is approximately 90% or all desktop and laptop operating systems), Microsoft has released patches, but has noted that some antivirus software applications, particularly anti-virus applications, have been making "unsupported calls into Windows kernel memory." If the patches are applied to systems with these applications, it could stop the device from booting or cause blue screen of death (BSOD) errors after the patch is applied. Therefore, as part of the security patch updates, Microsoft is requiring that all third-party antivirus vendors confirm compatibility with its CPU fixes and then to set a registry key in their products to certify compatibility. Without the key being set, Microsoft's security update may not install properly or at all.  Removing the offending software should allow you to install the patch updates.  You can find more information on this issue in ZDNet's article, "Microsoft: No More Windows Patches at All if Your AV Clashes with our Meltdown Fix."

For those with systems using Advanced Micro Devices (AMD) chipsets, you may want to hold off, as Microsoft has suspended sending Windows updates after some people reported their computers failed to boot after installing the patches.  Microsoft is currently working with AMD to resolve the issue.  You can find more information in the Washington Post article, "Microsoft Pauses AMD Updates for Spectre and Meltdown After Consumer Issues."

Likewise, Apple and Google have released security patches for the Android (88% market share) and iOS (12% market share) operating systems that address the flaws on newer "stock" operating system phones.  If you have an older phone or one with a modified, or "rooted," OS, the patches may not work.  More information on the threat to your smartphone and tablet devices can be found in the iDQ CSO article, Meltdown and Spectre Affect the Smartphone in Your Pocket. Should You Be Worried?

Will the fixes affect my computer's performance? The fixes, since they limit the benefits of speculative execution, are expected to have some impact to performance of computer systems. However, for most users, installing the patches is well worth the security benefit as the performance hit is expected to be relatively minor (in the range of 1 to 4 percent reduction in process execution speed).  For users with 2016 era and newer PCs with Skylake, Kabylake or newer CPUs, the slowdown will likely be in the milliseconds range and not noticeable.  However, users of older systems with Windows 7, 8 and 10, namely 2015-era PCs with Haswell or older CPUs, will likely perceive a system slowdown.  For some drive read/write intensive processes, especially those that use Non-Volitile Memory express (NVMe) storage devices such as solid-state drives (SSDs), the impact could be more serve.  More information can be found in the Redmond Magazine Article, "Microsoft Confirms System Slowdowns from Fixes to Meltdown and Spectre Attack Methods."  Benchmarking of some common desktop applications, games, and hard drive performance showing results without the patches installed (speculative execution fully implemented), with only the Windows OS software update installed, and with both the Windows OS software and BIOS updates installed can be found in Hardware Unboxed's benchmark video.

What is the Federal Government doing?  A summary on what the Federal Government is doing about the threats can be found in Federal Computer Weekly's article, Feds Face Limited Options for Meltdown, Spectre Bugs.