7 Things You Need To Know About Spectre And Meltdown Security Exploits
So Far -- No "Observed Active Deployment" Of Spectre And Meltdown
Intel Vice President Stephen Smith says that so far the chip giant has observed "proof of concept" of the Spectre and Meltdown exploits but has not "observed any active deployment" of the exploits in PCs or servers.
Smith says Intel is moving forward with a "comprehensive" threat mitigation plan that includes operating system and firmware updates that will be made available in the next "few weeks." By the end of next week Intel says it expects to have issued updates for more than 90 percent of processor products introduced within the past five years.
"We have been working to put together a combination of operating system updates on the broadly used operating systems and some firmware updates that we developed that are specific to the configuration and operation of our processor," said Smith in a conference call with analysts on Wednesday night. "That has all been developed with industry partners, tested with industry partners, working with OS vendors and with OEMs. We have been working at this for some time such that we'll be ready beginning in the next few days to start the deployment of the mitigations. It will probably take a few weeks before the mitigations we have in mind will all be available to customers."
Intel Encourages Customers To Utilize Automatic Update
Intel is encouraging "computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date."
The company said the system updates are being made available by system manufacturers, operating system providers and others.
"We have begun providing software and firmware updates to mitigate these exploits," said Intel in a document on the security exploits. "End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available."
Intel said that for "malware to compromise security" using Spectre and Meltdown, it must be running locally on a system. "Intel strongly recommends following good security practices that protect against malware in general, as that will also help protect against possible exploitation," Intel said.
Intel said that many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
"Our approach to mitigation is that we look at this and we want to provide for Intel platforms the most comprehensive approach that we can such that we will offer the highest level of security for our users on Intel platforms," said Intel's Smith.
An Industry-Wide Issue Not Specific To Intel
Intel has gone to great lengths to stress that Spectre and Meltdown are not "unique to any one architecture or processor implementation."
In fact, Intel says security researchers notified Intel, AMD and ARM of the exploits.
Intel says that Spectre and Meltdown – which allow attackers to see contents of "privileged memory" – exploit "speculative execution techniques common in modern processors."
Intel's Smith says the chip giant "brought the industry together" to come up with a "common approach" to mitigating the problem.
"There was a security research team that notified Intel as well as other industry participants including AMD and ARM Holdings of the new side channel analysis exploit of the computing system," said Smith.
Solution providers, for their part, said the exploits affect most modern processors and can be executed against mobile devices, desktops, laptops and servers running in cloud environments. All told, the flaw affects nearly every device an end user has or operates, said Michael Knight, president and CTO of Encore Technology Group, Greenville, S.C.
"This is significantly different because it's a critical hardware flaw, not a software flaw," said Knight. "The scale is massive."
AMD Claims "Near Zero Risk" On AMD Processors
Chip manufacturer AMD claims there is a "near zero risk" to AMD processors with regard to Spectre and Meltdown.
In fact, AMD says it has no plans to issue operating system or firmware updates for its processors.
"The security research team identified three variants targeting speculative execution," AMD said in a prepared statement. "The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
AMD said the three variants are titled: "bounds check bypass, branch target injection and rogue data cache load." AMD said it resolved the bounds check bypass through software and OS updates with "negligible performance impact expected," while the other two variants did not impact the company.
When asked by an analyst about comments from AMD that the issue does not impact that company's processors, Smith responded that the researchers have demonstrated some of the exploits running across a variety of product implementations, both in hardware and software.
Intel, he said, has provided details on what that company is doing.
"It's an industry issue," he said. "And you'll have to ask each participant what their specific mitigation implementations are."
ARM – Majority Of Our Processors Are Not Impacted
ARM Holdings – which makes processors for smartphones – said the "majority of ARM processors" are not impacted by Spectre and Meltdown.
That said, ARM cautioned users that it is important to note that the exploits are dependent on "malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads."
ARM said the "cache timing side-channels" involved in the exploits are a well-understood concept in the area of security research and are not a new finding. "However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed," the company said.
The Performance Impact On PCs And Servers
Using industry benchmark testing, Intel found the average impact of the mitigations on performance to be between zero and two percent, said Ronak Singhal, Intel Fellow and director of CPU compute architecture at Intel. "A workload that is largely in the user space will see little to no impact," he said.
However, for workloads that spend a lot of time going back and forth between the operating system and the application, some synthetic workloads have shown an impact of 30 percent or more, Singhal said.
Singhal said that Intel does not differentiate the performance impact on a PC vs. in a data center, but instead any impacts are really dependent on the attributes of the workload.
When asked by an analyst about how mitigations to the security issue might impact cloud and data center infrastructures vs. PCs, Intel's Smith replied, "It depends on the workload specifically in use, and a little bit less on where the workload is."
Three Attack Variants For Spectre And Meltdown
Security researchers have found three possible variants of side channel timing attacks that could let attackers gain access to data that they normally could not access, said Intel's Singhal, who also described how each can be mitigated.
The first is the bounds check bypass, a fairly fundamental exploit that could let an attacker abuse existing code that has access to privileged information in order to speculatively access information in memory they might normally not have access to, Singhal said. "We've been working with software partners on both the operating system side and the browser side for mitigations for the first exploit," he said.
The second variant is Branch Target Injection, in which malicious code could find a way to redirect the internal structures inside the processor to speculatively execute code attackers want to see executed, Singhal said. Such an attack does not impact the basic function of the processor, but does allow the speculative attack to occur, he said. Mitigation is being done via microcode updates that provide a new interface between the operating system and the processor, which requires work on both the hardware and software sides, he said.
The final variant is Rogue Data Load, which is the ability for an application to speculatively access memory that it normally does not have access to, Singhal said. Intel has already pushed patches to Linux to isolate the page tables between the kernel and the user space, he said.
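A way for administrators to confirm that the three mitigations described above are active on a Linux host, as an added example that is not from the article or from Intel: the kernel reports per-variant status under /sys/devices/system/cpu/vulnerabilities, and the script below reads those files and lists the variants that still need attention. The function names and the SAMPLE strings are constructed for illustration; the variant-to-file mapping follows the usual naming and is not stated in the article.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Variant names as used in the article -> Linux sysfs file (mapping assumed, not from the page).
VARIANTS = {
    "bounds check bypass": "spectre_v1",
    "branch target injection": "spectre_v2",
    "rogue data cache load": "meltdown",
}

# Constructed sample status lines, for running the logic off-host.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

def classify(status):
    """Map one sysfs status line to a (state, detail) pair."""
    text = status.strip()
    if text.startswith("Not affected"):
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text.partition(":")[2].strip())
    return ("unknown", text)

def read_sysfs(name):
    """Return the raw status for one file, or None if the kernel does not expose it."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None

def audit(reader=read_sysfs):
    # A missing file means the kernel reports nothing for that variant.
    raw = {variant: reader(fname) for variant, fname in VARIANTS.items()}
    return {v: ("unreported", "") if r is None else classify(r) for v, r in raw.items()}

def needs_action(results):
    # Anything other than an explicit mitigation or "Not affected" is flagged.
    return sorted(v for v, (state, _) in results.items() if state not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    for variant, (state, detail) in audit().items():
        print(f"{variant:26} {state:12} {detail}")
```

Passing `SAMPLE.get` as the reader runs the same logic on the constructed strings, which is useful on a machine that is not the one being audited.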