The Spectre of Future Meltdowns

I’ve created and deleted drafts on this topic all weekend. All the metaphors I’ve tried to come up with are pretty inaccurate, or don’t add anything that others haven’t already said. So I’ll just do this the boring way.

Don’t let the cute logos fool you, both Spectre and Meltdown are about as serious as you can get in computer security. Both take advantage of the design of many high-end CPUs. In order to squeeze out as much efficiency as possible, nearly all CPUs from Intel allow the processor to reorder the instructions it executes and make guesses about certain values. Unfortunately, when the CPU is jumping ahead it relaxes some of its normal security checks; fortunately, if those guesses are wrong it undoes any changes and executes the right code. On the surface, that prevents any security issues.

But there are still fingerprints of what was executed left behind, hidden in places a programmer can’t directly access but which nonetheless have subtle effects on the behavior of the processor. A clever programmer can combine brute-force checking with probability to guess at the contents of what the processor executed then erased, allowing them to wiggle past security checks. The result is devastating, as it can reveal sensitive data like passwords or worse. These attacks also take place at the hardware level, which makes them incredibly difficult to fix; at one point, US-CERT’s primary recommendation was to replace your CPU, roughly equivalent to replacing a car’s engine. Ouch! Bruce Schneier has weighed in, which saves me from being doom-and-gloom for once.

The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. […]

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

I got lucky. When I ran the Spectre demo code on my home computer, nothing happened; while many AMD CPUs are effected, they fare better than Intel’s. ARM CPUs, like those on your phone, are somewhere in between. Having said that, Schneier’s right: these bugs are a big deal, and are guaranteed to spur the development of nastier ones.

If you’d like info on both these bugs, Computerphile has a great semi-technical explanation and Jann Horn a super-technical one.