Chip Technology Taking a Beating as Newly Discovered Flaws Point to Security Vulnerabilities

January 7, 2018 – If you have a feeling that someone is looking over your shoulder these days when you are using your computer, you may be justified to a degree. It appears that the core of computer chips, once seen as invulnerable, is not, and that more than one manufacturer is to blame. I’ve always recommended Intel processors when advising friends on buying a new computer. But now it appears it doesn’t matter who supplies the chips at the core of your new machine. All are suspect.

Previously unknown flaws have made almost every current device insecure. Whether it’s a smartphone in your pocket, a laptop, tablet or desktop system, hackers can exploit these flaws to extract personal information you thought was protected by your normal security protocols.

It was the Google Project Zero engineering team that first identified the flaws, giving them the names Spectre and Meltdown.

 

The images above are the icons for Meltdown and Spectre, security flaws that put most computers at risk. Fixes are on the way.

 

The vulnerability is common to Intel, AMD, and ARM processor architectures, and the engineers traced it back nearly two decades. These processors are the artificial brains found in billions of devices, including the computers that store information in the Cloud and the sensors deployed in vehicles, machinery, and other equipment.

Processors are designed to predict and execute tasks. They store instructions that include user IDs, passwords, and vital data associated with credit and banking. But so far Intel and Google have indicated they have yet to see an exploitation of the flaws. And the Computer Emergency Readiness Team in the United States concurs. Carnegie Mellon University’s Software Engineering Institute has provided a complete description of Spectre and Meltdown. In both flaws, kernel memory is exposed.

The following table compares Spectre and Meltdown.

| | Spectre | Meltdown |
|---|---|---|
| CPU mechanism for triggering | Speculative execution from branch prediction | Out-of-order execution |
| Affected platforms | CPUs that perform speculative execution from branch prediction | CPUs that allow memory reads in out-of-order instructions |
| Difficulty of successful attack | High – Requires tailoring to the software environment of the victim process | Low – Kernel memory access exploit code is mostly universal |
| Impact | Cross- and intra-process (including kernel) memory disclosure | Kernel memory disclosure to userspace |
| Software mitigations | Indirect Branch Restricted Speculation (IBRS). Note: This software mitigation also requires CPU microcode updates and it only mitigates Spectre variant 2 | Kernel page-table isolation (KPTI) |

 

The solutions proposed include updates to the microcode within the processors and updates to applications that have been deemed vulnerable.
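
One way to check on a Linux host whether the two mitigations named in the table, kernel page-table isolation and IBRS, are reported as active. This is an added example, not part of the original article. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (Linux 4.15 and later); the function names and the sample lines are constructed for illustration.

```python
from pathlib import Path

# Linux 4.15 and later expose one status line per flaw in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample lines in the kernel's format (not captured from a real host).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Not affected",
    "spectre_v2": "Vulnerable: eIBRS with unprivileged eBPF",
}


def classify(line):
    """Turn one status line into a state plus the table's mitigations it names."""
    text = line.strip()
    if text.startswith("Not affected"):
        state = "not_affected"
    elif text.startswith("Mitigation:"):
        state = "mitigated"
    elif text.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"  # empty or unrecognised line
    for sep in ",;:":
        text = text.replace(sep, " ")
    tokens = text.split()
    # Only trust mitigation names on a "Mitigation:" line; a "Vulnerable:" line
    # can mention IBRS while explaining why the host is still exposed.
    mitigated = state == "mitigated"
    return {
        "state": state,
        "kpti": mitigated and "PTI" in tokens,  # the kernel reports KPTI as "PTI"
        "ibrs": mitigated and any("IBRS" in t for t in tokens),
    }


def report(base_dir=SYSFS_DIR):
    """Classify each flaw file; a missing file (older kernel) reads as unknown."""
    results = {}
    for flaw in FLAWS:
        path = Path(base_dir) / flaw
        results[flaw] = classify(path.read_text() if path.is_file() else "")
    return results


if __name__ == "__main__":
    for flaw, result in report().items():
        print(f"{flaw}: {result}")
```

An "unknown" state means the kernel predates this interface or printed a line the script does not recognise, so it should be read as "not verified" rather than "safe".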

Technology providers affected besides Intel, AMD and Arm include:

  • Amazon,
  • Android’s Open Source Project,
  • Apple,
  • CentOS,
  • Cisco,
  • Citrix,
  • Debian GNU/Linux,
  • Fedora Project,
  • Fortinet,
  • FreeBSD Project,
  • Google,
  • and IBM.


Len Rosen lives in Toronto, Ontario, Canada. He is a researcher and writer who has a fascination with science and technology. He is married with a daughter who works in radio, and a miniature red poodle who is his daily companion on walks of discovery.