In flaws, operating against computer architecture that’s been

In today’s day and age of
information and technology, security is of the utmost priority. Spectre and
Meltdown are security vulnerability exploits that have the potential of
accessing and capturing sensitive data. These processor flaws have been around
for over 20 years, but were only recently discovered and claimed to be
disastrous. Meltdown and Spectre affect not only desktop computers but also
tablets, laptops, mobile devices, and cloud computing alike; similarly, these
flaws take advantage of how data is processed. If and when software is utilized
to leverage these vulnerabilities, private data held in running programs and
processed in memory can be accessed and obtained by hackers. It is highly
recommended to update operating system software, update system firmware, and
any other software on all devices in order to mitigate and prevent data loss although
there are known performance decreases. Additionally, it is suggested to replace
affected hardware as soon as it becomes available in order to reduce the risks
associated by these exploits. This paper will discuss what Meltdown and Spectre
are, how they are exploited, the range of potentially affected devices, and countermeasures
to mitigate and prevent these CPU flaws.

 

 

 

 

 

 

Computer
hardware and software is endlessly under attack by hackers, tested immensely by
professionals, and constantly updated in order to expose and fix vulnerabilities.
Computer exploits have and will continue to appear but recently there has been
quite a bit of talk about security vulnerabilities, specifically around
Meltdown and Spectre. There is a vast amount of technical information available
in regards to these vulnerabilities but only emphasis on important and
high-level details will be covered. Collectively, Spectre and Meltdown security
vulnerabilities affect nearly all processors and memory and can be leveraged by
malicious software to acquire personal information including but not limited to
user names, passwords, personal information, financial information, and so on. Although
there is a short list of CPUs which are not impacted by these flaws, it is a
brilliant idea to update your system regardless of confidence in not being affected.
“Meltdown and Spectre are exploits, not chip design flaws, operating against
computer architecture that’s been designed into chips for decades” (Gold,
2018).

These
vulnerabilities impact not only personal and business computers, but also
mobile devices and the cloud. Meltdown and Spectre can be utilized to obtain sensitive
data stored in running programs such as e-mail, web browsers, and even
documents. Furthermore, these security vulnerabilities can possibly access
protected memory but need to accompany an application to execute successfully (Gold,
2018). Overall, “Meltdown and Spectre exploit critical vulnerabilities in
modern processors. Their hardware vulnerabilities allow programs to steal data
which is currently processed on the computer” (Graz University of Technology,
2018). Some speculate that these vulnerabilities allow for system changes and
reading and writing of data from disk which is not the case; they are not
typical malware and do not behave in that fashion, nor are they simple to
execute usefully without prevalent determination (Gold, 2018).

The
Meltdown security vulnerability, its logo displayed in Figure 1 and coined by
Daniel Gruss, is a bug that attacks hardware security limitations, specifically
those of processors, in order to infiltrate and read contents of memory (“Meltdown
(security vulnerability)”, n.d.). According to the Graz University of
Technology (2018):

Meltdown
breaks the most fundamental isolation between user applications and the
operating system. This attack allows a program to access the memory, and thus
also the secrets, of other programs and the operating system. If your computer
has a vulnerable processor and runs an unpatched operating system, it is not
safe to work with sensitive information without the chance of leaking the
information. This applies both to personal computers as well as cloud
infrastructure. (para. 3)

Meltdown is believed to
be “one of the most dangerous vulnerabilities ever found at least for a CPU”
since it impacts a vast number of users, their devices, the programs they run,
and their data; “this makes Meltdown really dangerous for us and easy for
hackers” (The Windows Club, 2017).

Figure 1: Meltdown
Logo by Natascha Eibl (Graz University of Technology, 2018, para. 2)

            Meltdown, “pertains to the protective barriers between
the underlying operating system and applications running on it. Intel is by far
the biggest CPU maker out there and Meltdown affects every processor produced
by the company since 1995” (Hughes, 2018). Although this flaw has been around
for more than 20 years, investigation and detection of the Meltdown
vulnerability was only recently and individually raised by Jann Horn of Google
Project Zero, Werner Haas and Thomas Prescher of Cyberus Techology, and Daniel
Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz of Graz University of
Technology (Graz University of Technology, 2018). Due to the wide range and
countless possibilities in which this vulnerability may be exploited, there appears
to be a global desire to fix this and the Spectre security flaws alike.

The
Spectre security vulnerability, its logo displayed in Figure 2 and coined by
Paul Kocher, varies somewhat from the Meltdown vulnerability and gains entree
into the memory of programs to obtain data undetected (The Windows Club, 2017).
According to the Graz University of Technology (2018):

Spectre
breaks the isolation between different applications. It allows an attacker to
trick error-free programs, which follow best practices, into leaking their
secrets. In fact, the safety check of said best practices actually increase the
attack surface and may make the applications more susceptible to Spectre.
(para. 3)

Spectre technically has
two different variations and, although grouped together as one, when exploited,
they are capable of forcibly revealing private data from programs even though
detailed information about the program’s operations are required (Fruhlinger,
2018). The National Cybersecurity and Communications Integration Center (NCCIC),
“encourages users and administrators to refer to their hardware and software
vendors for the most recent information. In the case of Spectre, the
vulnerability exists in CPU architecture rather than software and is not easily
patched; however, this vulnerability is more difficult to exploit” (United
States Computer Emergency Readiness Team, 2018).

Figure 2: Spectre
Logo by Natascha Eibl (Graz University of Technology, 2018, para. 2)

Compared
to Meltdown, Spectre is more difficult to exploit but is additionally more
problematic to mitigate since it not only “affects the barrier between the
operating system and the application” but also allows applications to take private
data from one another (Hughes, 2018). Similar investigation and detection of
the Spectre vulnerability was recently and individually reported by Jann Horn
of Google Project Zero, Paul Kocher of the University of Pennsylvania, Daniel
Genkin of the Univeristy of Maryland, Mike Hamburg of Rambus, Moritz Lipp of
Graz University of Technology, and Yuval Yarom of the University of Adelaide
and Data6 (Graz University of Technology, 2018). Although Spectre is able to
“trick other applications into accessing arbitrary in their memory”, Meltdown
and Spectre need to be addressed, mitigated, and fixed equivalently (Chacos
& Simon, 2018).

Meltdown
and Spectre exploit what are known as “speculative execution” and “caching”,
which essentially allow access to information that was intended to have been
entirely protected; this is done through accessing pre-fetched data from the
CPU that was previously obtained from memory and the processor (Fruhlinger,
2018). Although investigators found that Meltdown is easily exploitable, it is fairly
simple to mitigate due to the accessibility of software patches. This is
unfortunately not the case for Spectre since it touches many more devices and a
single software patch will not be sufficient (Hughes, 2018). No evidence of
real-world exploitation by either CPU flaw has been reported yet but detection
and restoration seem unlikely, if not near impossible, once these disastrous security
vulnerabilities are executed on a system (Fruhlinger, 2018).

According
to Brad Chacos (2018), there is a list of items which are required to protect
against both Meltdown and Specture vulnerabilities and consist of the
following:

·        
Update your operating system

·        
Check for firmware updates

·        
Update your browser

·        
Update other software

·        
Keep your antivirus active

With this in mind, it is
good practice to check for and update everything possible starting with the
operating system (Windows Update), followed by the firmware (BIOS), and lastly,
updating all other software (web browsers, antivirus, etc.) in order to prevent
these exploits from penetrating a system. Even if all of these tasks are
completed, it is nearly impossible to tell if either or both exploits have been
used against a system since no log files or traces are left although virtually
all systems are affected (Graz University of Technology, 2018). Several
companies such as Dell and HP, previously released firmware patches, but those were
quickly revoked “following Intel’s advice to halt deploying the chip makers’
microcode or firmware patch due to unexpected reboots” (Tung, 2018). “Further,
all of the major OS vendors are patching their software to dramatically limit
the ability of these exploits to cause harm, and firmware is being updated by
the chip and machine vendors” (Gold, 2018).

Updating
a system will immensely mitigate the risk of losing private data, but there may
also be a related performance reduction. Jack Gold (2018) goes on to state,

Speculation
that the patches will cause a 30 percent decline in performance is, in my
opinion, highly overstated. I estimate for the average user on a PC, the
performance degradation may not even be noticeable or will likely be in the 3
to 5 percent range. (para. 17)

Prior to implementation,
the NCCIC, “recommends using a test environment to verify each patch. After
patching, performance impacts may vary, depending on use cases” (United States
Computer Emergency Readiness Team, 2018). Following update installations, IT
specialists and system administrators of a company ought to validate that the
patches have been applied successfully and all systems are protected. Overall,
system security and integrity should be the highest priority over performance in
order to protect sensitive data and prevent unauthorized data access.

            Spectre and Meltdown expose potentially tremendous flaws
and affects almost every processor produced since approximately 1995. Both of
these vulnerabilities can be exploited through software to steal sensitive data
such as usernames, passwords, and even banking information, not only from a current
user, but any other user on a machine or connected via network (Fruhlinger,
2018). Since almost all CPUs are vulnerable, modern-day computers require
software patches, such as operating system updates rolled out by Windows, as
well as firmware patches rolled out by device manufacturers. To take it one
step further, according to the US CERT from an article by The Windows Club
(2017), it is recommended to “replace CPU hardware. The underlying
vulnerability is primarily caused by CPU architecture design choices. Fully
removing the vulnerability requires replacing vulnerable CPU hardware”.
Unfortunately, this may not be a practical option for most since it is timely
and could be costly, so the next best option is to update any and all impacted systems.
Ultimately, everyone is faced with two choices: take no action and let sensitive
data become vulnerable or take actions and tolerate possible system slowdowns.