A guide to the CPU security flaws and their flawed patches
Every year of the last decade or so has provided us with a big new security threat to worry about, from Heartbleed to the Mirai botnet. Already 2018 has proved to be no exception, and within just a week of the New Year, we learned of a serious design flaw present in most processor chips made in the last 20 years.
Worse still, it was reported by security experts that this could be exploited using techniques known as Spectre and Meltdown, leaving devices vulnerable to hackers, and requiring an operating system (OS) update in order to fix it.
A lot has happened since then, so for anyone needing to catch up, here’s a complete guide to the whole debacle.
The design flaw
The security vulnerability is a result of a design flaw that was originally found to be present in all Intel chips made in the last 20 years (effectively every processor since 1995 except Intel Itanium and Intel Atom before 2013).
What exactly are Meltdown and Spectre?
Spectre and Meltdown are simply the names given to different variants of this same vulnerability, which involves a malicious program gaining access to data that is normally protected by the kernel.
Meltdown is so-called because it figuratively 'melts' the security boundaries normally enforced by chip hardware that protect sections of the memory. Essentially it's able to spy on data it shouldn't have access to.
Spectre, on the other hand, derives its name from speculative execution, which involves a chip attempting to get a head start on what a user might want from it. For instance, if the program a user is running follows an 'if X, then Y' rule, then whenever X holds the chip must go on to carry out Y. A chip performing speculative execution starts carrying out Y before it knows whether X holds, to get a head start on the computation. The side effects of that speculative work can leak data that should stay confidential.
A Spectre attack requires more intimate knowledge of the victim program's inner workings, and doesn't allow access to other programs' data, but will also work on just about any computer chip out there.
Spectre's name also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That's the other reason for the name: Spectre will be haunting us for some time.
The official Spectre website (yes, there is one) states that while Spectre is harder to exploit than Meltdown, it is also harder to mitigate. It breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Which systems are affected?
It depends on the attack you’re looking at. Meltdown mostly affects Intel processors and at the moment, it is unclear whether AMD processors are also affected. ARM says some of its processors are also affected.
Spectre is much more widespread, however. Almost every system is affected by Spectre, including desktops, laptops, cloud servers, and even smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable, which means that all popular operating systems, including Windows, Linux and macOS, are affected.
Am I affected?
It’s safe to say that if you own a computer of some sort, you are almost certainly affected by the vulnerability. And to add insult to injury, you can’t really detect if someone has exploited Meltdown or Spectre against your device, as the exploitation does not leave any traces in traditional log files.
While it’s theoretically possible that your antivirus can detect or block the attack, it’s unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware that uses the attacks by comparing binaries after they become known.
If your system is affected, the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system. To protect yourself, the best way is to keep up to date with the patches that chip and software manufacturers are releasing. However, that could prove somewhat confusing…
In the rush to patch the vulnerabilities when they became known at the start of 2018, vendors issued updates that caused many issues for users.
Shortly after issuing a fix in January, Microsoft withdrew the update after a number of AMD-powered PCs failed to boot following the installation of the security patch.
The issue was brought to Microsoft's attention on its customer support blog, with users saying their devices stopped loading the Start menu or taskbar after installing updates pushed to their devices on the 3 and 9 January. It seems computers running Windows 10, Windows 8.1 and Windows 7 were all affected, with some of the machines dating back 10 years.
Intel had a much bigger issue after releasing its CPU bug fixes, however.
After discovering that the Spectre patches impact performance by up to 25% on data centre chips, and 3% to 4% on other systems, the chip giant backtracked and decided to advise customers not to download the patches, due to the reboots and performance hits they were causing.
The firm’s executive vice president, Navin Shenoy, recommended that OEMs, cloud service providers, system manufacturers, software vendors, and end users “stop deployment of current versions on specific platform as they may introduce higher than expected reboots and other unpredictable system behaviour”.
This applied to systems powered by Intel’s previous generations of chips, including Broadwell, Haswell, Coffee Lake, Kaby Lake, Skylake, and Ivy Bridge families.
In a post on the Linux kernel mailing list, Linux creator Linus Torvalds lambasted Intel for the fiasco, saying the patches “do literally insane things” to the performance of the systems they are installed on.
“They do things that do not make sense,” Torvalds declared. “That makes all your arguments questionable and suspicious. The patches do things that are not sane."
He ranted that the patches are “ignoring the much worse issue, namely that the whole hardware interface is literally mis-designed by morons”.
In February, however, Intel finally issued a working update for its Skylake chips. It might have arrived three weeks after the original buggy patch release, but the firm said it had successfully developed a number of microcode solutions to protect its customers against the Meltdown and Spectre exploits.
The released updates included fixes for its OEM customers and partners for Kaby Lake and Coffee Lake-based platforms, as well as additional Skylake-based platforms. These included its sixth, seventh and eighth-generation Intel Core product lines as well as the latest Intel Core X-series processor family.
The recently announced Intel Xeon Scalable and Intel Xeon D processors for data centre systems are also covered by the patches.
"This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production," Shenoy said in a blog post. "On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process."
It is still not clear, however, whether Intel has successfully patched its fourth- and fifth-generation Haswell and Broadwell CPUs.
Should I patch?
Users worried about the impact of Spectre and Meltdown should keep up to date with the patch releases from the manufacturers of their devices, and hope that they don't have too much of an undesired effect on the performance of the machines.
Microsoft recently disabled its Spectre patch, saying that the performance impact was too great compared to the low likelihood of someone launching a Spectre attack on someone's device. However, if you're a big business that would prove a lucrative target for hackers, not patching Spectre is probably not an option for you.
Torvalds' outburst was also directed at the fact that Intel's plan to bypass its patches' hits on performance was to make the Meltdown fix optional, effectively shipping faulty hardware that users would then have to patch themselves.
However, at the start of February Intel issued a fresh patch for devices running its Skylake-based Core or Core M processors that it claims won't introduce bad side-effects. A similarly effective patch for Haswell and Broadwell-running PCs is still in the works, but Intel has also introduced patches for its Kaby Lake, Coffee Lake, sixth, seventh and eighth-generation Intel Core and Core X series.
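Keeping up with patches is easier when you can check what your own machine reports. On Linux, kernels from 4.15 onwards publish a one-line status for each flaw under /sys/devices/system/cpu/vulnerabilities/ (for example "Not affected", "Vulnerable" or "Mitigation: PTI"). The script below is an added example written for this guide, not code from Intel, Microsoft or the kernel project: it reads those files and summarises them, and when the directory is missing (an older kernel, or a non-Linux system) it falls back to a constructed sample directory whose status lines are invented for demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article): summarise the Linux kernel's per-flaw
# status files. Since kernel 4.15 each file under this directory holds one
# line such as "Not affected", "Vulnerable" or "Mitigation: PTI".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one kernel status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<flaw> <verdict> (<raw line>)" for every file in a directory.
# Returns 1 if any flaw is still reported as vulnerable, 0 otherwise.
report_vulns() {
    dir="$1"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        line=$(cat "$f")
        verdict=$(classify_status "$line")
        printf '%-16s %-13s (%s)\n' "$name" "$verdict" "$line"
        if [ "$verdict" = "vulnerable" ]; then
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory (status lines invented for this example, not
# real output from any machine) so the script can be exercised on a system
# that lacks the sysfs directory. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR" || echo "WARNING: at least one flaw is still reported as vulnerable"
else
    echo "$VULN_DIR not present (kernel older than 4.15, or not Linux); using constructed sample:"
    sample=$(make_sample_dir)
    report_vulns "$sample" || echo "WARNING: at least one flaw is still reported as vulnerable"
    rm -rf "$sample"
fi
```

Run it with `sh check_vulns.sh`; set `VULN_DIR` to point the script at a copied sysfs tree if you want to inspect another machine's status offline. A "Vulnerable" line means the kernel knows about the flaw and has no mitigation active for it, which is the case to chase with a microcode or OS update.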