| #1856 |  | 1400 |  |
January 18, 2018 |  | By Debashish Bose | ||
|
Everybody in the cyber security industry is focused on two new vulnerabilities, namely “Spectre” and “Meltdown”, made public on 03 Jan 2018. For a change these represent vulnerabilities in computer hardware. Variants currently in the wild are :-
(CVE numbers are unique identifiers for publicly known information security vulnerabilities) Modern computers owe their humungous processing abilities to two main processing concepts that aid in enhancing performance. These are caches and parallelism. These two concepts along with the Principle of Isolation form the bedrock of modern day processors. The Isolation Principle isolates the working and the data of one program from another program. These two new vulnerabilities break down the Principle of Isolation by exploiting weaknesses found in the implementation of caches and parallelism features of processors. A cache is a piece of hardware that holds the previous result of the processor, on the assumption that you will require the same result in the future. It is particularly applicable with instruction caches and data caches that hold previously accessed information. This is also applicable to other obscure caches like Branch Target Buffer (BTB), which keeps track of where previous instructions jumped to, and the Translation Lookaside Buffer (TLB), which remembers mappings between virtual addresses and their actual locations in the computers memory. This is primarily done to ensure faster response time, if a piece of information is there in the cache, there will be an immediate response, otherwise scarce CPU cycles will have to be spent on recalling them all over again. Parallelism as the word suggests implies doing multiple things at the same time. Another common method for increasing performance is speculative and out of order execution. Thus, the processor can speculate and carry out certain actions in anticipation. Processor designers are continuously focused in their attempts to squeeze every last bit of performance out of a combination of caches and parallelism, whereas the security engineers rely on isolation. If two programs are running on a computer, it is critical that one program is not able to deduce information about the other. In situations where the planned isolation fails, practically, a hostile program can read passwords out of memory or other sensitive information such as authentication cookies or cryptographic keys. Both Spectre and Meltdown exploit the interactions between speculative execution and various caches to read information across security barriers by observing how long various operations take. Cloud services are especially vulnerable, since the basic premise of cloud computing is to share the same hardware amongst several customers. Whereas Meltdown allows unauthorized applications to read from privileged memory to obtain sensitive data from processes running on the same cloud server, Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other users on the same hardware (server). While cloud service providers will have to immediately patch their systems, users of the cloud services will also have to patch the instances of their operating systems, so that they are fully protected. Updates and Performance Impact Intel has not yet been very forthright in declaring what is going to be the impact of the two malwares. Intel has declared that they would be issuing software to handle the flaws. They have said that 90% of processor products introduced in the past five years will be patched in a week. It is very pertinent to note that these are BIOS firmware updates, which are not distributed centrally, the way we receive Windows patch updates. The PC makers will have to manage the same as and when they become available. It is a nightmare to think what could happen to all the locally assembled PCs that we have in various offices. Who is going to do the hand holding for them? Additionally they have vaguely said that there will be performance issues for certain kinds of workloads. In fact Intels prices have dropped seven percent since the time these vulnerabilities have been announced. Microsoft has been more forthright in declaring performance issues, summarized as below
In fact the most important declaration made by Microsoft is the fact that Windows Server instances will have a more severe impact. The appreciated impact is so huge that Microsoft advises customers not to update the server firmware,in case tehy don't run untrusted software, a tricky and confusing choice between security and performance. As per the third statement issued by Intel on 10 Jan 2018, impact for average users will not be significant, however the test results released are for eighth generation Intel processors. Initial reports say that Intel had been warned of the flaw in June 2017 itself. Other companies that have not talked about the vulnerability are Apple and Google. They have not released any information as to whether iPhones, Macs or Androids will require any firmware updates. In fact there is no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. So finally what we are realizing is the fact that microprocessor designers have been building insecure hardware for the last two decades. The interesting fact is that it took the security industry 20 years to discover it. In the mad rush to make computers faster, no one was thinking about security. The microprocessor designers didn't have the expertise to detect these vulnerabilities. And those who did, were too busy finding normal software vulnerabilities, than to examine microprocessors. In a nutshell all major processor manufacturers are scrambling, and hiding behind smartly worded statements, with each statement giving us a little bit more, towards the full picture. Spectre and Meltdown only affect the confidentiality of data, but now that people have got to know where to look, surely more vulnerabilities will come out. This is wild untested territory in Information Security. Keeping in mind economic / commercial considerations I am sure that we will be spending the next few months in “Ostrich Mode”, i.e. companies will assume all sorts of considerations regarding difficulty levels for the hackers to be able to exploit the vulnerability, and continue to work with the vulnerability. Actually, difficulty in exploitation is not a substantial protection, it only takes one clever hacker to create an exploit, and thereafter every other hacker can exploit the same. Like Bruce Schneier says, “2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.”
| ||||||||
References
| ||||||||
| ||||||||
