
Spectre and Meltdown: Cheat sheet

What are the Spectre and Meltdown vulnerabilities, and how do they affect you? This essential guide will tell you everything you need to know about Spectre and Meltdown.

The revelation of a previously undiscovered vulnerability at the heart of nearly every modern computer caused shockwaves at the start of 2018.

But what are the Spectre and Meltdown security vulnerabilities, and how do they affect you? This guide—which will be regularly updated—will tell you everything you need to know about Spectre and Meltdown.


What are Spectre and Meltdown?

They are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone—allowing hackers to read sensitive information, such as passwords, from memory.

Malicious code running on a computer or even in a web browser could exploit these vulnerabilities to access information held in protected memory.

Meltdown could prove particularly dangerous on unpatched cloud platforms, due to the possibility of malicious code inside a virtual machine being able to read data from the memory of the underlying host computer, with the threat that one cloud customer could steal data from another.


Who does Spectre affect?

Practically every PC, server and smartphone is vulnerable to attacks that exploit the Spectre flaws.

Because Spectre-related attacks exploit the fundamental design of modern processors, they could affect far more processors than Meltdown. All of the major processor manufacturers have a wide range of processors vulnerable to Spectre-related attacks, including those from AMD, Arm and Intel.

Only older chips, such as those used in the $35 Raspberry Pi 3, aren't vulnerable to Spectre-related attacks.


Who does Meltdown affect?

Meltdown only affects devices that have Intel, Apple or Arm Cortex-A75-based processors.

However, given how widely Intel chips are used in PCs and servers, there are still a lot of affected machines, particularly since Meltdown affects Intel chips going back decades: potentially every out-of-order execution Intel processor since 1995, except Itanium and pre-2013 Atoms, is vulnerable.

Apple has also indicated that all iPhones, iPads and modern Mac devices are affected by Meltdown.


How do Spectre and Meltdown work?

To understand Spectre, you need to grasp the basics of how modern computer processors work.

Modern processors accelerate the rate at which they execute instructions by loading data into the processor's on-board cache memory ahead of when it's needed. Data can be retrieved from this on-board cache far more rapidly than from the computer's main memory.


If a processor is executing a set of instructions that branches depending on the input, it will try to guess which branch is most likely to be executed and load the data that branch needs into the processor's cache. These mechanisms, called branch prediction and speculative execution, are what Spectre attacks exploit. The attacker manipulates the processor so that it loads a value from protected memory into the cache. They then attempt to load known data from unprotected memory. If one piece of this known data loads far more rapidly than the others, the attacker can infer that it is being served from the cache, and therefore that it is related to the value stored in protected memory.

Meltdown works slightly differently, taking advantage of a privilege escalation flaw that allows any user able to execute code on the system to access protected memory. This has the effect of neutralizing security models based on address space isolation and paravirtualized software containers.

There are two variants of Spectre attacks: variant 1, known as Bounds Check Bypass and referenced by CVE-2017-5753, and variant 2, known as Branch Target Injection and referenced by CVE-2017-5715. The Meltdown vulnerability, known as Rogue Data Cache Load, is referenced by CVE-2017-5754.

As of February 2018, security researchers had discovered more than 130 variants of malware designed to exploit either the Spectre or Meltdown flaws; however, most were proof-of-concept code rather than samples used in actual attacks.


How can I protect against Spectre and Meltdown?

Patches against Meltdown and variant 1 Spectre attacks are being issued by operating system and virtual machine vendors, with patches rolled out on major operating systems such as Windows and macOS, and automatically applied to most systems.

The Linux kernel has also been patched to help mitigate against Meltdown and Spectre-related attacks, with TechRepublic contributing writer Jack Wallen producing a comprehensive guide on how to check if your Linux-based machine is protected, here.
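One way to do the Linux check described above, as an added example (not the article's or Jack Wallen's code): a shell script that reads the kernel's own mitigation reports and flags anything that is not mitigated. It assumes a Linux kernel of 4.15 or later, which introduced the sysfs files it reads; the status wording it matches is the kernel's, and the sample values in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not code from the TechRepublic article): report the kernel's own
# view of Meltdown and Spectre mitigation status on a Linux host. Since kernel
# 4.15 the files under /sys/devices/system/cpu/vulnerabilities/ each hold one
# line such as "Not affected", "Vulnerable", "Vulnerable: Minimal generic ASM
# retpoline" or "Mitigation: PTI". Wording beyond those forms is not assumed;
# anything unrecognised is reported as "unknown" rather than treated as safe.

# Directory is overridable so the logic can be exercised on constructed files.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE -> prints ok | vulnerable | unknown
# A line that begins "Vulnerable:" still counts as vulnerable even when it goes
# on to name a partial mitigation, which early-2018 kernels did for spectre_v2.
classify_status() {
    case "$1" in
        "Not affected"*) echo "ok" ;;
        "Mitigation:"*)  echo "ok" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# read_status NAME -> prints the status line for NAME, or a note if it is absent
read_status() {
    if [ -r "$SYSFS_VULN_DIR/$1" ]; then
        cat "$SYSFS_VULN_DIR/$1"
    else
        echo "no sysfs entry (kernel older than 4.15, or not Linux)"
    fi
}

# report_host -> prints one line per issue the article covers and returns 1 if
# any of them is reported as vulnerable, 0 otherwise ("unknown" does not fail
# the check; it is left for a human to read).
report_host() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        line=$(read_status "$name")
        verdict=$(classify_status "$line")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$line"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# Invoke as `./spectre_check.sh --report` to check the host you are running on.
case "${1:-}" in --report) report_host ;; esac
```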

Fixes for variant 2 of the Spectre attacks require a computer firmware update, which chip manufacturers and designers such as Intel and Arm are issuing, and sometimes also an operating system kernel update.

Major cloud providers AWS, Google and Microsoft have updated their systems with the latest updates for Spectre and Meltdown, while virtualization provider VMware has issued patches against both variants of the Spectre attacks.

You can find a comprehensive list of affected computer hardware and software, and the patches issued by vendors, here.

Meltdown is easier to patch against than Spectre, due to Spectre-related attacks exploiting a fundamental design choice in modern processors. Because of the difficulty in addressing Spectre, the patches generally mitigate the risk from attacks, rather than blocking them altogether.

The creator of the Linux kernel, Linus Torvalds, has been particularly critical of how Intel is choosing to patch systems against Spectre variant 2, describing the updates as garbage, due to operating system makers having to add code that opts-in to enabling Spectre mitigation.

Most major browsers have also been updated to prevent malicious JavaScript on a website from exploiting the Spectre vulnerability to read from the computer's memory.



How will installing patches against Spectre and Meltdown affect my computer?

While tech firms have been preparing updates to mitigate the Spectre and Meltdown flaws for months, details of the vulnerabilities leaked out early.

In the rush to issue patches there have been multiple instances of Spectre- and Meltdown-related updates causing problems of their own.

Intel told computer manufacturers to temporarily stop rolling out its firmware fix for Spectre variant 2 after reports of unexpected reboots on systems that had applied the fix. The problems were originally thought to affect only systems running older Intel Broadwell and Haswell-era chips; however, Intel later revealed that computers using newer processors were also suffering instability after applying the update.

Microsoft warned that Windows PCs won't receive any further security updates until third-party AV software is verified as compatible with Windows patches for Spectre and Meltdown, although this issue has now mostly been resolved.


And chipmaker AMD worked with Microsoft to resolve problems after the patches caused PCs running on some older AMD Opteron, Athlon and AMD Turion X2 Ultra processors to refuse to boot.

The nature of the Spectre variant 2 flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. A Microsoft analysis of which systems are likely to be worst affected by applying the Spectre fix found the following:

  • Most users running Windows 8 and Windows 7 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance.
  • Some users running Windows 10 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance, with "more significant slowdowns" than on newer chips.
  • Most users running Windows 10 PCs on 2016-era Intel Skylake, Kaby Lake or newer CPUs won't notice a change, due to only "millisecond differences" in operations.

Intel found the same Spectre-related firmware updates can also cause a significant decrease in server performance.

However, the extent of the slowdown was heavily dependent on the nature of the workload and the configuration of the system, with some jobs barely affected and others taking noticeably longer.

Intel tested server platforms running two-socket Intel Xeon Scalable systems based on its Skylake microarchitecture.

The worst affected workloads were those "that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode", according to Intel.

The results found that:

  • Benchmarks to simulate common enterprise and cloud workloads saw up to two percent performance impact. Intel simulated these workloads using industry-standard measures of integer and floating point throughput, Linpack, STREAM, server-side Java and energy efficiency benchmarks.
  • An online transaction processing (OLTP) benchmark modeling a brokerage firm's customer-broker-stock exchange showed a four percent impact.
  • Storage benchmarks varied widely.
    • In FlexibleIO, a benchmark simulating different types of I/O load, a 100 percent write workload that stresses the CPU led to an 18 percent decrease in throughput. However, a 70/30 percent read/write mix saw a 2 percent decrease in throughput, and a 100 percent read workload saw no throughput impact.
    • There was also a wide range of impacts when Intel ran Storage Performance Development Kit (SPDK) tests, which provide a set of tools and libraries for writing high-performance, scalable, user-mode storage applications. Using SPDK iSCSI, Intel found as much as a 25 percent impact while using only a single core. However, using SPDK vHost had no impact.

The potential performance impact on servers is such that Microsoft recommends users "evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment".

Google has produced its own Retpoline update to guard against Spectre branch target injection exploits, which Intel has said "could yield less impact".

Major cloud providers AWS, Google and Microsoft say that, for the majority of workloads, customers should not notice a difference in performance following the updates. However, there have been reports from some customers of a drop-off. AWS customer Epic Games attributed a more than 20 percent spike in CPU load on a cloud server hosting games of Fortnite to the impact of the Spectre and Meltdown patches.

Virtualization vendor VMware has also warned that the resulting increase in CPU utilization after applying fixes for Spectre could result in organizations discovering they need to increase the size of clusters of virtual machines where previously they had sufficient capacity.


Will buying a new processor help?

Yes, to an extent: newer processors appear to suffer less of a performance penalty after applying patches against the security flaws.

However, the fact that Spectre exploits a fundamental aspect of modern processor design, one that has delivered significant performance benefits, means that chipmakers can only do so much when designing new processors.

Rewriting the fundamental architecture of modern CPUs will not be a fast process, and in the meantime it will likely mean continuing to use processors that either have some degree of insecurity or perform significantly worse when it comes to certain tasks.



About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
