Imagine for a moment that you own a house with a persistent termite problem. You do what you can to stop the pests: protecting your support beams, closing off entry routes, monitoring for any signs of infestation. You know you may not be able to completely remove the termites, but you believe that you can at least minimize the damage and reduce the number of infestations you experience. Maybe with a few upgrades to the house and the right pest solution, you can even reduce the problem to a negligible state.
Now imagine the company who built your home announced that the foundation is made of softwood and that termites could reach it every time you opened any door in the house…and that the same problem applies to all of the houses in the world.
That’s about on par with how the revelations about Meltdown and Spectre felt like to cybersecurity professionals. The truth that microprocessors’ native functions could result in key memory compromises—and that even if remediation is possible it would result in significant operational slowdowns—left many shocked and reeling. That these issues have existed undetected for the past two decades, affecting virtually every computer and mobile device built since 1995, only fueled the collective anxiety.
These issues, nicknamed Meltdown and Spectre, are still being parsed, patched, re-patched, and debated at time of writing. It can be hard for anyone to wrap their head around. We’ve already provided our own coverage and spoken with Neil Weitzel of Cygilant about these monumental security vulnerabilities, but this story continues to unfold. At this rate, it may prove one of the most devastating discoveries in InfoSec history. We want to make sure you have all the information you need to adequately understand and prepare against Meltdown and Spectre. Here’s what we’ve learned:
A Quick Refresher
Spectre and Meltdown are security flaws embedded in the operation of microprocessors. Chips by Intel, Arm, and AMD—the three largest microprocessors manufacturers—all contain it; experts believe flaws are inherent in the design, rooted in the race for greater processing speeds during the home computer revolution of the mid-to-late 90s.
It all comes down to speculative execution. Microprocessors achieve their incredible modern speeds by essentially predicting what operation they will need to do next—the user has activated X, therefore I will be called to activate Y—and prerunning it so it can launch it quickly. But by prerunning operations early, speculative execution opens a backdoor to the operating systems’ normally secured kernel memory—where the most important data, passwords, and documents are stored. Meltdown and Spectre are the exploits of this backdoor.
Returning to the earlier metaphor, it doesn’t matter how many barricades you place on the walls, the house’s foundations are fragile and weak, ready to collapse with the right push.
Intentional Delays in the Response
All of the microprocessor manufacturers were made aware of Meltdown and Spectre sometime around June 2017. The public announcement of the flaws’ existence did not occur until just about two weeks ago (at time of writing).
On one level, this does make sense—reporting the issue without having some sort of patch in place is like setting out the welcome mat for hackers to conduct zero-day attacks. It is customary for solutions providers and manufacturers, once made aware of a security hole, to take a few months to explore the issue and generate a patch.
However, the patches for Meltdown and Spectre seemed to take much longer than expected, and some writers have criticized the manufacturers for a lack of transparency. Initially, the plan for Intel was to disclose Spectre and Meltdown during CES, the world’s largest technical show, with the news under embargo until then. But the truth was revealed slightly earlier than expected, as discoveries by independent researchers forced everyone’s hand. When the news did come out, there were serious deployment issues, as if the manufacturers were still unprepared. We’ll discuss that in more in detail below.
Adding fuel to the suspicions, Intel’s CEO Brian Krzanich sold the maximum amount of stock he is legally allowed to in Q4— before the news became public but after Intel was informed of Spectre and Meltdown. There is now a very real possibility of an SEC investigation. Even if the sale was legal as Krzanich contends, it does not speak confidence to Intel’s (and other chip manufacturer’s) ability to solve the problem.
Meltdown and Spectre are Actually Three Different Vulnerabilities
Yes, despite having two names, Spectre and Meltdown are in fact three variations on the same abuse of the speculative execution processes. Spectre is actually two different vulnerabilities that forces programs to reveal secure data to attackers. It requires more sophisticated knowledge of the program’s inner mechanics and only works on individual programs, but it can work on almost any chip. Both variants are more challenging to fix than Meltdown, with the second variant “Branch Target Injection” proving to be extremely difficult to solve without serious performance compromises.
By contrast, Meltdown uses speculative execution to gain access to all of a systems data that would normally be secure, including the data of other programs and information that only administrators should have access to. While easier to “solve,” many of the complaints of slow downs we’ll explore in more detail below stem from the Meltdown mitigation processes.
The Patches Aren’t Working Well…Or Aren’t Being Deployed at All
To their credit Intel, Arm, AMD, Microsoft, and Google among others are releasing patches and possible solutions as quickly as they can to fix Spectre and Meltdown. But problems with the patches are emerging. Overall, the patches have been reported as buggy and potentially damaging.
Intel has asked people to no longer use the microcode update to defend against Spectre after numerous reports of systems crashes from the patch. Microsoft had to halt deployment of the AMD chip patch after complaints arose that they were causing Blue Screen of Death errors. In the first days of the patches, the patches were known to clash with certain anti-virus solutions; Microsoft responded by essentially holding all of its updates hostage until solutions providers registered as compatible with the patches.
Even though most solutions providers should be integrated with the patches now, older solutions or apps that no longer update should be removed as the manufacturers will not create patches for them. Indeed, endpoint security vendor Crowdstrike notes that those most at risks are those with older browsers and lesser-known applications with vendors not up-to-date with these vulnerabilities—and the microprocessor manufacturers appear to be confirming this observation. Intel only provided patch benchmarks for the latest Intel processors, leaving older models behind.
Microsoft withdrew its AMD systems patch after crashes, and industrial manufacturers are experiencing product driver incompatibilities with Meltdown patches and are currently avoiding implementation until these are resolved.
No One Has Weaponized Meltdown or Spectre…Yet
As of time of writing, no wild permutation of a Meltdown and Spectre attack has appeared. That’s the good news. However, researchers state with confidence that hackers are getting closer by the day; their academic studies have gotten remarkably close to cracking how to utilize the exploits. That’s the bad news.
If the patches cannot adequately protect against Spectre and Meltdown by the time a hacker figures out how to weaponize them, then literally almost every person on earth is left vulnerable. Sensitive data will have no respite, and sandboxing would be an exercise in futility. It would represent some of the most potent malwareless attack vectors ever conceived.
It’s an apocalyptic vision, yes. But not necessarily an inaccurate one. The possibility of a zero-day attack increases by the day.
The Patches Will Negatively Affect Performance On Some Systems
Between the reports of incessant reboots resulting from the patches and inadequate protections, a more basic issue has also emerged: because the patches affect a process that boosts the performance of operating systems, the patches will have a negative effect on that performance. It stems from the need to increase the kernel memory’s overhead, increasing its protections but also bloating its processes.
Intel was initially bullish that the slowdowns would be minimal at best, but over time their message has become increasingly bleak. Most recently, they contend that the performance impacts shouldn’t be “significant” for “average” computer users, without defining their terms. Perhaps the problem lies in the individuality of the endpoints affected; the particular chip in each computer and mobile device, the age of their operating system, and the apps they run all affect the potential slowdown time. General estimations on processing slowdowns range from 5% to 30%.
Microsoft in particular has been transparent about these issues, warning Windows Servers customers of more significant performance impacts and other customers to hold off on firmware updates if they don’t run untrusted code. The impact of the Meltdown and Spectre patches is that bad.
What Should You Do?
Arm CEO Simon Segars noted that Meltdown and Spectre may only really be the beginning. What has been deemed safe for years may yet prove vulnerable. The problems stems from the hardware, and according to experts nothing less than a complete physical microprocessor overhaul could actually totally eradicate the problem. Yet none of the microprocessor manufacturers are offering anything more than software patches—bandaids for major gashes. Therefore none of the patches will be 100% effective against the inevitable Spectre and Meltdown attacks; indeed, it will be hard to know how effective they will be at all.
There are still some best practices you can do to fortify your enterprise against Spectre and Meltdown. First, as expensive as it may be, it may be time to evaluate what endpoints and operating systems you can afford to update. Intel and other microprocessor manufacturers have made it clear that they will not be providing patches for older endpoints, operating systems, and apps. See if you can make updates without compromising valuable data and intra-office processes. Additionally, check your anti-malware and SIEM solutions and make sure they are compatible with Spectre and Meltdown patches; if your solution has been end-of-lifed it is definitely time for a change.
Second, reports suggest that Google’s Retpoline tool—developed by their internal response team—is effective against the second variance of Spectre. The second variance is considered one of the most difficult to patch for and potentially the worst of the three issues to suffer. According to reports, Retpoline has only a negligible effect on performance. It might be worth seeing if it compatible with your endpoints, OS, and solutions.
Finally, staying informed is the best policy when it comes to fighting against Spectre and Meltdown. Keep abreast of announcements by Intel, Arm, AMD, Microsoft, and Google—Google alerts are often a handy tool for staying up-to-date—and listen to what they recommend on doing to keep yourself protected. Coordinate with your IT and cybersecurity teams to see how you can execute on their recommendations. Check with your solution provider, as third party patches are becoming more prevalent and effective at containing the problem.
Above all, stay vigilant. These spectres will follow us for some time.
Latest posts by Ben Canner (see all)
- 5 Key Security Analytics Capabilities for Security Operations Centers - October 17, 2019
- 40 Percent of Security Practitioners Don’t Report to the Board - October 15, 2019
- What Do SIEM Components Actually Do For Enterprises? - October 10, 2019