Windows 10 News and info | Forum
Author Topic: Spectre and Meltdown are just as bad as you think  (Read 423 times)
« on: January 04, 2018, 10:23:26 PM »

When security researchers encounter a security vulnerability, it's usually because a programmer messed up somewhere. A buffer overflow here. An unsanitized input there. They all add up to introduce an element of insecurity.

Meltdown and Spectre are different. These two threatening issues aren't the result of the program running on the computer, but rather the computer itself. Flaws buried deep in the architecture of most modern CPUs have presented a golden opportunity for bad actors to access privileged information held in memory.

Most computers contain iron-clad spaces where data can pass securely in an unencrypted, visible form. These work by limiting the access to that data from other applications and processes.

But Meltdown and Spectre undermine these safeguards. If exploited, they could result in an adversary accessing things like passwords and privileged data. Here's everything you need to know about the current security nightmare du jour.

Meltdown is bad

Meltdown was dubbed by Daniel Gruss, one of the researchers that discovered the vulnerability, as "probably one of the worst CPU bugs ever found." It primarily affects CPUs made by Intel, although ARM has introduced countermeasures to protect it.

While Meltdown and Spectre are both similar, what distinguishes Meltdown is that it pertains to the protective barriers between the underlying operating system and applications running on it.

Intel is by far the biggest CPU maker out there, and Meltdown affects every processor produced by the company since 1995. The researchers behind Meltdown have created a webpage that discusses the vulnerability at length. In the page's Q&A section, it asks "Am I affected by the bug?"

The answer couldn't be starker: "Most certainly, yes."

It's worth noting that there are two notable exceptions. If your machine runs an Intel Atom CPU released prior to 2013 or an Intel Itanium CPU, you should be fine.

The researchers that discovered Meltdown have acknowledged it's comparatively easy to exploit. The good news is that it's relatively easy to mitigate against. Although the issue is born from the device's CPU architecture, users can be protected through software patches.

Vendors have quickly sprung into action, and a steady stream of patches has emerged. We'll talk about them later. Before we get to that, let's talk about Meltdown's scary big brother, Spectre.

Spectre is worse

Remember when I said that Meltdown affects the barrier between the operating system and the application? Well, Spectre muddies the water between applications, allowing Program A to steal the secrets of Program B.

As pointed out by The Register, it could also be used to extract secrets from the same process the exploit is running on. Chris Williams, The Register's US editor, gives the example of malicious JavaScript in a web page being used to extract authentication tokens from the memory of a web page.

It's worth mentioning that a JavaScript proof-of-concept already exists, making the browser a viable attack vector for Spectre.

Williams mentions that this could be a nightmare scenario for those using virtual servers. He points out that it could be possible for a user with administrative access to a virtual machine on a KVM system to use Spectre in order to access the host's kernel memory. Per Google:

When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.

Unlike Meltdown, Spectre is vastly harder to mitigate against. A simple software patch isn't enough. One solution is for developers to rebuild their applications with countermeasures against the attack.

That's tricky for two reasons. Not every developer will do the legwork, and not every user will bother to install the patch.

Alternatively, users can wait for a chipset microcode patch to be issued. At this point, neither AMD nor Intel have done that.

The one big thing that makes Spectre measurably worse than Meltdown is that it impacts a broader swathe of the devices we use. Intel CPUs are impacted, of course. But so too are AMD's chips.

Spectre also impacts a significant chunk of ARM chips. These aren't just found in phones and tablets, but also Internet of Things devices.

It's horrifying to think, but literally, every stratum of computing is affected by this.

Fixing Meltdown has a measurable CPU performance cost

As mentioned, vendors have jumped into action to release software fixes to Meltdown. Unfortunately, there's a pretty nasty side effect. Users who patch their systems may experience significant system slowdown. This ranges from 5 percent to 30 percent, according to Michael Larabel writing in Phoronix.

It's worth mentioning that there is a major caveat here: the slowdown you'll experience will ultimately depend on what you're using your computer for.

Gamers, for example, should emerge relatively unscathed as the bulk of computational legwork is done by the graphics card.

Similarly, if you use your computer for the basics, like emailing and browsing the Internet, you should be alright. These tasks don't interact with the kernel, and aren't exactly what you'd consider to be CPU intensive.

Put bluntly, if you're an ordinary computer user and you're worried about a scenario where your machine feels like a Compaq desktop from 1998 that's laden with mountains of toolbars and Bonzi Buddy, don't be. It won't be that bad.

The biggest hit will be felt by those who use their machines to perform CPU intensive tasks that interact with the operating system's kernel. Think databases, virtualization, and compiling software.

Larabel benchmarked a series of tests on a computer running Ubuntu 16.04.03 LTS. For comparison, he used a latest-gen Core i7 8700K "Coffee Lake" CPU, as well as an older "Broadwell" Core i7 6800K processor.

The biggest performance hit was felt when he ran the FS-Mark v3.3 and CompileBench benchmarking tests. Both tests look at file system performance, which spells doom for machines that perform a lot of disk I/O, like a file server.

He also noticed a slowdown when using the popular PostgreSQL and Redis database systems. This trend has been observed by others.

Fortunately, applications that are "limited to user-space activity" should emerge unscathed. One of the tests Larabel performed was converting a video file with FFmpeg. Any slowdown here was barely noticeable.

Intel handled this badly

Intel has attracted a lot of flak as a result of Meltdown and Spectre. This is due to the fact that Meltdown is an issue that affects Intel silicon. In the interest of fairness, it's worth mentioning that Spectre affects pretty much every modern processor from all major manufacturers. ARM, AMD, you name it.

Intel's response was sharply criticized as being PR spin, however. Writing in The Register, Thomas Claburn scathingly accused the company of minimizing the threat posed by the two vulnerabilities, misleading users, and passing the buck to other chip vendors.

Some of the harshest criticism came from Linux founder Linus Torvalds. Writing on the Linux Kernel Mailing List, he said that Intel should take "a long hard look at their CPU's [sic], and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."

"Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything?'," he asked.

It doesn't help that Intel's CEO, Brian Krzanich, is accused of selling off a significant amount of stock after the company became aware of the vulnerabilities.

In November, Krzanich dumped $24 million worth of shares. Intel was informed of the issues several months prior. This, obviously, is pretty poor optics. And it goes without saying that Intel's share price took a massive dint after the news of Meltdown and Spectre became public.

If you can, you should patch your system

It's time to update your system. Meltdown and Spectre are both serious security issues. As previously mentioned, vendors have begun to release patches, which are gradually making their way to consumers.

Forbes' Thomas Fox-Brewster has done some amazing work and compiled a list of all available fixes. If one is available for your system, you really ought to download and install it.
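
To confirm that a patch actually took effect on a Linux machine such as the Ubuntu system used in the benchmarks above, the following added example (not part of the original article) classifies the per-issue status lines that Linux 4.15 and later, plus distribution backports, report under /sys/devices/system/cpu/vulnerabilities. The SAMPLE values and function names are constructed for illustration.

```python
"""Added example: classify Meltdown/Spectre mitigation status on Linux."""
from pathlib import Path

# Linux 4.15+ (and distro backports) expose one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: Meltdown patched in software, Spectre still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status):
    """Map one raw status line to a coarse verdict."""
    if status is None:
        return "unknown"  # file absent: kernel predates the interface
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory=SYSFS_DIR):
    """Return {issue: raw status line, or None if the file is missing}."""
    result = {}
    for name in ISSUES:
        try:
            result[name] = (Path(directory) / name).read_text().strip()
        except OSError:
            result[name] = None
    return result


def report(statuses):
    """Return {issue: verdict} for the three issues tracked above."""
    return {name: classify(statuses.get(name)) for name in ISSUES}


def needs_action(statuses):
    """Issues that are still vulnerable or that the kernel cannot report on."""
    return sorted(n for n, v in report(statuses).items()
                  if v in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(live.values()) else SAMPLE
    for name, verdict in report(source).items():
        print(f"{name:12} {verdict:13} {source.get(name)}")
```

A missing status file is reported as unknown rather than safe, since a kernel too old to expose the interface is also too old to carry the fixes unless the distribution backported them.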

As mentioned earlier, the browser is a potential attack vector for Spectre. To protect yourself, ensure your browser is regularly updated. Mozilla has already issued a mitigation for Firefox.

It'll be interesting to see what happens next. As was the case with ShellShock and HeartBleed, vulnerable systems continued to exist long after the issue became public knowledge and was addressed by vendors.

This time around, the issue isn't a software issue, but rather something much lower-level. Spectre, in particular, is fiendishly difficult to mitigate against. I suspect we'll see vulnerable systems continue to float around for a long time.

Spectre is an issue on ARM but is purportedly extremely difficult to execute. Furthermore, a fix was part of the January patch issued to Nexus and Pixel devices by Google.

I doubt owners of older devices from other, less committed manufacturers will be as lucky though. Given the fragmented Android landscape, I predict that a sizable swathe of Droid users won't see a patch at all.

It's also interesting to see what happens next. In a separate blog post, Fox-Brewster raised the interesting point that if a similarly catastrophic issue emerged in the automotive industry, cars would be recalled.

Will Intel recall its chips and issue replacements or refunds? I seriously doubt it. There is a myriad of reasons why this will never happen: from cost to logistics, to the fact that many affected chipsets are no longer in production.

But the fact is users (particularly in the enterprise world) are faced with an unenviable choice: either accept a significant slowdown in their systems or remain catastrophically insecure.

It's a deeply unenviable situation. Suffice to say, I think the next few weeks will be eventful for Intel, and for the broader semiconductor industry.

« Last Edit: January 05, 2018, 03:28:09 AM by javajolt » Logged
