Fears continue to mount regarding the Meltdown and Spectre vulnerabilities that were highlighted earlier this month.
Both vulnerabilities, which are separate but similar, can be traced back to a design flaw that was introduced 20 years ago. Three different sets of researchers uncovered the Spectre vulnerability in June 2017 prior to uncovering the Meltdown flaw in July 2017.
We are all asking why it has taken 20 years to discover the vulnerabilities and what is the true risk to the technology industry and its customers?
Back In Time
Since the 1990’s memory access times have improved ten-fold, while the speed of the central processor (CPU) has increased by a factor of 1000. To allow the CPU to talk to the slow memory, most modern chipsets are designed with a technique called “speculative execution”, where a processor will read ahead and take snipets of code before it is needed in order to save valuable nonosecods in performance.
While the technology risk with a cyber security vulnerability can not be overstated, it is important to understand both flaws in more detail:
|Meltdown breaks the most fundamental principle for isolating user applications and ‘melts’ the virtual walls separating digital memory from diffident programs.
The vulnerability, which primarily affects Intel chips manufactured since 1995, could allow an adversary to access the memory and secrets of other programs, such as passwords, encryption keys and payment details. This applies both to personal computers as well as cloud infrastructure.
While Meltdown is easy to exploit, the good news is that the flaw can be fixed and Technology vendors are rushing to release software patches.
|Spectre enables a rogue program running on an affected chip to trick a legitimate application to divulge sensitive information.
The Spectre flaw affects most modern processors, including Intel, AMD and ARM which are used in Apple, Dell, HP, Microsoft, Google, Amazon computers and smartphones.
While Spectre is harder to exploit than Meltdown, it is significantly more difficult to fix. Widely known exploits can be partially mitigated through new software patches. A lasting fix is expected to require new hardware which has not yet been designed or manufactured.
The software fix for Meltdown, moves the core operating system program, or kernel, into its own dedicated virtual memory space, protecting it from potential exploits. A significant downside is that the fix introduces an additional processing overhead, potentially slowing down the system.
It is anticipated that high performance activities, such as heavy disk storage, network activity and system calls, will be impacted with a 30% degradation in performance. Light workloads, such as simple web servers, will be mildly affected.
Partial mitigations for Spectre, which involve recompiling software with specific countermeasures, are expected to have a further negative impact on processing performance.
Industry advice is to install new software patches as soon as they become available.
Providers of cloud-computing services, such as Amazon Web Services and Google, which have data centres will millions of computers, are thought to be are most at risk. Their business model is critically dependent on the appearance of strong security and moats around the cloud computing client.
Rogue actors could rent capacity as a cloud tenant and steal sensitive information, such as passwords and account numbers, from their virtual neighbours.
While it is recognised that the technology industry is responding to the threat, any degradation in performance could be the equivalent to tens of thousands of computers for the cloud providers.
A drop in CPU performance will be equally worrying for cloud subscribers, who are typically billed by the hour or second. They could face skyrocketing bills if cloud usage rises substantially to apply the fixes, or support existing cloud processing payloads.
Both Spectre and Meltdown has shaken the heart of the technology industry which has historically prioritised processor speed over security. While this is the first major security vulnerability that has impacted a new generation of cloud providers, security has to be designed in as a critical perquisite for our new highly connected and networked world. Meltdown will soon be forgotten, but Spectre will challenge cloud organisations and its customers for years.
Call me to discuss how to strengthen the cyber security resilience of your organisation.
Email : ian@IanAlderton.com