Expect More Cybersecurity 'Meltdowns'After Meltdown and Spectre, Researchers Will Pummel Microprocessors for Flaws
Technology giants and end users alike are still struggling to figure out how bad the Spectre and Meltdown flaws might be, how to get systems patched and whether those patches might protect users.
Spectre and Meltdown are both flaws in predictive computing, a concept that dates from 1967 but which wasn't put into practice until the 1990s. Since then, the technique has been used to increase the speed of computers in a manner that is built into CPU hardware, including chips manufactured by Intel, AMD and ARM.
"You can't have a free lunch - forever, at least."
Several groups of researchers, working independently, last year discovered that these predictive techniques created an unfortunate side effect: they could be exploited.
The award for the best non-technical description of the problem goes to Scott Hanselman, a Microsoft developer:
Explaining #Meltdown to non-technical spouse.— Scott Hanselman (@shanselman) January 5, 2018
"You know how we finish each other's..."
"No, sentences. But you guessed 'sandwiches' and it was in your mind for an instant. And it was a password. And someone stole it while it was there, fleeting."
"Oh, that IS bad."
Protecting against these flaws requires at least partially disabling processor speed improvements, meaning that fixes come at a cost. Already, Microsoft and others are saying that all servers, and all systems except those with the latest operating systems and CPUs, will see noticeable speed declines after installing Meltdown and Spectre patches (see Performance Hit: Meltdown and Spectre Patches Slow Systems).
Computer scientists and chipmakers may find new ways of improving processor performance without security tradeoffs. But that day has not yet arrived.
Expect More Meltdowns
Having to patch and sometimes re-patch CPUs and critical software may already seem like a nightmare scenario.
Unfortunately, it's one that's likely to become more common, says information security expert Bruce Schneier. "This is bad, but expect it more and more," Schneier says in a recent blog post on Meltdown and Spectre. "Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement."
Schneier sees three trends: First, these flaws often affect consumers devices, many of which are not designed to receive patches. Second, firmware flaws are tricky for consumers to install, and sometimes OEMs never even build and distribute patches. Finally, for 20 years, microprocessors have been built to prioritize speed over security. "Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines," he says.
How many more Meltdown and Spectre types of flaws might they find?
If past bug-hunting efforts are any guide, the world is soon going to learn that there are many more flaws in CPUs than anyone knew.
Life After Heartbleed
In 2014, for example, researchers publicized a flaw in OpenSSL, the open-source implementation of the SSL and TLS protocols, that they dubbed Heartbleed. The flaw could be exploited to steal private SSL keys as well as VPN session tokens (see Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).
"With OpenSSL, once that was shown to have flaws, public attention got focused," says Sean Sullivan, a security adviser at Helsinki-based security firm F-Secure.
One upside was the launch of the Core Infrastructure Initiative, through which a number of leading technology firms - including Amazon Web Services, Cisco, Dell, Facebook, Google, HP and Microsoft, among others - began directly funding the development of critical open source tools, including OpenSSL.
While having researchers take a close look at CPU security will help the world develop more secure CPUs, getting there will inevitably require more potential speed tradeoffs as well as security updates and inevitable patch management pain.
"You can't have a free lunch - forever, at least," Sullivan says. "It's time to pay the piper: The focus has been on speed and performance boosts." And he contends that it's a certainty that more researchers, including academics, will be getting funded to look closely at the security of microprocessor code.
"Because research grants are competitive and people need to produce research papers that are interesting in order to get more grants, there are economic incentives for researchers to go after this stuff now; that's how academics work," he says. "So if anything, you'll see the academic community pursuing vulnerabilities in this class."
Problems: Intel, AMD, Windows
As more vulnerabilities get discovered, some patching errors will be made, as the current state of Meltdown and Spectre security fixes demonstrates.
Already, Intel's firmware fix has been causing numerous systems to suffer stability problems, leading the chipmaker to now recommend that many users avoid updating their firmware, at least for now (see Intel: Stop Installing Patches Due to Reboot Problems).
Chipmaker AMD, which originally said its processors were not affected by the Spectre and Meltdown flaws, now says its chips are at risk from both Spectre variants and that firmware updates will be required. In the meantime, Microsoft stopped rolling out security updates to many systems with AMD processors after they left systems unbootable. Microsoft blamed AMD for failing to share proper specifications with its developers before they coded Windows updates. Both firms say working patches should arrive soon.
Patches: Not Always Foolproof
As Intel, AMD and Microsoft have demonstrated, firmware, operating system and application patches are not necessarily foolproof.
Another potential risk is that patches may themselves create new types of vulnerabilities that could be exploited by attackers. Of course, that's a patching fact of life.
And many vendors are still trying to figure out which of their products are at risk, never mind ship security updates that IT managers can test and roll out. To help, the Meltdown Attacks website, created by the researchers who discovered the flaws, contains security advisories from numerous vendors, as does vulnerability guidance issued by US-CERT.
One piece of good news, at least, is that "there is no known exploit in the wild taking advantage of these vulnerabilities yet," says Mounir Hahad, a cybersecurity researcher for Juniper Networks.
But the bad news is that "there is little doubt that some sophisticated threat actors will attempt to take advantage of unpatched systems in the near future," he says.