Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

Countermeasures to protect apps from attack

Analysis Intel has borne the brunt of the damage from the revelation of two novel attack techniques, dubbed Meltdown and Spectre, that affect the majority of modern CPUs in various ways.

The chipmaker's stock price is down, and it's being eyed for possible securities litigation, following reports CEO Brian Krzanich sold the bulk of his Intel shares after the biz had been made aware of the flaws.

In its defense, Intel has said other chip designers are also affected. While the Meltdown vulnerability, a side-channel attack that allows user applications to read kernel memory, is known to affect Intel processors (and the Arm Cortex-A75 that is yet to ship). The other vulnerability, Spectre, meanwhile, has been demonstrated on Intel Ivy Bridge, Haswell and Skylake processors, AMD Ryzen CPUs, and several ARM-based Samsung and Qualcomm system-on-chips used for mobile phones.

But Spectre will be harder to mitigate than Meltdown because the most effective fix is redesigned computing hardware.

"We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign," said Daniel Genkin, one of the authors of the Spectre research paper and postdoctoral fellow in computer science in the University of Pennsylvania and the University of Maryland, in the US, in an email to The Register.

CERT in its January 3 vulnerability note for one of the two Spectre CVEs said the solution is replace CPU hardware, noting, "Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware." That passage was deleted from a subsequent revision of the vulnerability notification.

Coincidentally, Intel on Thursday declared it has developed and is in the process of issuing patches to its manufacturing partners that render its hardware "immune from both exploits" – meaning both Meltdown and Spectre.

Bullshit. While it has Meltdown covered, Chipzilla only has half of Spectre in its sights. The patches and firmware available now for Intel processors are:

  • Operating system updates for Linux, Windows and macOS, that separate kernel and user spaces, and kill the Meltdown vulnerability. On Linux, this fix is known as Kernel Page Table Isolation, aka KPTI.
  • On pre-Skylake CPUs, kernel countermeasures – and on Skylake and later, a combination of a microcode updates and kernel countermeasures known as Indirect Branch Restricted Speculation, aka IBRS – to kill Spectre Variant 2 attacks that steal data from kernels and hypervisors.
  • That leaves Spectre Variant 1 attacks, in which rogue software can spy on applications, unpatched. It's a good thing this variant is difficult to exploit in practice.

Intel is in denial. It insisted the vulnerabilities identified do not reflect flaws in its chips. "These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to," the company said.

Thus, we're asked to believe that Intel and its peers are racing to fix products that are in perfect working order and functioning as designed, even as the security researchers who developed these attacks contend hardware will need to be redesigned to cover all bases.

For what it's worth, Intel and AMD CPUs, and selected Arm cores, are vulnerable to Spectre Variant 1 attacks. Intel and Arm said Arm cores are vulnerable to Spectre Variant 2. Only Intel CPUs and one Arm core – the yet-to-ship Cortex-A75 – are vulnerable to Meltdown.

Oh, and Apple's Arm-compatible CPUs are affected by Meltdown and Spectre, too, but we'll get to that later.

We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare


Patches to address Meltdown have already started to appear for the aforementioned operating systems, and they come with a performance hit, one that varies with the computational workload and hardware in question.

Linux kernel supremo Linus Torvalds has suggested a five per cent slowdown should be typical; Willy Tarreau, CTO of HAProxy and a Linux kernel contributor, has reported a 17 per cent slowdown; worst-case scenarios have been as high as 30 per cent.

Amazon Web Services confirmed to The Register that its deployment of the Meltdown mitigation has been noticed by AWS customers, though it stressed the impact on virtual machine performance isn't particularly significant.

Your mileage may vary

On Thursday, Matt Linton, senior security engineer at Google, and technical program manager Pat Parseghian, expanded on previously published vulnerability info with another blog post.

Responding to concerns about slowdowns arising from KPTI, they said, "Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."

The Register asked Google whether it could quantify the performance hit it has seen on its systems, but has not yet received a reply.

In any event, dealing with Spectre is likely to slow computing operations further, beyond the Meltdown tax. And Spectre is everywhere: laptop and desktop computers, servers in data centers, and smartphones. It can affect web applications and virtual machines.

To reduce idle time, most modern chips speculate about future instructions while processing present ones, a process known as speculative execution. If they guess, right, they save time; and if they guess wrong, they just toss errant predictions and are not worse off than if they'd just sat idle awaiting the next instruction.

Taken together, the right and wrong guesses still process data faster than just waiting around for every instruction to be executed in a serial fashion, one after another.

Spectre attacks dupe the processor into making guesses about future instructions that wouldn't otherwise be allowed, and thereby can gain access to privileged information within the kernel address space, or data in other running processes.

Basically, those designing affected processors didn't anticipate this scenario. They built a fence around their execution engines, and were satisfied with their security and privacy protection – until Google Project Zero researchers, and other experts, brought a ladder to the party and broke their security model.

Two Spectre attacks have been demonstrated, a bounds bypass check, aka Spectre Variant 1, and branch target injection, Spectre Variant 2, both of which the Project Zero researchers have explained in more detail than most would care to consider.

Fixing the bounds bypass check attack requires analysis and recompilation of vulnerable code; addressing the branch target injection attack can be dealt with via a CPU microcode update, such as Intel's IBRS microcode, or through a software patch like "retpoline" to the operating system kernel, the hypervisor, and applications.

In other words: to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you're on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. It's not particularly clear, through all the noise and spin this week, which kernels have been built and released with countermeasures, if any. A disassembly of latest Windows releases suggests Microsoft is, for one, on the case.

It's not a straightforward process. It's messy, and Chipzilla is trying to simplify the situation to impress investors and right its share price. Yes, Meltdown is under control. Spectre not so much, and it's going to take a little while longer to straighten out. That's time Intel can't afford.

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018