Some of you may have seen news recently about a bug with Intel chips that required rapid fixing. Updates have been available as of Wednesday evening on many systems to minimize the risk of cyber threats. The bug is actually two bugs, codenamed “Meltdown” and “Spectre.” The former affects almost all Intel and Apple chips dating back at least 10 years, as well as at least one recent high-perfomance ARM chip; the latter affects just about every chip manufactured by anybody over that time.
Articles in ARS Technica and TechCrunch provide solid explanations of the bugs—the first article gives an explanation of the vulnerabilities in some level of detail, whereas the second is geared more toward a non-technical audience. Here’s an explanation of our own, which we hope will be of use to you. We’ve provided a longer technical explanation in the next section, followed by a shorter explanation by analogy.
The vulnerabilities revolve around something called speculative execution. Modern processors have pipelines of instructions, and they try to perform instructions in parallel as much as possible. For example, if one instruction doesn’t depend on the result of the previous one, these instructions can be run in parallel. Speculative execution is when the processor starts executing instructions without yet knowing whether or not it should. If it turns out that the processor didn’t need to execute these instructions, it throws out the result; if it turns out it did, the processor has managed to save a bit of time. As long as the processor is right sufficiently often, this results in substantial savings. There are a number of reasons why a set of instructions might not end up needing to be executed. A simple one is a basic “if” condition:
If X < 0, do stuff.
In this case, the processor might start to “do stuff” before it has checked whether or not X < 0. Another case where instructions would not need to be executed is if the program doesn’t have the access privileges to execute them. Operating systems typically separate memory and programs into a number of “rings” of access privilege. The highest access level is Ring 0, the supervisor level, and the lowest level is Ring 3, the user level. Ring 0 memory is used to store sensitive information relevant to the operating system’s state, as well as things like passwords stored in memory. A program running in Ring 0 has access to everything in memory, whereas a program running in Ring 3 only has access to Ring 3 memory.
According to Wednesday’s ARS Technica article, Intel chips allow for the speculative execution of instructions that write to Ring 0 memory, even from Ring 3 programs. The execution may start, but it is (correctly) blocked, so the user program shouldn’t be able to access anything in Ring 0. Unfortunately, it appears that there’s a side effect to this speculative execution, in that Ring 0 data is loaded into a cache. The vulnerability seems to be that the Ring 0 data loaded into cache can be read under certain conditions, allowing for a user program to gain access to sensitive data.
Explanation by Analogy
That was a rather long, technical explanation, so here’s a short analogy. You get an email marked “urgent” from a client asking you to perform calculations on some confidential data and return the result, which the client tells you needs to be done as soon as possible. You’re not sure whether or not the client should actually have access to the data, so you ask a co-worker to find out. While waiting for the co-worker to respond, you decide to perform the calculations to get a head start so that you’ll have the results ready if you’re told the client should indeed have access to the data. You take out a pad of paper and start the calculations. The co-worker gets back to you stating that the client should not have access to the data. You correctly tell the client that you can’t reveal the information; however, the client somehow gets access to the notepad with the calculations before you have a chance to shred the sheet of paper.
That’s the explanation for the Meltdown vulnerability. The Spectre vulnerability is similar, in that it’s also a consequence of speculative execution. However, it appears that this vulnerability is caused by other kinds of speculative execution carried out by a wider range of processors, encompassing almost all processors made over the last decade
The Meltdown vulnerability has already had patches issued to address it in a number of systems. This includes automatic Windows 10 updates (with the caveat that the updates may not have been automatically installed if the computer has third-party antivirus, which can cause problems with the update), optional Windows 7 updates (which are due to become automatic next week), as well as updates for Apple systems and various Linux based systems. These patches can potentially slow systems down by 5 to 30%, which is significant. This may come down over time, as it appears that the issued solution is the most straightforward but also the most costly. The Spectre vulnerability doesn’t appear to have a mitigation at present.
It should also be noted, as the TechCrunch article does, that the various software companies had been working on patches/mitigations for months, but that the publication of another article in The Register seems to have forced them to issue patches earlier than intended. It’s possible that a better solution for Meltdown and at least some solution for Spectre were in the works when the article came out. One could speculate, for example, that the reason the patch for Meltdown that was ultimately released was so costly from a performance point of view could be because this was the best they could publish before completing a different solution they were still working on.
Obviously, the percentage of potentially affected systems is enormous (it would be appear to be close to 100%). However, a number of articles mention that, for desktop users at least, these vulnerabilities are only a problem in combination with other vulnerabilities. From the first ARS Technica article: “For typical desktop users, the risk is arguably less significant. While both Meltdown and Spectre can have value in expanding the scope of an existing flaw, neither one is sufficient on its own to, for example, break out of a Web browser.” The TechCrunch article mentions another piece of good news, which is that attacks for these vulnerabilities are not easy to execute remotely (i.e., malware used in such an attack would have to run on the targeted computer itself).
On the other hand, there is also mention of the fact that it could break virtualization, which means it would be a major problem for cloud service providers. Virtualization is what prevents users of the cloud from accessing the underlying operating system, or from accessing other users’ data, even when that data is physically located on the same computer being accessed. It would appear that both AWS and Azure have already taken steps to guard against Meltdown.
Without knowing under what conditions these vulnerabilities can be exploited, it’s difficult to assess the potential impact. One can guess that it’s significant given the fact that Microsoft has made their Windows 10 update automatic despite the significant performance hit.
The best advice in this case is the same as in any other: Check if updates are available, and install them without delay if they are.