2018 started with a bang when The Register reported on a design flaw affecting all Intel CPUs. You might think of the CPU, or Central Processing Unit, as the ‘brain’ of the computer. It is a chip executing the millions of instructions that make up any program. The design flaw does not just affect Intel CPUs but also CPUs manufactured by ARM and AMD. Together, Intel and AMD own the entire PC/server/laptop market. ARM processors mostly power mobile devices. This means that the vulnerability affects just about every computing device in the world. The true scale of the vulnerability is not clear yet. Together MELTDOWN and SPECTRE might very well be the largest security flaw in history.

Timeline

As early as June 2017, researchers reported variants of the security holes to CPU vendors. Security researchers commonly follow a practice called ‘Responsible Disclosure’. They will inform affected vendors and keep the details secret to give the vendors time to remedy the issue. This practice makes sure vendors have time to properly fix the issue, while they can be held accountable by their users. Since we value both security and transparency, Clocktimizer has a responsible disclosure policy too.

During the fall of 2017, programmers around the world were frantically developing patches to plug the security holes. Linux kernel maintainers submitted the first patches in November. Microsoft started deploying the fix to their cloud environment Azure in the final days of 2017. All this activity did not go unnoticed, allowing The Register to reveal the issue. Please note that all our cloud services are hosted on Azure and have been patched.

Explanation

So how exactly can a design flaw cause a security issue? To understand this, you need to know a little bit about how modern computers work.

Branch prediction

CPUs become faster every year. Initially, this speed increase was driven by increasing clock speeds. In 1982, the Commodore 64 had a clock speed of 1 MHz. This means that it could execute one million instructions every second. That already is mind-bogglingly fast but nowhere near as fast as modern computers, which can execute billions of instructions per second. Even your cell phone is at least a thousand times as fast as the Commodore 64.

Because of the laws of physics, CPU manufacturers were unable to raise the clock speed further. Light only travels a couple of centimeters during one instruction cycle. If clock speeds increased further, signals simply would not have enough time to reach the other end of the motherboard. That’s why modern CPUs employ a strategy called Branch Prediction. Simply put, the CPU guesses what the next instruction might be. If the guess was right, the CPU can gain precious clock cycles by working ahead. If you think it sounds complicated, you are right. In fact, it is so complicated that a critical security flaw lingered unnoticed for years.

Kernel

Every computer has an operating system, which allows programs to access different parts of the device they are running on, such as memory, the display and the hard drive. Windows, iOS, Android and Linux are all examples of operating systems. Each operating system has a so-called ‘kernel’ which governs which resources can be accessed by an application. The kernel acts like a gatekeeper and makes sure that one application can’t read the memory used by a different application. However, during branch prediction the CPU erroneously omits some of these gatekeeper checks.

Because of the design flaw, malicious programs can trick the kernel into releasing information belonging to different programs running on the same computer. Broadly, there are two possible ways to do this. These twin ‘attacks’ have been christened MELTDOWN and SPECTRE by the security community.

MELTDOWN

The MELTDOWN attack only affects computers with Intel CPUs. Since Intel has a market share of more than 75% of the PC market and, crucially, the server market, this is a big problem. MELTDOWN theoretically allows malicious programs to steal passwords and other sensitive information from computers. Although currently (5-1-2018) there are no known attacks, it is probable that the first exploits will appear in the wild soon. The attack can be exploited using JavaScript, the language powering every web page. Just visiting the wrong web site might be enough. The good news is that all major operating system vendors have released patches for MELTDOWN.

SPECTRE

The SPECTRE attack is the more insidious of the duo. It is a lot harder to exploit than MELTDOWN and there are no known active attacks. However, SPECTRE affects Intel, AMD and ARM chips. This means that every device, including your mobile phone, is vulnerable. Unlike MELTDOWN, it is impossible to provide a blanket fix for SPECTRE. It is impossible to fix vulnerabilities until concrete exploits are discovered. SPECTRE affects every processor produced after 2011 (and possibly earlier). Hardware is much more difficult to replace than software. SPECTRE will be around for a while.

Mitigation

First and foremost: You should make sure your Operating System is up to date:

  • If you use Windows 10, there is an update available via Windows Update. Microsoft will include the patch for Windows 7 and 8 in next Tuesday’s update patch. However, you should update immediately: Windows 7, Windows 8.1
  • If you use iOS, make sure you have updated to version 11.2 or higher.

Nowadays, most devices update automatically. Make sure you have ample free disk space and shut down your laptop every now and then. Hibernating your laptop by closing the screen will prevent some updates from installing.
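On a Linux machine you can check whether the installed kernel actually reports mitigations for both attacks. The script below is an added example, not part of the original article; it assumes a kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities (introduced with Linux 4.15), and the SAMPLE values are constructed for illustration.

```python
from pathlib import Path

# Assumption: Linux 4.15+ exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base=SYSFS_DIR, names=CHECKS):
    """Return {name: raw status}; None when the file is missing or unreadable."""
    result = {}
    for name in names:
        try:
            result[name] = (Path(base) / name).read_text().strip()
        except OSError:
            result[name] = None  # kernel predates the interface, or not Linux
    return result


def assess(statuses):
    """Return (verdict per issue, sorted list of issues needing attention)."""
    verdicts = {n: "unknown" if s is None else classify(s)
                for n, s in statuses.items()}
    needs = sorted(n for n, v in verdicts.items()
                   if v in ("vulnerable", "unknown"))
    return verdicts, needs


# Constructed sample: a machine patched for MELTDOWN but not fully for SPECTRE.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    live = read_status()
    statuses = live if any(live.values()) else SAMPLE  # fall back off Linux
    verdicts, needs = assess(statuses)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict:13} {statuses[name]}")
    print("needs attention:", ", ".join(needs) or "none")
```

A missing status file is treated as needing attention, because a kernel without this interface is older than the release that introduced it.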

Always use Two Factor Authentication (2FA) when it is available. Even if an attacker manages to steal your password, they still do not have access to your mobile phone or 2FA token. Clocktimizer supports Two Factor Authentication. If you haven’t enabled it yet, you should do so now.

Conclusion

MELTDOWN and SPECTRE show that absolute security does not exist. Fortunately, there is much you can do to mitigate the impact of these and other vulnerabilities. Remember to keep your software up to date, always use two-factor authentication and eat enough vegetables. You will live to enjoy the internet for another day.