Meltdown, Spectre Repeat Hard Security Lessons
SAN JOSE, Calif. — Vendors are still issuing patches and starting to think about optimizations for them after last week’s disclosure of one of the largest security flaws ever to hit microprocessors. Meltdown and Spectre provided the latest painful lesson about the nature of what’s known in the security world as common vulnerabilities and exposures (CVEs).
The U.S. maintains what aims to be an authoritative list of CVEs. As of this writing it included a whopping 94,971 entries.
Vendors typically assign teams to keep up with the flow of new hacks and patches for them. But few are as broad as Meltdown and Spectre that effect microprocessors that support speculative execution. The technique is used widely in high-end chips shipped over the last several years from companies including AMD, ARM, Apple, IBM, Intel, Oracle and others.
Reuters reported about 5 percent of the 120 billion chips ARM has shipped to date may be affected by Spectre, but fewer would be susceptible to Meltdown. Intel and AMD have not disclosed how many of their chips are affected, but AMD said its chips are not affected by Meltdown.
The flaw Google researchers found last summer involved a way sophisticated hackers with intimate access to a system could use speculative execution to access data in cache — including encryption keys.
There’s nothing intrinsically wrong with speculative execution, a crucial technique for microprocessor performance. So, chip vendors are issuing patches for the cache-data leak and will close the hole in future CPUs, said Linley Gwennap, principal of the Linley Group.
Gwennap praised vendors for collaborating on an effort in which many have issued most of the patches their products need. Thankfully, there are no reports of anyone using the vulnerabilities maliciously to date.
However, not all affected products have patches yet, and existing patches in some cases are creating performance issues.
To date, AMD, Apple, ARM, Google, IBM, Intel and Microsoft are among vendors who have released details about their patches. So far, Cavium, Oracle and Qualcomm are among those who have not issued specific statements about Meltdown/Spectre.
Nvidia is a special case. GPUs do not use speculative execution, said Jon Peddie, principal of Jon Peddie Research. However, Nvidia issued patches for its ARM-based chips and for its GPU drivers that run on host CPUs.
Initially vendors said the patches would have minimal impact, typically below a 5 percent performance hit. Red Hat found 8-19 percent performance degradations on applications with “highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions.”
That’s significant given the wide use of such apps. Such reports have IT managers and large data center operators concerned. Part of the solution will come in optimized versions of the patches, something Red Hat said it is working on.
Gondalf 1/11/2018 10:01:02 AM
CEO
realjjj 1/11/2018 2:03:29 AM
First CERT edits out their recommendation to replace the hardware after being "ïn contact" with Intel and now ... would love to know if the analysts and the press have been chatting with Intel about the right way to fix this. What would you do if you couldn't fix this for quite some years, maybe try to convince everybody that there is no need for a fix?
Such articles enable and encourage bad behavior. Would be great if you could remember what/who inspired this article and the line of thinking it promotes. Removing speculative execution as a fix is as absurd as trying to cure the flu with a shotgun, so who came up with that argument, who claimed that the fix must be software because you can't just remove speculative execution? Whoever planted that idea, is someone you can't trust.