![]() ![]() Until yesterday, information on Meltdown and Spectre was not intended to be published until Tuesday, January 9 th, which would have been the first Patch Tuesday of the year. We now know that the Meltdown and Spectre attacks were discovered last summer, and since then vendors and security researchers have been coordinating their response in order to better understand the ramifications of the exploits and to ensure everyone had time to develop the necessary fixes and guidance. #SPECTRE MELTDOWN SOFTWARE#The way that the news about Meltdown and Spectre have been released was unplanned, and as a result researchers, hardware vendors, software vendors, and the public at large have been trying to catch up on everything that is going on. An Early Release Leads To An Incomplete Picture However the scale of the problem – virtually all computers and mobile devices currently in use – means that it will take quite a bit of effort to mitigate. ![]() The good news is that it looks like the worst of these attacks can be mitigated in a combination of software and CPU microcode updates. And because the root causes are based in hardware architecture rather than software, these are not as easily fixed as software bugs. #SPECTRE MELTDOWN PC#Spectre requires more setup work to coerce a target application to leak information, but the fundamental nature of the risk means that Spectre is currently considered harder to mitigate, and in general is not as well understood.īetween Meltdown and Spectre, the end result is that prior to patching and mitigation efforts, virtually every PC and every mobile device is thought to be vulnerable to these attacks. What makes Spectre different however is that it’s a less-straightforward but much more insidious attack whereas Meltdown is based on abusing specific implementations of speculative execution, Spectre can be thought of as a (previously unknown) fundamental risk of speculative execution, one that can now be weaponized. Like Meltdown, a Spectre attack abuses speculative execution in order to glean information that should be restricted. Essentially every high-performance processor ever made – Intel, AMD, ARM, and POWER – is thought to be vulnerable here. Meanwhile a second class of attacks is being called Spectre, and the number of processors at risk for exploitation is even wider. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, or other virtual machines. #SPECTRE MELTDOWN CODE#With Meltdown it is possible for malicious code to abuse Intel and ARM’s speculative execution implementations to get the processor to leak information from other processes – particularly the all-knowing operating system kernel. The immediate concern is an exploit being called Meltdown, which primarily affects Intel’s CPUs, but also has been confirmed to affect some ARM CPU designs as well. As a result, essentially every last high-performance CPU on the market or that has been produced in the last couple of decades is vulnerable to one or more of a few different exploit scenarios. Speculative execution is one of the cornerstones of high-performance execution on modern CPUs, and is found in essentially all CPU designs more performant than an embedded microcontroller. Security researchers working for Google’s Project Zero group, along with other research groups and academic institutions, have discovered a series of far-ranging security risks involving speculative execution. But I’m getting ahead of myself, so let’s start at the beginning. Suffice it to say, it’s the kind of week we haven’t seen for a long time in the technology industry. ![]() Because for the last 24 hours or so, it feels like I’ve been on the verge of one just trying to keep up with all of the new information that has come out on this and the also aptly named Spectre exploit. It seems only fitting that one of the two hardware based exploits to rock the CPU world this week was named Meltdown. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |