Nearly a week on from the news of the Meltdown and Spectre vulnerabilities in many of the world’s CPUs, what have we learned? And what will be the performance hit as a result?
2018 started with a bang when news broke that pretty much every CPU on the planet suffers from one or more security problems. These have been named Meltdown (exclusively affects Intel CPUs) and Spectre (which hits Intel, AMD and ARM).
The news was broken by UK IT news site The Register at an unfortunate time in the sense that a fix for Meltdown was in the works but had not yet been released. The result was a great deal of speculation and a certain amount of mixing of facts. Intel was clearly caught on the hop by The Register and initially responded slowly but then released more information on a daily basis.
We now have a fairly clear idea about the duration and scale of these two problems, and the fact of the matter is that things do not look pretty, although there is some light at the end of the tunnel.
At some point in 2017 (they are being deliberately vague) Google’s Project Zero and other researchers discovered two separate flaws with the way modern CPUs work. The first, Meltdown is an Intel problem. A Blackhat can run a piece of Java malware in your browser that can read data that is held within the protected kernel memory of the CPU. In other words protected data is actually accessible to software that is running on the PC, workstation, server or laptop. This is not supposed to happen and means that malicious software can read the memory and hijack information such as passwords. There is no suggestion that a hacker can alter information but instead the problem is they might be able to read things that should remain secret.
Intel’s statements make it clear this fault dates back to Sandy Bridge which launched in 2011 as Core i7-2xxx and that this problem includes every Intel CPU since then, with the exception of 64-bit Itanium server chips and a tiny number of Atoms. The answer to Meltdown is to patch the Operating System (Windows, Linus and Mac OS) to change the addressing for kernel memory.
With hindsight we now realise that back in November the Linux people started working on updates for systems powered by Intel CPUs and those patches were rolled out over Christmas. Microsoft was due to release a Windows Update to fix the problem on Patch Tuesday next week which, ironically, is the opening day of CES in Las Vegas. Intel had been playing things cautiously as they did not wish the discuss the problem until it had been fixed by Microsoft, however that plan was ruined by the early-breaking news.
The patch for Meltdown will doubtless be followed up by micro code updates from Intel in the form of BIOS updates from motherboard manufacturers.
Spectre is altogether more serious as it affects AMD, ARM and Intel and exploits Speculative Branch Prediction (hence the SPEC part of the name). Speculation allows a CPU to think ahead and work on data that may or may not come down the pipeline at some point. It is related to Out Of Order Processing and dates back to 1995 which broadly speaking means every CPU on the planet. Spectre has three separate avenues of attack and only one of these affects AMD. It seems that Spectre requires an attacker to get up close and personal with your computer where Meltdown can run from anywhere on the network i.e. globally.
The problem with Spectre is that there appears to be no fix as Speculation is inherent to modern CPU design.
The other problem with both Meltdown and Spectre is that if some Blackhat steals your data there is very little chance you will be any the wiser.
Takeways and performance
What’s the takeaway? We are all affected, and probably on multiple devices. Microsoft, Apple and other manufacturers will be rolling out security updates that will alleviate the problem but it seems unlikely they can fix everything. My personal thought is that the best move is to keep potential attackers off your network in the first place. Double check encryption is enabled, be wary about unwanted visitors to your network and ratchet up the paranoia one click further.
As to the performance hits, it seems unlikely the Meltdown update will have much impact on desktop users such as gamers as in basic game benchmarks so far it looks like the differences can be swallowed up by margin for error. However, any heavy input-output usage might be a different story. It’s too early to draw any firm and fast conclusions, but it looks like some particular systems that run virtual machines may suffer a hefty performance hit as they ensure the software on each machine can only access the memory it is allowed to access. All of which means there is the chance that cloud-based software will take a hit as the data has to flow in and out of your PC or laptop.
Watch this space.