Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Think Intel ME was big? Meet Intel’s new flaws: Meltdown and Spectre
It isn’t often that a company as big as Intel is plagued by two different scandals in such a short time. In 2017 the chip giant received a devastating blow when researchers found that Intel ME contained a full-fledged operating system: MINIX. That discovery was dreadful enough, but this time two new security vulnerabilities have been discovered: Meltdown and Spectre. Both vulnerabilities are top-class threats, and what’s worse is that they exist at the hardware level. Could anything be worse? Yes: most Intel CPUs from as far back as 1995 up to the present are affected.
Update: Speculative Store Bypass on the rise
A state-of-the-art hardware “bug” in three minutes
The excellent video from Red Hat is dead simple and makes it clear: CPUs try to predict (speculate) what will happen next. If the guess is wrong they throw the result away, but the speculative work leaves traces in an unprotected area (the cache) that any unprivileged program can probe. Maybe that’s not too scary, but here’s a live example to make things even more straightforward:
— Michael Schwarz (@misc0110) January 4, 2018
Pretty scary, right? Imagine that being the password to your bank account; enough to make you shiver, right? And worst of all, you wouldn’t even notice. Now that you understand the consequences of the vulnerabilities, it’s time to look at the causes and the solutions.
- The Register – Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
- The Register – Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs
Everyone is (probably) affected
The bad news here is that the two vulnerabilities (Meltdown and Spectre) are caused by a hardware design flaw. It is speculated that most Intel CPUs from 1995 to date are affected; in the meantime Intel has released a list of affected CPUs. This means not only your five-year-old laptop is affected, but also the newest cloud server sitting in a data center hosting your VPS. Meltdown and Spectre are essentially the worst hardware bugs (vulnerabilities) ever discovered.
The more aggressive vulnerability, Meltdown, is readily exploitable and more dangerous than the second one, Spectre. The former mostly affects Intel CPUs, with some ARM CPUs also affected. The latter, Spectre, affects virtually all of the three most important CPU families (Intel, AMD, ARM). Both vulnerabilities have been assigned CVEs:
Since the Spectre whitepaper describes a whole class of possible exploits, it has been assigned two CVEs, depending on the variant of the attack used. What’s more daunting is that an operating-system-level fix is needed to mitigate these vulnerabilities.
Intel has confirmed that both Meltdown and Spectre affect its CPUs. Intel is probably the company hit the hardest, and it responded with an announcement and a detailed whitepaper. Intel has also released a list of affected Intel CPU families.
For AMD it is unclear at the moment whether its processors are also affected. In particular, AMD claims “Zero AMD vulnerability due to AMD architecture differences.” for Meltdown. AMD also addressed Spectre, saying that variant one has “negligible performance impact expected” after the patch, and that there is a “near zero risk of exploitation of this variant” for variant two.
ARM (SoftBank) was probably the most diligent of the three big companies. Not only did ARM release an announcement and a whitepaper (download), but it also introduced a new instruction that provides developers with a speculation barrier. The whitepaper also contains example code.
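As an added example (not code from the ARM whitepaper or from Intel), here is the portable, branchless form of the same defence: the bounds check stays, and the index is additionally clamped with a mask so that even a mispredicted path cannot read past the array. The mask construction is the generic C fallback Linux uses for its `array_index_nospec()` helper (ARM’s new barrier and x86’s `lfence` fill the same slot in assembly); the sample array and function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Branchless mask: all ones when index < size, zero otherwise.
 * Same construction as the generic array_index_mask_nospec() fallback in
 * Linux's include/linux/nospec.h; both arguments must be below LONG_MAX.
 * Relies on arithmetic right shift of a negative long (gcc/clang). */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Spectre variant 1 pattern: the bounds check is correct architecturally,
 * but the CPU may speculate past it with an out-of-range index. */
unsigned char read_unmitigated(const unsigned char *arr, size_t size, size_t index)
{
    if (index < size)
        return arr[index];   /* may run speculatively with index >= size */
    return 0;
}

/* Hardened form: inside the check, the index is forced to 0 whenever it is
 * out of range, without a branch, so a mispredicted path stays in bounds. */
unsigned char read_mitigated(const unsigned char *arr, size_t size, size_t index)
{
    if (index < size) {
        index &= index_mask_nospec(index, size);
        return arr[index];
    }
    return 0;
}

/* Constructed sample data for a stand-alone run (hypothetical values). */
static const unsigned char sample[4] = { 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    printf("mask(2,4)=%lx mask(9,4)=%lx\n",
           index_mask_nospec(2, 4), index_mask_nospec(9, 4));
    printf("mitigated[1]=%02x\n", read_mitigated(sample, sizeof sample, 1));
    return 0;
}
```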
- ArsTechnica – Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it
- The Register – Amazon: Intel Meltdown patch will slow down your AWS EC2 server
- ZDNet – How the Meltdown and Spectre security holes fixes will affect you
Patching hardware with software will take its toll
The perfect solution would be to redesign CPUs, but you can’t change existing ones without replacing them. Since Intel is not replacing your CPU, something else had to happen. The principal solution developed so far is to patch operating systems, antivirus software and browsers in order to mitigate the two hardware vulnerabilities. Is a patch all that is needed? Will that be the end of it? Sort of.
PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://t.co/N9gSvML2Fo
Best case: 17% slowdown
Worst case: 23%
— The Register (@TheRegister) January 2, 2018
Although the patches to mitigate these issues have been coordinated in a joint effort by the major players, the consequences of said patches may be severe. Just as some medicines have side effects, the Meltdown and Spectre patches will take their toll on operating systems. According to early benchmarks the performance dip could be as bad as a 30% loss, depending on the workload.
- The Verge – Google says CPU patches cause ‘negligible impact on performance’ with new technique
- The Register – It gets worse: Microsoft’s Spectre-fixer bricks some AMD PCs
Windows, Azure, Meltdown and Antivirus software
Microsoft has already released a patch (KB4056892), but your antivirus must be updated before you can install it; otherwise you might experience a BSoD after rebooting. Although Microsoft has been actively working with antivirus vendors, if you can’t see the update installed, or can’t see the update at all, it is probably because your antivirus is not yet compatible. It is worth noting that old, end-of-life operating systems such as Windows XP won’t receive the update. Microsoft also promptly patched its Azure machines.
- The Verge – Microsoft issues emergency Windows update for processor security bugs
- The Register – Microsoft patches Windows to cool off Intel’s Meltdown – wait, antivirus? Slow your roll
- ZDNet – Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch
- The Verge – Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs
Apple took a bit longer than the others to respond to the issue. Meanwhile, the patches for its latest operating systems were released in December 2017. It seems, however, that only macOS 10.13 High Sierra contains the fix for Meltdown as of the time of writing.
Google’s announcements (Android, Chrome, Chromebooks and GCP)
Google promptly published a product status page, where you can take a look at the whole range of products offered by Google and their individual responses to the vulnerabilities. In addition, here’s the entry from the Google security blog.
Android published a security bulletin containing the fixes; as always, other manufacturers will have to implement the fixes and distribute them to their users, a process known to be quite slow.
Google Chrome has been patched and has a dedicated page regarding the vulnerabilities.
The Google Cloud infrastructure has been patched; nevertheless, customers are advised to update their machines’ operating systems. A security bulletin has also been issued.
Amazon Web Services
Amazon promptly patched its cloud infrastructure. You can find more details here; no further steps are required by end users.
Linus Torvalds, the creator of Linux, has been, as usual, very blunt:
A *competent* CPU engineer would fix this by making sure speculation
doesn’t happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.
I think somebody inside of Intel needs to really take a long hard look
at their CPUs, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed. [text cut]
Please talk to management. Because I really see exactly two possibilities:
– Intel never intends to fix anything
– these workarounds should have a way to disable them.
Which of the two is it?
Patches for Linux have already been merged, and you can read about the current situation on the blog of Greg Kroah-Hartman, one of the most prominent kernel developers. Whether your distribution has received the patch is a different matter. Here is a list of some distributions and their respective statements:
- Red Hat status page. Red Hat also published a detailed report describing performance impact.
- SUSE status page.
- Ubuntu status page.
- Debian Security Advisory.
For any other distribution, please refer to your distribution’s own resources such as advisories, wikis or forums.
- ZDNet – How Linux is dealing with Meltdown and Spectre
- ZDNet – Major Linux redesign in the works to deal with Intel security flaw
x86: Is this the end of an era?
As you’ve seen throughout the article, these vulnerabilities are quite nasty and difficult to patch. Even with patches in place, according to some these issues will continue to haunt us for years. Spectre’s name comes from exactly this concept: it will haunt us.
Intel has declared that future chip designs will mitigate these issues, but all current CPUs remain flawed. But is there an alternative to the path that led us to this situation? The answer sparks renewed interest in a philosophy that aims to do for hardware what Open Source has done for software: Open Hardware (also called Open Source Hardware).
Here more than ever, the need for clarity and cooperation has highlighted the flaws of a proprietary system. The Open Source Hardware movement aims to bring fresh air to the chip world by doing exactly what the name implies: open sourcing hardware. Although you will not find open source hardware in your machines soon, projects like RISC-V and the Raspberry Pi (albeit not entirely Open Hardware) are out there and continuing to evolve. The Open Source Hardware Association is one example of an association founded to foster the movement. Although most chips to date have been developed on a proprietary basis, the future may look more open than we might have imagined.
- ZDNet – Why Intel x86 must die: Our cloud-centric future depends on open source chips
- Wired – Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
The aftermath: Intel faces new Class Actions
“And they all lived happily ever after” is not the end of our story. The joint effort of all the major players in the field allowed these two nasty vulnerabilities to be mitigated, but the whole chip world, and the computing world with it, came close to the abyss. Had an exploit been developed before this effort, the whole industry, Intel at the top, would have been doomed for quite a while.
You could say this is indeed a happy ending. To tell the truth, we only avoided the “worst ending”, but Intel still sold flawed chips for nearly two decades, and it doesn’t seem they are actually committed to repairing the damage, just patching it. As Linus would put it, “Intel never intends to fix anything”. That is also why, in these hours, new class actions are being filed against Intel.
To make matters worse, Intel’s CEO reportedly sold Intel shares after the company had been informed of the two vulnerabilities by Google Project Zero in 2017, although the exact date is not yet known.
- ArsTechnica – Intel faces class action lawsuits regarding Meltdown and Spectre
- The Guardian – Intel facing class-action lawsuits over Meltdown and Spectre bugs
- CNBC – Intel’s CEO reportedly sold shares after the company already knew about massive security flaws