Think Intel ME was big? Meet Intel’s new flaws: Meltdown and Spectre

Meltdown and Spectre with some ominous figure

It isn’t often that a company as big as Intel is plagued by two different scandals in such a short time. In 2017 the chip giant received a devastating blow when researchers found that Intel ME contained a full-fledged operating system: MINIX. That discovery was dreadful enough, but this time two new security vulnerabilities were discovered: Meltdown and Spectre. Both are top-class threats, and what’s worse is that they sit at the hardware level. Could anything be worse? Yes: most Intel CPUs, dating back as far as 1995 and up to the present, are affected.

Update: Speculative Store Bypass on the rise

cyber bug strikes again

A new vulnerability known as Speculative Store Bypass, based on Spectre, was disclosed in May 2018. Learn more.

A state-of-the-art hardware “bug” in three minutes

The excellent video from Red Hat is dead simple and makes it clear: CPUs try to predict (speculate) what will happen next. If the prediction turns out to be wrong they discard the result, but traces of the speculated work are left behind in an unsecured area (shared CPU state such as the cache) that any unprivileged program can probe. Maybe that’s not too scary on its own, so here’s a live example (video) to make things even more straightforward:

Pretty scary, right? Imagine that being the password of your bank account; enough to make you shiver, right? Worst of all, you wouldn’t even notice. Now that you understand the consequences of the vulnerabilities, it’s time to look at the causes and the solutions.

Everyone is (probably) affected

The bad news here is that the two vulnerabilities (Meltdown and Spectre) are caused by a hardware design flaw. It is speculated that most Intel CPUs from 1995 to the present are affected; in the meantime Intel has released a list of affected CPUs. This means not only your five-year-old laptop is affected, but also the newest cloud server sitting in a data center hosting your VPS. Meltdown and Spectre are essentially the worst hardware bugs (vulnerabilities) ever discovered.

The more aggressive vulnerability, Meltdown, is readily exploitable and more dangerous than the second one, Spectre. The former mostly affects Intel CPUs, with some ARM CPUs also affected. The latter, Spectre, affects virtually all three major CPU families (Intel, AMD, ARM). Both vulnerabilities have been assigned CVEs:

Since the Spectre whitepaper describes a whole class of possible exploitation techniques, it has been assigned two CVEs, one per variant of the attack. What’s more daunting is that an operating-system-level fix is needed to mitigate these vulnerabilities.

Intel’s statement

Intel Headquarters

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

Intel has confirmed that both Meltdown and Spectre affect its CPUs. Intel is probably the company that has been hit the hardest, and it responded with an announcement and a detailed whitepaper. Intel has also released a list of the Intel CPU families affected.

AMD’s statement

AMD headquarters

At the moment it is unclear whether AMD processors are also affected. For Meltdown, AMD claims “Zero AMD vulnerability due to AMD architecture differences.” AMD also addressed Spectre, saying that for variant one there is “negligible performance impact expected” after the patch, and that there is “near zero risk of exploitation of this variant” for variant two.

ARM’s statement

Cambridge ARM Building

ARM (SoftBank) was probably the most diligent of the three big companies. Not only did ARM release an announcement and a whitepaper (download), but it also introduced a new instruction that provides developers with a speculation barrier. The whitepaper also contains example code.

Patching hardware with software will take its toll

The perfect solution would be to redesign CPUs, but you can’t change existing ones without replacing them. Since Intel is not replacing your CPU, something else had to happen. The principal solution developed so far is to patch operating systems, antivirus software and browsers in order to mitigate the two hardware vulnerabilities. Is a patch all that is needed? Will that be the end of it? Sort of.

Although the patches to mitigate these issues have been coordinated in a joint effort by the major players, the consequences of those patches may be terrible. Just as some medicines have side effects, the Meltdown and Spectre patches will take their toll on operating systems. According to early benchmarks the performance dip could be as bad as a 30% loss, depending on the workload.

Windows, Azure, Meltdown and Antivirus software

Microsoft Headquarters

Microsoft has already released a patch (KB4056892), but your antivirus must be updated before you can install it, otherwise you might experience a BSoD after rebooting. Although Microsoft has been actively working with antivirus vendors, if you can’t see the update installed, or can’t see the update at all, it’s probably because your antivirus is not yet compatible. It is worth noting that old, end-of-life operating systems such as Windows XP won’t receive the update. Microsoft also promptly patched its Azure machines.

Apple’s response

Apple Campus

Apple took a bit longer than the others to respond publicly to the issue, although patches for its latest operating systems had already been released in December 2017. It seems, however, that only macOS 10.13 High Sierra contains the fix for Meltdown as of the time of writing.

Google’s announcements (Android, Chrome, Chromebooks and GCP)

Google Headquarters

Google has promptly published a product status page, where you can look at the whole range of products offered by Google and their individual responses to the vulnerabilities. In addition, here’s the entry from the Google Security Blog.

Android published a security bulletin containing the fixes; as always, other manufacturers will have to integrate the fixes and distribute them to their users, a process known to be quite slow.

Google Chrome has been patched and has a dedicated page regarding the vulnerabilities.

The Google Cloud infrastructure has been patched; nevertheless, customers are advised to update their machines’ operating systems. A security bulletin has also been issued.

Amazon Web Services

Amazon Web Services logo

Amazon promptly patched its cloud infrastructure. You can find more details here; no further steps are required from end users.

VMware

VMware building

VMware issued patches for its ESXi hypervisor; however, ESXi 5.5 remains vulnerable to CVE-2017-5753 (Spectre). Take a look at the security advisory to stay up to date.

Linux’s take

Tux: Linux mascot

Linus Torvalds, the creator of Linux, has been, as usual, very blunt:

A *competent* CPU engineer would fix this by making sure speculation
doesn’t happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.

I think somebody inside of Intel needs to really take a long hard look
at their CPU’s, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed. [text cut]

Please talk to management. Because I really see exactly two possibilities:

– Intel never intends to fix anything

OR

– these workarounds should have a way to disable them.

Which of the two is it?

Patches for Linux have already been merged, and you can read about the current situation on the blog of Greg Kroah-Hartman, one of the most prominent kernel developers. Whether your distribution has received the patch is a different matter. Here is a list of some distributions and their respective statements:

For your distribution, please refer to your own distribution resources such as advisories, wikis or forums.
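Rather than inferring the state of your machine from distribution announcements, you can ask the running kernel directly. The following POSIX shell script is an added example, not code from this article or from any of the vendors it cites. It assumes the sysfs interface that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities (one file per issue, each holding a single line such as "Mitigation: PTI", "Vulnerable" or "Not affected"); the file name check_mitigations.sh used by the live-run guard and the VULN_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: ask the running Linux kernel
# which Meltdown/Spectre mitigations it applies. Kernels from 4.15 onward
# expose one file per issue under the directory below; each holds a single
# line such as "Mitigation: PTI", "Vulnerable" or "Not affected".

# VULN_DIR can be overridden (assumed convention) to point the check at a
# copy of the directory taken from another machine.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# report_mitigations DIR
#   Prints "<issue>: <status>" for every file in DIR, flagging unmitigated ones.
#   Exit status: 0 = nothing reported as Vulnerable,
#                1 = at least one issue still reported as Vulnerable,
#                2 = DIR missing (kernel predates the sysfs interface).
report_mitigations() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel too old to report mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) rc=1; flag=" <-- unmitigated" ;;
            *)           flag="" ;;
        esac
        printf '%s: %s%s\n' "$(basename "$f")" "$status" "$flag"
    done
    return $rc
}

# Live run only when executed as check_mitigations.sh (assumed file name);
# sourcing the file just defines the function for reuse in other scripts.
case $0 in
    *check_mitigations.sh) report_mitigations "$VULN_DIR"; exit $? ;;
esac
```

Run it as `sh check_mitigations.sh` after rebooting into the patched kernel: a non-zero exit status of 1 means at least one issue is still reported as Vulnerable (for example spectre_v2 before microcode or a retpoline-built kernel is in place), which makes the script usable as a gate in provisioning or compliance checks, and 2 means the kernel is too old to report anything, so the status has to be established from the distribution's advisory instead.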

X86: Is this the end of an era?

computer internals

As you’ve seen throughout the article, these vulnerabilities are quite nasty and difficult to patch. Even with patches in place, according to some these issues will continue to haunt us for years. The name Spectre comes from exactly this idea: it will haunt.

Intel has declared that future chip designs will mitigate these issues, but all current CPUs remain flawed. But is there an alternative to the path that led us to this situation? The answer sparks renewed interest in a philosophy that aims to do for hardware what Open Source has done for software: Open Hardware (also called Open Source Hardware).

Here more than ever, the need for clarity and cooperation has highlighted the flaws of a proprietary system. The Open Source Hardware movement aims to bring fresh air to the chip world by doing exactly what the name implies: open sourcing hardware. Although you will not find open source hardware in your machines soon, projects like RISC-V and the Raspberry Pi (albeit not entirely Open Hardware) are out there, continuing their evolution. The Open Source Hardware Association is one example of an association born to foster the movement. Although most chips to date are developed on a proprietary basis, the future may look more open than we might have imagined.

The aftermath: Intel faces new Class Actions

security permissions

“And they all lived happily ever after” is not the end of our story. The joint effort of all the major players in the field allowed these two nasty vulnerabilities to be mitigated, but the whole chip industry, indeed the whole computing world, came close to the abyss. Had an exploit been developed before this effort, the whole industry, Intel first among them, would have been doomed for quite a while.

You could say this is indeed a happy ending. To tell the truth, we only avoided the “worst ending”, but Intel still sold flawed chips for nearly two decades, and it doesn’t seem they’re actually committed to repairing the damage, just patching it. As Linus would put it, “Intel never intends to fix anything”. That is also why, in these hours, new Class Actions are being filed against Intel.

To make matters worse, Intel’s CEO reportedly sold Intel shares after the company had been informed of the two vulnerabilities by Google Project Zero in 2017, although the exact date is not yet known.

Images courtesy of mark | marksei, Red Hat, Intel, Raysonho, Cmglee, Robert Scoble and Perspecsys Photos