Is James Bond more sinister than we thought? Insight on Spectre and Meltdown


It certainly seems to be an amusing coincidence that a widespread processor vulnerability affecting nearly every computer chip manufactured in the last 20 years gains its headline name from the latest James Bond blockbuster. After all, Spectre does sound far more dramatic than something like CVE-2017-5753. Perhaps Meltdown will be launched in a cinema near you soon? But joking aside, the current situation that is plaguing not just Intel processors, but also AMD and ARM, is gravely concerning for us all. Colin Bodley, senior software engineer at Infomill, gives us his thoughts on the matter and an insight into the relevance for field service systems.

What’s so special about Spectre and Meltdown – we’ve had vulnerability alerts before?

Heartbleed, Shellshock and Eternal Blue will most likely be names in your recent memory. But the difference with Spectre and Meltdown is their potential to affect literally billions of processors worldwide.

Most vulnerabilities affect specific software or certain operating systems. In the case of Spectre and Meltdown, the weakness is in the processor chip itself. We have a situation whereby assumptions that underlie the security measures built into all of computer programming have turned out to be false.

The flaws, uncovered in late 2017 and reported in the first days of 2018, are fundamental and lie in features built into chips to make them run faster. It’s worth noting that these flaws have not been exploited yet – but they could be – and the impact would be severe and widespread; some say catastrophic.

Warning! A bit of tech talk follows…

To get your head around this issue, it’s helpful to understand what speculative execution, caching and protected memory mean in terms of computing. So, here’s a quick refresher for you.

  • Speculative execution is a technique used in chips to speed up performance. It allows the processor to predict what will be needed next and start carrying out those actions in parallel, in order to deliver your data faster.
  • Caching is a technique used to speed up memory access; again, working to provide the fastest possible service to the user.
  • Protected memory is a key concept in computer security and works to keep some critical data inaccessible to certain users. Data can only be accessed once privilege checks have been completed and permission has been granted. But this is a time-consuming process and competes with the need for speed, where processors are concerned.

What does all this terminology mean?

The reported vulnerability concerns how these three mechanisms work together, when they are in fact rather at odds with each other. Given the length of time a privilege check takes, speculative execution speeds things along by allowing the CPU to work on the protected data before permission has actually been given and to store it temporarily in the cache. This might include passwords and other highly valuable information. In theory, the data is still secure at this stage. If permission is not granted, the data is discarded. But in practice, the discarded work can leave traces in the cache, and a program that measures how quickly memory responds can use them to infer the protected data. This method of operating therefore opens up a fundamental security issue, right at the heart of our processors.

Am I at risk?

Almost certainly. Meltdown is thought to affect nearly every Intel processor since 1995 and these can be found in desktop computers and servers. To make matters worse, Spectre affects virtually all modern processors, including those within smartphones and tablets.

Is there going to be a processor recall by Intel?

There have been many rumours suggesting that Intel might need to recall some of its processors, but this is not going to happen in our opinion. You’d think it might be like cars when something goes wrong – millions recalled to put the fault right at huge cost to the manufacturer. Not so in the IT world. Intel is not going to supply you with a new PC just yet and you can imagine the incredible complexities of even recalling and replacing the processors that are sitting in the supply chain right now.

What should I do?

It’s clearly not practical or sensible to throw all of your computers and devices into the bin and start again – plus the problem exists for all new processors that currently sit within the supply chain, whether sitting on the shelf of a retailer or within the manufacturing process for a server, network or bespoke system.

Microsoft, Google and Apple have responded promptly by releasing patches for their operating systems. If you have automatic updates active, these should be downloaded to your devices upon release. It’s worth noting that manufacturers of some cheaper Android smartphones and tablets have yet to act. Updating any firmware and your anti-virus software would be a wise security move and it’s always sensible to avoid running email attachments too.
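One way to confirm that operating-system patches of the kind described above are actually in effect on a Linux machine, as an added example that is not part of the original article: patched Linux kernels report their own mitigation status in files under `/sys/devices/system/cpu/vulnerabilities`. The function names and the sample directory contents below are constructed for illustration.

```python
import os
import tempfile

# Patched Linux kernels report per-issue status in this directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Status file names the kernel uses for Meltdown and the two Spectre variants.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text):
    """Map one kernel status line to a coarse state."""
    line = text.strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if line.startswith(prefix):
            return state
    return "unknown"


def check(directory=SYSFS_DIR, issues=ISSUES):
    """Return {issue: (state, raw_line)} for each status file.

    A missing file means the running kernel predates the reporting
    interface, so the machine is treated as needing an update.
    """
    report = {}
    for name in issues:
        try:
            with open(os.path.join(directory, name), errors="replace") as fh:
                raw = fh.read().strip()
            report[name] = (classify(raw), raw)
        except OSError:
            report[name] = ("unreported", "")
    return report


def needs_action(report):
    """Issues that are neither mitigated nor reported as not affecting this CPU."""
    ok = ("mitigated", "not_affected")
    return sorted(n for n, (state, _) in report.items() if state not in ok)


def demo():
    """Run the check on a constructed directory so it works on any OS."""
    samples = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return check(tmp)


if __name__ == "__main__":
    report = check() if os.path.isdir(SYSFS_DIR) else demo()
    for name, (state, raw) in sorted(report.items()):
        print(f"{name:12} {state:12} {raw}")
    print("needs action:", needs_action(report))
```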

Nothing to worry about then?

Whilst patches have to be a good thing, they might affect the performance of your computer in terms of speed, as the patch switches off those features that were racing to get your data ready for you. Initial reports suggested slow-downs of 30% but in reality, it’s most likely to be 5-10%. At Infomill, we’ve already noticed a slow-down of our cloud servers as a result of patches.

Of course, in exceptional circumstances where data security is highly critical, you might consider planning to replace some computers or servers with new generation processors that are sure to be developed once Intel and other manufacturers have worked out how to produce them without the aforementioned flaws. But surely these new processors might have to take a hit on speed if they can no longer utilise the predictive features that allow them to race ahead? A further challenge for the IT industry to overcome.

Should I be concerned about the security or performance of my field service system?

It’s important to remain vigilant and well-informed when a vulnerability such as this presents itself. Prioritising the download of patches and updates should help to ensure that your systems continue to run as you wish. Regular back-ups would also be wise. With regard to our data management systems, we remain entirely up to date on the latest situation and will continue to act promptly and advise our customers as fully as we can.

So, thanks to Colin, we hope that you’re more informed about the situation around Spectre and Meltdown now. Whilst most of the patches are effectively addressing Meltdown, Spectre is a longer-term concern and you can rest assured that the worldwide IT industry is using all of its expertise to investigate and further address this weakness. Just like the last James Bond film then, Spectre is here to haunt us for a while longer and who knows what fearsome blockbuster will come along next.