Network Security, Patch/Configuration Management, Vulnerability Management

Experts: Fixing Spectre and Meltdown has required ‘new computer science,’ extraordinary collaboration

A Google official on Thursday referred to the Spectre and Meltdown computer chip bugs as "the most challenging and hardest to fix in a decade," requiring unprecedented levels of cooperation -- a contention that gibes with the accounts of additional infosec experts keeping a close eye on patching efforts.

Ben Treynor Sloss, VP of engineering at ‎Google, explained in a Jan. 11 blog post that because the flaws reside within an integral computational feature that has existed for decades in billions of chips -- a process known as speculative execution -- the bugs were incredibly difficult to both find and fix. Yet the dangers were easy to identify, as attackers could exploit these vulnerabilities to steal sensitive information, by using one low-privilege application to read the memory of another, more secured application. Essentially, said Sloss, this was a whole "new class of attack."

Alex Ionescu, chief architect at CrowdStrike, asserted in a Jan. 11 company blog post that "brand new computer science had to be invented" in order to properly repair the side-channel vulnerabilities.

Indeed, months before Google's Project Zero team, alongside several groups of independent and academic researchers, collectively revealed the vulnerabilities on Jan. 3, hundreds of engineers were secretly working behind the scenes to mitigate them, reported Sloss. In a rare move, Google even waived its 90-day disclosure policy after its researcher Jann Horn uncovered the problem, as the Herculean effort required broad and time-consuming cross-industry collaboration, as well as complex changes to many layers of the software stack.

"The flaws violate central computer science isolation principles that laid the foundation for modern sandboxing that protects your applications from attack by a browser; multi-user computing that protects your documents from another user logged into the same server; and multi-tenancy that protects your entire virtual machine from another virtual machine on the same metal host," wrote Ionescu.

According to various industry reports, Spectre and Meltdown actually consist of three individual variants of the flaws -- two for Spectre (Variant 1, CVE-2017-5753, and Variant 2, CVE-2017-5715), and one for Meltdown (Variant 3, CVE-2017-5754).

A Jan. 11 Malwarebytes  blog post stated that there is technically a second Meltdown variant as well, although most accounts refer to only three flaws. "Variants 1 and 2 of Spectre impact Intel, IBM, ARM, and AMD CPUs," Malwarebytes reported. "Meltdown appears to be exclusive to Intel CPUs, and allows attackers to read privileged memory from an unprivileged context, still using the speculative execution feature. Its variant, 3a, is exploitable on a few ARM CPUs only."

While solutions for Spectre Variant 1 and Meltdown were deployed to the Google production infrastructure in September and October, Sloss reported that Variant 2 presented a formidable challenge.

"For several months, it appeared that disabling the vulnerable CPU features would be the only option for protecting all our workloads against Variant 2," wrote Sloss. "While that was certain to work, it would also disable key performance-boosting CPU features, thus slowing down applications considerably," as well as resulting in inconsistent performance.

Google software engineer Paul Turner solved this conundrum by creating "Retpoline," a software binary modification technique that prevents branch-target-injection. "With Retpoline, we didn't need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker... We could protect our infrastructure at compile-time, with no source-code modifications. Furthermore... this protection came with almost no performance loss."

In the CrowdStrike blog post, Ionescu provides details on other companies' fixes, warning that products that remain vulnerable to Variant 1 are the most at risk because they are the "most likely to be used by a remote attacker through an existing bug in a browser or other sandboxed parsing application, allowing the attacker to bypass existing security mitigations such as ASLR and potentially read user data it should not be able to."

Malwarebytes reported that some of the patches distributed by vendors have resulted in measurable performance slowdowns. "By examining the applied patches' impact against one of our own products... we found that they are, indeed, causing increases in CPU usage, which could result in higher costs for individuals billed by cloud providers accordingly," wrote Malwarebytes blog post author Jerome Boursier.

In related news, tech company Nvidia Corporation this week clarified in a security advisory that its graphics processing unit (GPU) hardware is immune to the vulnerabilities, despite earlier reports that they were also affected. Only its driver software was affected, noted the company, which issued corrective updates for the software.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.