Meltdown and Spectre: The Case for Detection

The entire technology industry has been taken by surprise by the high-profile announcement of the Meltdown and Spectre vulnerabilities last week. These vulnerabilities, present in most Intel processors of the last two decades and also affecting ARM and AMD processors, have highlighted how complex, modern processors can be susceptible to highly impactful security issues. They also signal a shift in focus towards security issues at deeper levels of the computing ecosystem.

The mitigations for Meltdown and Spectre include BIOS updates, processor microcode updates, operating system updates, web browser updates, and even new compiler-based mitigations such as Retpoline, which changes compilers to emit code that isolates indirect branches from speculative execution paths. These mitigations, however, are not without their own risks.

Modifying behavior this broadly across the computing stack can have (and already has had) unanticipated consequences. For example, Microsoft halted updates to some AMD-based systems because the update rendered them unbootable. The initial updates to Ubuntu Linux kernels have also left some machines unable to boot. Finally, even some Linux kernel developers are warning about the potential for bugs in the backports of the mitigations to kernels before 4.14. These concerns don't even cover the performance impact the Linux KPTI mitigations may incur (tl;dr: it depends upon your processor models and workloads).

While I would still advise applying the available mitigations as fast as is reasonably possible, applying them across enterprise environments will inevitably take significant attention and time. This asymmetry in complexity allows more agile attackers to take advantage of these vulnerabilities, possibly even using readily published proofs-of-concept, while defenders are still performing their own risk analysis. As CloudFlare's analysis of Shellshock exploitation activity in the wild showed, attackers began attacking much faster than defenders could hope to patch. CloudFlare's analysis also showed how much more quickly protections based on detection could be deployed compared to mitigations based on patching alone. Additionally, multiple detection strategies have been discovered and released since the public announcement of the vulnerabilities, showing how quickly monitoring-based detections can be developed and deployed.

In the end, organizations do not have to choose between one approach and the other. Mature and advanced environments combine both, using each for its strengths. Eliminating the underlying cause of a vulnerability is the most effective, but also takes the most time and effort. Detecting exploitation of broad classes of vulnerabilities and attacks against your infrastructure through advanced security monitoring, and automating real-time responses, provides protection while known vulnerabilities are in the process of being eliminated. It can also provide a valuable signal of malicious activity and reveal exploitation of yet-unknown vulnerabilities.