These vulnerabilities have existed for over 20 years, and we are not even close to closing the door on these significant risks.
During a recent Congressional hearing, Senators voiced concerns about the ongoing Spectre and Meltdown vulnerabilities. While the technical details were predictably glossed over, most of the hearing focused on Intel informing Chinese partners about the flaws six months before they went public. While this is troubling and potentially gave foreign hackers a longer window of opportunity, it misses the much bigger issue: These vulnerabilities have existed for over 20 years, and we are not even close to closing the door on these significant risks.
The research paper that revealed Spectre in January stated it succinctly: “As it is not easy to fix, it will haunt us for quite some time.”
How We Got Here
Spectre and Meltdown are speculative side-channel flaws that make use of a basic fact of how modern computing works. Starting with the first Intel Pentium processors in 1995, chip designers found clever ways to boost processor speed by leveraging unused processor cycles and guessing what’s coming next. This caching model (allowing the chipset to make assumptions about next steps, known as branch prediction and speculative execution, to get a jump on computing) has been embedded in the millions of processors since then, and we’ve all come to expect the performance benefits that come from it.
What was not considered is that these speculative cycles jump ahead of security checks – and hackers have now found side-channels and sophisticated timing mechanisms that can be used to exploit these short windows of exposure.
Thus, Spectre and Meltdown burst on the scene in early 2018. While Meltdown breaks down the mechanism keeping applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory.
The upshot is that the flaws allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine.
The unprecedented scope of the vulnerabilities is what made headlines: They create exposures across PCs, Macs, mobile devices and even virtual machines in the cloud.
A Problem Without a (True) Patch
Initial fixes were rushed out, with many unintended consequences. Software vendors offered operating system (OS) patches, but these caused unacceptable performance loss and were quickly withdrawn. Processor microcode updates were released, but ended up often disabling servers – so most customers steered clear of these risky updates. Chipmakers meanwhile promised future chips without these flaws would be “available soon” – which of course does nothing to address the millions and millions of vulnerable devices already in the field.
With each round of patching, users have been asked to make unacceptable choices – they must either compromise performance (by as much as 30 percent); re-compile source code completely, which takes expertise and labor; or replace the processors – a daunting task for enterprises especially, which may have thousands of computers to fix.
Meanwhile, many have rationalized that the problem is only theoretical – i.e., created by researchers in the lab and too difficult for hackers to implement in the wild. But this wishful thinking has been shaken as multiple new variants of Spectre continue to emerge, causing the same patching scramble and leading to incomplete remedies.
A Failure of Imagination
Assuming that these risks are only theoretical is both naïve and dangerous.
Throughout the last century, many disasters including 9/11, the Apollo 1 fire, Pearl Harbor and the sinking of the Titanic were blamed on a “failure of imagination.” The phrase is a handy label for something that was deemed inconceivable at the time, but emerged as an obvious danger after the fact. The chip-design flaws leading to Spectre and Meltdown fall into this category.
We also don’t have to look back far for other examples of failures of imagination in cybersecurity: In 2010, Stuxnet caused waves as NSA-developed tools brought down Iranian centrifuges with unprecedented fileless and memory-based techniques. These advanced exploits were considered arcane and only practical for nation-states — until it emerged in other scenarios. It also paved the way for the recent explosion of memory-based attacks, including WannaCry, NotPetya, Industroyer, Equifax, Triton and many others.
Fueled by the ShadowBrokers leaks, highly dangerous hacking tools are now readily available to mainstream hackers, and these previously theoretical attacks are now common. It’s hard to believe that Spectre won’t follow a similar trajectory.
Adding to the problem is the fact that the computing space is rife with traditional silos. Software developers don’t worry about the many layers in the stack below their code, and very few people (outside the chip industry) understand the microcode and hardware supporting all of our computing – from cell phones to cloud.
It’s imperative that we rethink our approach, challenge assumptions, break through silos and take strong measures to change underlying structural weaknesses.
Where to Go From Here
Business must of course go on, but ignoring elephant-in-the-room threats like Spectre and Meltdown is never wise. Solutions are emerging that look deeper into processor-caching and memory usage, as are those that selectively limit speculative execution without recompiling code or hobbling performance. The ongoing effort to replace processors will help, too.
That said, legacy systems can live on for years, leaving many back channels and exposing rafts of applications on an ongoing basis. Organizations however must tackle this seemingly insurmountable challenge. Remember, today’s hackers are resourceful and relentless, continuously creating clever new variants of exploits. We should expect Spectre to morph, evolve and grow – not go away.
(Willy Leichter is vice president of marketing for Virsec Systems. He is a frequent speaker at industry events and author on IT security and compliance issues.)