The Deafening Silence on Spectre & Meltdown – What’s the Industry Afraid Of?
During last week’s RSA Conference in San Francisco I heard the usual cacophony of vendors, saw the spending of more money on larger glitzier booths, more gimmicky presentations, jugglers, magicians and piles of give-away swag. Clearly the security industry is thriving, but the messages sound much the same as they have for the last 20 years.
What really struck me was the complete silence from almost all vendors about Spectre & Meltdown – arguably the largest and most far-reaching vulnerabilities exposed in many years. Given all the news about Spectre & Meltdown, you would expect some vendors to at least pay lip service to the problem, or claim partial coverage, but mostly there were crickets.
(Note: for the purposes of this blog I’ll use the name Spectre to refer to all the variants of Spectre & Meltdown – recognizing that they have differences but are all part of a new class of vulnerabilities.)
At RSA, Virsec introduced a rare solution to the seemingly intractable, chip-level exposure caused by Spectre & Meltdown. We built a powerful, working version of Spectre and demonstrated it live, along with our solution to selectively fence vulnerable code from speculative execution – the source of the problem.
Because of the uniqueness of our solution, we earned the top spot on CRN’s “20 Hot New Security Products at RSA 2018.” While we’re honored by the recognition, we’re also surprised to hear little from the rest of the industry on the topic. Following are some questions and attitudes about Spectre that we think should be dispelled.
Is the Problem of Spectre and Meltdown Unfixable?
It’s clear that most of the security industry has stayed quiet about Spectre because they don’t have solutions. Initial OS patches had many unintended consequences, did not solve all the problems, caused big performance hits and were quickly withdrawn. Attempts to patch the microcode by chip manufacturers were even worse, causing many systems to stop operating – even becoming “bricks.” Any patch is risky and changing microcode is not something most IT professionals want to touch.
Beyond patches, many pundits have recommended recompiling application code to prevent speculative execution. While this is possible, it’s a non-starter for most organizations that don’t write most of their code and rely on a stack of third-party tools for their applications.
That leaves us hoping to refresh hardware and being patient as chip vendors create new, less vulnerable chips in the future. These fixes haven’t even been produced yet, and the prospect of replacing all affected hardware processors is daunting – bordering on impossible. Adding to the challenge, many critical infrastructure systems run on older hardware, often deemed “un-patchable” with unsupported operating systems, that often cannot be taken offline. They are certified to do one thing, which they have always done, so there is strong disincentive to making changes.
Despite all of this, Spectre is not unfixable, but it requires deep understanding of memory attacks, the ability to bridge the gap between applications, processes, and memory, and the ability to protect any application “as is.” This is exactly what Virsec does.
Is Hacking a Microcode Flaw Too Theoretical?
It’s true that Spectre was created in the lab by researchers both in Austria and independently at Google and it requires some specialized skills to pull it off. But we’ve built it, and there’s absolutely no reason to believe that others won’t as well, based on the published research. This is a subtle vulnerability that requires some expertise, but certainly not beyond the grasp of well-educated, well-organized and well-funded criminal organizations around the world that have come up with myriad ingenious, fileless and memory-level exploits.
Frankly, the press has done a pretty good job covering Spectre – treating it as being different and on a new scale from past vulnerabilities. Noted security journalist, Byron Acohido, has been beating the drum in Security Boulevard that Spectre is alive and well and likely to grow rapidly. While the news cycle for Spectre has been surprisingly long, inevitably it gets drowned out by the next exploit to make headlines. This plays right into the attacker’s hands – they wait, they dwell, they’re patient and they exploit whatever works. Spectre will absolutely be part of the arsenal for advanced hackers.
Does a Solution Require a Different Level of Understanding?
Spectre is way below the radar of most security products, and beyond the expertise of most security engineers. I guess it’s understandable, given the inability to grasp it, to build it, or to protect from it, that they would not want to talk about it.
Most security suffers from a bit of myopia, focusing on what happened most recently, and generally looking backwards. We’re all guilty of assuming the technology platforms we build upon are stable and secure and we don’t need to fully understand how they are built – securing them is someone else’s problem. But that’s naïve if these underlying layers show cracks. Tunneling beneath where most people are looking is both a good way to escape from prison, and an obvious path for hackers.
So Now What?
The bottom line is that Spectre is real, exploitable and can be used to leak sensitive information in ways that are almost undetectable. A year ago, memory-based attacks were considered arcane and unlikely, until WannaCry, NotPetya, Industroyer and many other memory exploits exploded that myth.
Our advice to the market is don’t forget about Spectre & Meltdown and don’t accept silence as a solution.. These exploits are alive and well – we’ve built them at RSA and have no illusions that they won’t be exploited by the bad guys. New exploits using this dangerous new class of attacks are almost certainly being built, improved upon, and evolving in the wild every day. Do not accept shrugs from security vendors who don’t know how to talk about this – let alone solve the problem.
Educate yourself – this is complicated stuff, and most of us aren’t trained at the processor level. It’s a whole technology world unto itself, but now it’s incumbent on security professionals to learn how these processes work and to be prepared to implement solutions.
Finally, find a solution that protects your critical applications as they are. We live in an imperfect world – there will always be vulnerabilities and leaks in our perimeter defenses and now we know the chip foundations that we’ve built much of our infrastructure upon are vulnerable. Welcome to the real world.
Just like you’ll never create perfect code, if you operate assuming the outside world has risks and vulnerabilities, you can focus on protecting what’s important. The focus needs to shift to protecting critical applications from the inside out and look for vendors like Virsec that are not only talking about the problem, but have practical, immediate solutions to protect applications from the vulnerabilities created by Spectre & Meltdown.