Hriday Biyani

Meltdown & Spectre CPU Security Flaws and Mitigation Steps

Blog Post created by Hriday Biyani on Jan 18, 2018

Most of us were just about settling down from the New Year partying hangover when news of a serious security flaw in modern processors shook the entire IT industry. On Jan 4, 2018, two major processor security flaws, Meltdown and Spectre, were disclosed, affecting nearly every device made in the past 20 years. The flaws affect all the major chip architectures (Intel, ARM, AMD), operating systems (Linux, Windows, macOS, Android) and devices (computers, mobiles, tablets).

 

Basically, one of the important functions of a processor is the ability to branch, i.e. to choose between two different code paths. When a user works on a computer, the processor simultaneously branches out along the paths the user might take. This is known as branch prediction: the processor predicts the path the user might take, which saves a lot of processing time. It is part of an architectural technique known as speculative execution.

 

The attacker may access valuable information like passwords, etc.

 

What are the Meltdown and Spectre security vulnerabilities?

 

Meltdown and Spectre are processor security flaws exploiting an architectural technique known as “speculative execution” which has been designed into chips for decades.

 

These days computers are designed to perform tasks as fast as they can. To deliver faster results, processors are designed so that they can anticipate user actions, make the necessary calculations and keep the results in the cache. This process of anticipating results beforehand is called speculative execution.

Taking advantage of this, attackers execute malicious code on the system that makes the processor anticipate wrong paths or branches, and obtain valuable information like passwords, protected files, etc.

 

Normally processors anticipate various results or paths and, as the user moves forward, dump the wrong paths or unnecessary results. Attackers retrieve these wrong paths or dumped information and can access it for a long time. This can be business-critical data which can be used to cause serious security breaches for the company.

 

Am I affected by Meltdown and Spectre?

 

Almost the whole industry has been affected, from the major chip manufacturers to OS companies and cloud providers. The chip manufacturers (Intel, AMD, ARM) have confirmed that their chips are vulnerable to this attack. All the operating systems (Linux, Windows, macOS, Android) have been affected as well. Basically, all the computers designed over more than 20 years have been affected by this, including our mobile phones. The only devices that have not been impacted are the IoT (Internet of Things) devices, i.e. devices that are based on Artificial Intelligence, as they work on the concept of edge computing.


How can I protect myself from Meltdown and Spectre?

 

All the operating system companies have launched updates to their software. Make sure you update your system with these patches as soon as they are released. These patches will not totally eliminate the risk, though; they are more like a temporary fix. One of the drawbacks of the patches is that they will make your processor slower to a certain extent. This is simply because of the processor's inability to make branch predictions.

 

As a long-term solution, the next generation of processors will need to be designed in a way that eliminates this loophole.


What has Diadem done to mitigate the Spectre and Meltdown CPU Security flaws?

 

To mitigate the attack, we at Diadem Technologies have implemented the following patches:

 

Linux:

We have updated our Linux servers with the yum update command; the specific package updates that patch this vulnerability are listed below:

kernel-headers.x86_64 0:3.10.0-693.11.6.el7

kernel-tools.x86_64 0:3.10.0-693.11.6.el7

kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7

perf.x86_64 0:3.10.0-693.11.6.el7

python-perf.x86_64 0:3.10.0-693.11.6.el7

kernel.x86_64 0:3.10.0-693.11.6.el7

kernel-devel.x86_64 0:3.10.0-693.11.6.el7
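
One way to confirm that a server is actually running the patched kernel listed above, as an added example that is not part of the original post or Diadem's own tooling: it compares a release string, as printed by uname -r, against the 3.10.0-693.11.6.el7 build from the list. The function names and the sample release strings are assumptions made for illustration; note that yum update only installs the new kernel, which takes effect once the server has booted into it.

```shell
#!/bin/sh
# Added example (not from the original post).
# Baseline = version-release of the patched packages listed above, dist tag removed.
BASELINE="3.10.0-693.11.6"

# kernel_is_patched RELEASE -> 0: at/above baseline, 1: older, 2: not an el7 build
kernel_is_patched() {
    case $1 in
        *.el7*) ;;
        *) return 2 ;;   # the baseline says nothing about other distributions
    esac
    # Strip ".el7", ".el7.x86_64", ... so that only the numeric version-release
    # is compared; how sort -V ranks trailing alphabetic parts such as ".el7"
    # is not something this check should depend on.
    ver=${1%%.el7*}
    lowest=$(printf '%s\n%s\n' "$BASELINE" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$BASELINE" ]
}

# classify_release RELEASE -> prints patched | unpatched | not-el7
classify_release() {
    rc=0
    kernel_is_patched "$1" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo unpatched ;;
        *) echo not-el7 ;;
    esac
}

# Constructed sample release strings, in the form `uname -r` prints them.
for rel in 3.10.0-693.el7.x86_64 3.10.0-693.5.2.el7.x86_64 \
           3.10.0-693.11.6.el7.x86_64 3.10.0-862.14.4.el7.x86_64 \
           4.15.0-20-generic; do
    printf '%-32s %s\n' "$rel" "$(classify_release "$rel")"
done

# On a live server, test the kernel that is actually booted:
#   classify_release "$(uname -r)"
```

A server that reports unpatched after yum update has the new packages installed but is still running the old kernel until it is rebooted.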

 

On Windows Server:

Most of our servers run updated versions of Windows 2012 R2 / 2016, which are already patched by Microsoft. Intel has also released a testing tool for identifying the vulnerability in a server OS. If a server is running an unsupported older OS, a firmware update for the motherboard is available from both Supermicro and Intel and has been applied on the affected servers.

Antivirus software vendors have also provided updated versions to catch up with these updates from Microsoft and the server hardware manufacturers.

 

Rest assured, we will ensure that our servers are continuously monitored for security and critical patches, and that these are applied on a proactive basis.
