Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Spectre, Meltdown Vulnerabilities Will Haunt Industry for Years

Chip makers such as Intel have released patches and fixes to mitigate Spectre and Meltdown issues, but the problem won't be solved until they come out with new architectures, which is two to three years away.

A year ago, the public first heard about Spectre and Meltdown, channel-side vulnerabilities in most of the processors used in servers and PCs for almost two decades. The disclosure of the vulnerabilities, first detected by Google's Project Zero team in mid-2017, and officially disclosed in early 2018, sent shockwaves through the industry.

The effects will continue to be felt over the next few years as chip makers from Intel and AMD to ARM and IBM rearchitect their processors to harden the technology that led to the vulnerabilities, a process that will take another three or so years, according to Paul Teich, principal analyst at Liftr Cloud Insights.

After that comes the arduous task of refreshing PCs and data center servers throughout the world with systems powered by the new processors, which could take a decade or more.

"We're going to be living with Spectre and Meltdown for a long time," Teich told Security Now.

The vulnerabilities arise out of the speculative execution that is used to ramp up the performance of the processors. Through Spectre, the isolation between applications that is managed through the CPU memory can be broken, while Meltdown splits the isolation between applications and the operating system. Chip makers scrambled to put in fixes through microcode and software changed to mitigate some of the risk from Spectre and Meltdown, but more permanent solutions are years down the road. In addition, variants of the vulnerabilities have continued to spring up, complicating the already complex task of addressing the problems. (See New Spectre & Meltdown Attacks Show Limits of CPU Vulnerabilities.)

Security concerns
Spectre and Meltdown also changed the discussion around security to a degree.

Until last year, much of the talk about vulnerabilities and exploits centered around software, through the issue of the security of Internet of Things (IoT) devices has been a growing issue. However, Spectre and Meltdown brought security concerns into the core of enterprise hardware and raised the difficult question of finding a middle ground between performance and security. Intel and others have tried to lessen the impact on performance through such steps as adding more memory, but it's a challenge, Teich said.

"A worrying pattern that the Spectre and Meltdown vulnerabilities brought to light is how attackers piggyback on computing advancements and exploit the fact that there's often a lag between performance improvements and corresponding security improvements," Abhishek Iyer, technical marketing manager at cybersecurity vendor Demisto, told Security Now in an email. "The Intel SGX brought an innovation to market -- the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks -- but the Foreshadow (L1TF) [variant] explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines."

It also put a focus on the need to address security throughout the development process to address possible vulnerabilities before the products are shipped, Charles King, principal analyst with Pund-IT, told Security Now.

"It's a new world that continues to evolve," King said. "It behooves people to keep that in mind. Don't think it's going to get any less complex or dangerous."

Assessing the response
The industry's initial response to Spectre and Meltdown was good, according to Liftr Cloud's Teich. Google researchers worked with hardware and software vendors to remediate as many of the problems as possible before going public with the vulnerabilities, and chip makers have continued to issue fixes and put in protections into their products.

Still, the various fixes frustrated C-level executives and IT professionals, according to Jon King, cybersecurity consulting manager at investment firm Moss Adams. For executives, the impact on performance and cost may have convinced some to "ride out the storm [rather] than fully understand the risk," King told Security Now in an email. (See Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown .)

The continual release of inconsistent patches also impacted IT, as King noted, these updates:

Desensitizing them to the potential impact of side channel disclosure due to the frustration of reapplying patches and registry edits across the enterprise. Going forward, we should expect and even encourage vendors to address classes of vulnerabilities affecting broad swaths of the industry in a thorough, effective manner. The emphasis should be on addressing the risk, not simply patching the vulnerability.

Teich added that the next iteration of processors from Intel and AMD will bring greater protections against the vulnerabilities -- he called them "half steps" -- but it will be the processor rollouts after that -- in mid- to late-2020 -- that will include new core architectures that will protect the various points in the speculative execution pipeline. Then comes the long process of enterprises refreshing their data centers with new systems that include the new chips.

The good news is that, so far, there doesn't seem to have been any attacks in the wild exploiting the Spectre or Meltdown vulnerabilities.

Part of that may be how difficult such an attack would be, Teich said, calling the vulnerabilities "low-risk, high-impact." Such an attack would involve the transferring of huge amounts of data from the system over the network, something that modern security solutions would most likely be able to detect.

In addition, most threat actors know the data they're looking to extract. Exploiting Spectre or Meltdown would mean stealing massive amounts of data that an attacker may not know what do with. "The whole point of [an attack] is to send data home," Teich said, adding that attackers tend to run "pinpoint surgical operations."

Chris Morales, head of security analytics for cybersecurity vendor Vectra, agreed.

"The reality is, while these are scary attacks conceptual, the ability to execute an attack utilizing these flaws is still hard," Morales told Security Now in an email. "The data rate for extraction of data from system memory is very low, meaning stealing anything more than a simple password could take days or much longer."

For now, the industry will have to push on with Spectre and Meltdown always looming, at least for the next several years.

"The problem isn't going to go away until Intel and other companies with technology susceptible to Spectre and Meltdown change the [chip] architecture," Pund-IT's King said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...