Meltdown and Spectre: What We Know, and What To Do

Last week, a team of security researchers revealed two critical security flaws affecting every Intel processor released in the past 20 years. Since Intel is the leading producer of microprocessors, it is extremely likely that every business, government, and other organization is affected. It also means that your personal computers, smart phones, and other “smart” devices are affected.

Both flaws exploit the processor’s ability to guess the fastest execution path through a program, such as Microsoft Word. Underneath the hood, these programs are just a list of instructions for the processor to execute. Some instructions let the program make decisions: for example, Microsoft Word asks for confirmation before closing an unsaved Document. At this point, the program will have two sets of instructions that may be executed: one if the user confirms closing the Document, and one if she doesn’t. Only one of these branches will be executed, so if one choice is more likely–for example, if users typically do want close unsaved Documents–then the processor can speed up the program by starting to execute the instructions to close the Document before the user confirms her choice. If she doesn’t confirm, the processor can “back up” and execute the other branch. This is called speculative execution, and because of it, Intel processors are able to run certain types of programs much faster than they otherwise could.

Of course, it takes thousands of instructions for a program like Microsoft Word to do anything substantial. In practice, the decisions it makes are about memory usage, or other technical matters. The user never sees any of this.

Both Meltdown and Spectre exploit speculative execution in order to circumvent restrictions on memory access. On modern computers, the operating system (e.g. Windows) runs in a protected part of memory that isn’t directly accessible by other programs. When a program wants to do something, it makes a system call to the operating system. This increases security, and also lets the operating system prioritize certain tasks, such as downloading critical updates. By circumventing this restrictions, both Meltdown and Spectre can access system resources directly. Furthermore, since the flaw is in the computer hardware itself, software restrictions (such as user permissions) are ineffective.

At this point, your best option is to make sure your computers and smart devices have installed the latest updates. Note that the security patch may cause some programs to run more slowly: this is because it effectively disables some types of speculative execution. Unfortunately, until Intel can design and release a new processor without this flaw, this is the only solution.

You can find more details about both Meltdown and Spectre (including the official white papers) at Meltdown Attack

Stay informed. Stay safe.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *