Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

1/8/2019
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Spectre, Meltdown Vulnerabilities Will Haunt Industry for Years

Chip makers such as Intel have released patches and fixes to mitigate Spectre and Meltdown issues, but the problem won't be solved until they come out with new architectures, which is two to three years away.

A year ago, the public first heard about Spectre and Meltdown, channel-side vulnerabilities in most of the processors used in servers and PCs for almost two decades. The disclosure of the vulnerabilities, first detected by Google's Project Zero team in mid-2017, and officially disclosed in early 2018, sent shockwaves through the industry.

The effects will continue to be felt over the next few years as chip makers from Intel and AMD to ARM and IBM rearchitect their processors to harden the technology that led to the vulnerabilities, a process that will take another three or so years, according to Paul Teich, principal analyst at Liftr Cloud Insights.

After that comes the arduous task of refreshing PCs and data center servers throughout the world with systems powered by the new processors, which could take a decade or more.

"We're going to be living with Spectre and Meltdown for a long time," Teich told Security Now.

The vulnerabilities arise out of the speculative execution that is used to ramp up the performance of the processors. Through Spectre, the isolation between applications that is managed through the CPU memory can be broken, while Meltdown splits the isolation between applications and the operating system. Chip makers scrambled to put in fixes through microcode and software changed to mitigate some of the risk from Spectre and Meltdown, but more permanent solutions are years down the road. In addition, variants of the vulnerabilities have continued to spring up, complicating the already complex task of addressing the problems. (See New Spectre & Meltdown Attacks Show Limits of CPU Vulnerabilities.)

Security concerns
Spectre and Meltdown also changed the discussion around security to a degree.

Until last year, much of the talk about vulnerabilities and exploits centered around software, through the issue of the security of Internet of Things (IoT) devices has been a growing issue. However, Spectre and Meltdown brought security concerns into the core of enterprise hardware and raised the difficult question of finding a middle ground between performance and security. Intel and others have tried to lessen the impact on performance through such steps as adding more memory, but it's a challenge, Teich said.

"A worrying pattern that the Spectre and Meltdown vulnerabilities brought to light is how attackers piggyback on computing advancements and exploit the fact that there's often a lag between performance improvements and corresponding security improvements," Abhishek Iyer, technical marketing manager at cybersecurity vendor Demisto, told Security Now in an email. "The Intel SGX brought an innovation to market -- the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks -- but the Foreshadow (L1TF) [variant] explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines."

It also put a focus on the need to address security throughout the development process to address possible vulnerabilities before the products are shipped, Charles King, principal analyst with Pund-IT, told Security Now.

"It's a new world that continues to evolve," King said. "It behooves people to keep that in mind. Don't think it's going to get any less complex or dangerous."

Assessing the response
The industry's initial response to Spectre and Meltdown was good, according to Liftr Cloud's Teich. Google researchers worked with hardware and software vendors to remediate as many of the problems as possible before going public with the vulnerabilities, and chip makers have continued to issue fixes and put in protections into their products.

Still, the various fixes frustrated C-level executives and IT professionals, according to Jon King, cybersecurity consulting manager at investment firm Moss Adams. For executives, the impact on performance and cost may have convinced some to "ride out the storm [rather] than fully understand the risk," King told Security Now in an email. (See Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown .)

The continual release of inconsistent patches also impacted IT, as King noted, these updates:

Desensitizing them to the potential impact of side channel disclosure due to the frustration of reapplying patches and registry edits across the enterprise. Going forward, we should expect and even encourage vendors to address classes of vulnerabilities affecting broad swaths of the industry in a thorough, effective manner. The emphasis should be on addressing the risk, not simply patching the vulnerability.

Teich added that the next iteration of processors from Intel and AMD will bring greater protections against the vulnerabilities -- he called them "half steps" -- but it will be the processor rollouts after that -- in mid- to late-2020 -- that will include new core architectures that will protect the various points in the speculative execution pipeline. Then comes the long process of enterprises refreshing their data centers with new systems that include the new chips.

The good news is that, so far, there doesn't seem to have been any attacks in the wild exploiting the Spectre or Meltdown vulnerabilities.

Part of that may be how difficult such an attack would be, Teich said, calling the vulnerabilities "low-risk, high-impact." Such an attack would involve the transferring of huge amounts of data from the system over the network, something that modern security solutions would most likely be able to detect.

In addition, most threat actors know the data they're looking to extract. Exploiting Spectre or Meltdown would mean stealing massive amounts of data that an attacker may not know what do with. "The whole point of [an attack] is to send data home," Teich said, adding that attackers tend to run "pinpoint surgical operations."

Chris Morales, head of security analytics for cybersecurity vendor Vectra, agreed.

"The reality is, while these are scary attacks conceptual, the ability to execute an attack utilizing these flaws is still hard," Morales told Security Now in an email. "The data rate for extraction of data from system memory is very low, meaning stealing anything more than a simple password could take days or much longer."

For now, the industry will have to push on with Spectre and Meltdown always looming, at least for the next several years.

"The problem isn't going to go away until Intel and other companies with technology susceptible to Spectre and Meltdown change the [chip] architecture," Pund-IT's King said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...