Problem: Over the past week, you’ve likely heard of serious security bugs affecting CPUs called Meltdown and Spectre. Meltdown affects CPUs manufactured by Intel and Apple, while Spectre affects most CPUs manufactured over the last twenty years.
Impact: Both bugs can allow a remote attacker to compromise your system through something as innocuous as a web advertisement.
What to do: Install updates when prompted on all your devices.
A deep dive into Meltdown & Spectre
How did we get here?
Pushing CPU clock speeds past a few gigahertz is difficult because of heat dissipation and energy consumption, so manufacturers have had to look at other ways to increase performance. The fastest 2005-era Pentium 4 clocked in at 3.73 GHz and the standard 2017 i5 clocks in at 2.8 GHz, yet the i5 is many times faster than the Pentium 4 while using less electricity and generating less heat.
One way to increase performance is to shrink the transistors so that more of them fit on a chip (the P4’s 184 million vs the i5’s 1.75 billion). Another is to reduce the number of steps a CPU must take to execute an instruction (the P4’s ‘conveyor belt’, its pipeline, has 32 stages; the i7’s has 19). These improvements only take you so far, however, so manufacturers have turned to more exotic methods of optimising performance.
The ‘exotic method’ at the root of Meltdown and Spectre is ‘Speculative execution.’ Every CPU manufacturer has used speculative execution for over 20 years – everything from the Qualcomm chip in your phone to the Intel CPU in your server uses some form of it. Speculative execution works by ‘guessing’ and subsequently processing the next step in parallel while the CPU is waiting for the result of another action. If it guesses correctly, it saves time by pre-executing instructions. If it doesn’t, it can just discard the work.
Bert Hubert has an excellent example here, which I’m going to borrow:
Let’s imagine that you’re preparing a dish using the following recipe:
- Seed and dice a pumpkin, chop into cubes
- Cook for 5 minutes in melted butter
- Blend cubes in a food processor
- Put chicken in an oven at 180 degrees for 3 hours
- Make chicken broth
- Add broth to blender until pumpkin soup reaches desired consistency
You’ll note that you can put the chicken in the oven, and – while you’re waiting for it to finish cooking – you can perform most of the other steps. In effect, this is what speculative execution involves: making an educated guess on what work a CPU can perform in advance while it’s waiting for something else to happen.
To an outside observer, the CPU performs these actions sequentially; the parallelisation is handled entirely inside the chip. From the application’s perspective, the cooked chicken appears out of thin air, taking no time at all. The CPU will not tell the application whether it used speculative execution, nor whether it discarded unnecessary work because it guessed incorrectly.
Now let’s imagine that we add another step:
- Pour the pumpkin blend over the chicken before cooking
Suddenly the CPU’s speculation has failed, and it has to discard the pre-cooked chicken. Discarding work isn’t a problem as long as the discarded actions leave no trace and do not affect other tasks. Until recently, everyone assumed this was the case. Meltdown and Spectre prove that this assumption is false.
Modern operating systems and CPUs have methods in place to fence applications off from one another (sandboxing). This matters: an ad on a web page shouldn’t be able to pull your Wi-Fi password out of your RAM. The Meltdown and Spectre bugs, however, exploit speculative execution to infer your Wi-Fi password. An ad can’t ask your CPU “What’s the Wi-Fi password?”, but it can ask “If the Wi-Fi password starts with ‘A’, read the first pixel.” The CPU will still answer “You can’t do that”, but it will speculatively check the Wi-Fi password and read the first pixel just in case.
The CPU – trying to be helpful – loads the first pixel into its local cache. The ad can ask to read the first pixel, and then time how long it takes to respond. If the response is instant, you can infer that the CPU loaded the pixel into its local cache, and therefore the Wi-Fi password must start with A.
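The inference described in the two paragraphs above can be modelled without touching a real CPU. The following is a toy simulation added here for illustration (it is not code from the original post and not real Meltdown or Spectre code): the “cache” is a Python set, the “timings” are constructed constants, and ToyCPU, guarded_read, probe_next_char and recover_secret are hypothetical names. It also shows the two things the text implies but does not spell out: that repeating the one-character question recovers the whole secret, and that a CPU whose speculative path is fenced off (speculate=False) leaks nothing.

```python
# Toy model of the speculative-execution cache side channel (simulation only).
from dataclasses import dataclass, field

FAST = 10    # constructed "cycle count" for a cache hit
SLOW = 200   # constructed "cycle count" for a cache miss


@dataclass
class ToyCPU:
    secret: str                            # protected memory, e.g. the Wi-Fi password
    speculate: bool = True                 # False models a CPU/kernel that fences off speculation
    cache: set = field(default_factory=set)

    def flush(self):
        """Evict everything so that later loads start from a known (slow) state."""
        self.cache.clear()

    def load(self, address):
        """Architecturally permitted read of shared memory; returns the 'time' it took."""
        cost = FAST if address in self.cache else SLOW
        self.cache.add(address)
        return cost

    def guarded_read(self, guess, pixel):
        """The sandboxed request: 'if the secret starts with guess, read this pixel'.
        The request is always refused, but with speculation enabled the CPU has
        already performed the dependent load before the refusal arrives, leaving
        the pixel's cache line behind as a trace."""
        if self.speculate and self.secret.startswith(guess):
            self.cache.add(pixel)
        raise PermissionError("You can't do that")


def probe_next_char(cpu, prefix, alphabet, pixel="pixel0"):
    """Observer side: for each candidate, flush, ask the guarded question, then time the pixel."""
    for ch in alphabet:
        cpu.flush()
        try:
            cpu.guarded_read(prefix + ch, pixel)
        except PermissionError:
            pass   # the refusal is expected; the cache state is what the observer is after
        if cpu.load(pixel) == FAST:
            return ch
    return None


def recover_secret(cpu, alphabet, max_len=64):
    """Extend the known prefix one character at a time until no candidate matches."""
    prefix = ""
    while len(prefix) < max_len:
        ch = probe_next_char(cpu, prefix, alphabet)
        if ch is None:
            break
        prefix += ch
    return prefix


if __name__ == "__main__":
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    print(recover_secret(ToyCPU("Secret42"), alphabet))                          # leaks "Secret42"
    print(repr(recover_secret(ToyCPU("Secret42", speculate=False), alphabet)))   # ''
```

The point of the model is that guarded_read never returns the secret; the only thing the observer ever sees is whether a permitted load was fast or slow. That is why the fix has to remove the trace (or the speculation that leaves it) rather than tighten the permission check, which was already being enforced.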
Unfortunately, this behaviour is hardwired into the CPU, and you can’t remove it with a software patch; the only long-term solution is a more secure design for speculative execution in new CPUs. But the bugs are serious, potentially allowing an attacker to compromise multiple, completely separate systems on a single endpoint, so software vendors have rolled out patches that prevent an application from triggering speculative execution where that speculation could compromise the system.
Because CPUs use speculative execution to boost performance, the patches can have a severe impact on specific workloads. Most users will not notice much performance impact on their devices. However, tasks that rely heavily on speculative execution (such as database analytics or Java applications) may see performance decreases in the range of 10–20%. In extreme cases, the penalty can hit 50% of expected performance.
Unfortunately, given the extreme danger posed by these hardware bugs – which can allow an attacker to remotely compromise an entire PC through an advertisement on a web page – skipping the patches to avoid the performance hit is not an option. Please ensure that you install updates when prompted on each of your devices. Microsoft, Apple, and Google have all released appropriate patches for their respective operating systems. If you’re on an Android phone, though, you’re at the mercy of your manufacturer and carrier.
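“Install updates when prompted” is the advice for desktops and phones; on a Linux server or workstation you can also verify that the patches actually took effect. Linux kernels from 4.15 onwards expose one file per hardware bug under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown, spectre_v1, spectre_v2), each containing a line such as “Not affected”, “Mitigation: PTI” or “Vulnerable”. The script below is an added check, not part of the original post: it reads those files when they exist and otherwise falls back to a constructed sample (SAMPLE_STATUS) so it can be run anywhere; classify, read_sysfs and summarize are hypothetical helper names.

```python
# Check whether the kernel reports the Meltdown/Spectre mitigations as active (Linux only).
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what the files might contain on a partially patched host.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(status):
    """Map the kernel's free-text status line to one of four buckets."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):      # may carry details after a colon
        return "vulnerable"
    return "unknown"                    # unrecognised text: treat as needing a look


def read_sysfs(path=SYSFS_DIR):
    """Return {bug_name: status_line} from sysfs, or {} if this kernel lacks the interface."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as f:
            result[name] = f.read().strip()
    return result


def summarize(statuses):
    """Return (all_ok, [bugs that still need attention]) for a {bug: status} mapping."""
    needs_attention = [bug for bug, line in statuses.items()
                       if classify(line) in ("vulnerable", "unknown")]
    return (len(needs_attention) == 0, needs_attention)


if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE_STATUS     # real data if available, else the sample
    for bug, line in statuses.items():
        print(f"{bug:<12} {classify(line):<13} {line}")
    ok, pending = summarize(statuses)
    print("All mitigated" if ok else f"Still exposed: {', '.join(pending)}")
```

A “Vulnerable” entry after a reboot usually means the updated kernel or microcode has not been installed or booted yet, which is exactly the case the performance-versus-security paragraph above says you should not leave as-is.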