Meltdown & Spectre
While Meltdown and Spectre are different on a technical level and both have several variants, the core idea is always the same: A timing based side channel is exploited in order to use arbitrary memory. Let’s translate that into more common terms.
Modern CPUs use a multitude of different tricks to achieve high speeds. One of these tricks is called branch prediction. A computer program can be seen as very large collection of choices. Add 1 to a number or don’t. Click a link or don”t. Send a file or don’t. Traditionally, processors would execute one instruction at a time and then decide which action to take any time a branch was reached.
However as processors moved towards doing several things at once, this linear flow of execution quickly became a bottleneck. Let’s heavily over-simplify the technology to create an easier example:
Imagine that a CPU can process up to 10 instructions at once at any given time.
As long as we keep going straight forward, the CPU can execute code at 10 times the “normal” speed.
But every time we hit a branch and decide on a new direction, all previous instructions have to be executed so that the correct path to take at the branch can be decided. This means that the CPU slows down to normal speed.
If we were to just randomly pick a side at every branch and keep executing at full speed until eventually all the data is ready for the right side to be correctly evaluated, we’d have a 50% percent chance of being right. When we are right, the CPU effectively worked 10 times faster than normal. If we are wrong, nothing is lost as the CPU merely slows down to “normal” speeds. This process happens in any modern CPU thousands of times every second. Only that the technology is much more complicated than in our given example.
Usually, if a wrong branch was taken, all data related to it should be forgotten by the CPU once the branch is correctly evaluated. However researchers discovered that by looking at how long it took the CPU to read and write certain data right after a wrong path was taken, data generated during the path could be recovered. This is the basis for both the Spectre and Meltdown attacks.
For a more in-depth explanation, we highly recommend this writeup by Cloudflare.
Who is affected?
Basically, everyone is affected by these attacks.
Branch prediction has been a core feature of CPUs for about two decades and almost any CPU manufactured during this time frame is affected by one form of the attacks or another.
While the difficulty to exploit the vulnerability differs from CPU to CPU, these differences are of no concern to end-users.
Why is this critical?
What all of the technical explanations boil down to is this:
Anyone able to execute code on your PC can potentially read any data in the PC's memory. Data to be read may include passwords, credit card numbers, cryptographic keys, private messages / photos or literally anything else stored on the computer.
What can I do to protect myself?
The vulnerabilities were discovered simultaneously by several researchers as early as April 2017. The manufacturers of affected CPUs as well as the developers of the major operating systems have been working on fixes since.
The only reasonable course of action for end users is to keep their computers up to date and apply any patches and updates as they become available. This applies not only to Operating Systems but also to other software interacting with untrusted contents - most notably, web browsers.
Be aware that the fixes are likely to have a negative impact on the performance of computers but must still be applied. Without them, the risk for end users is very high.
For server administrators, we recommend a precise analysis of whether servers run untrusted code. If not, you might be able to delay the updates until clearer figures on the performance impact become available. If you run untrusted code or are unsure if you do, the updates should be applied immediately.
The myth of perfect security
The Meltdown and Spectre attacks demonstrate one of the core messages we keep repeating:
There is no absolute security. Even if you installed every patch, followed every guideline and perfectly audited all of your code - on December 31st 2017 every single one of your servers and workstations was vulnerable. They were most likely vulnerable ever since they were built, as were the machines they replaced and the ones before that.
Relying on “doing everything right” is not enough to keep yourself or your organization secure from attacks. The only reasonable way to do so is to implement several layers of defense, create strong policies and adequately train all of your staff - so that appropriate action can be taken once the next big vulnerability hits.