Meltdown and Spectre: Detailed Report on Processor Security Flaws
VerifiedAdded on 2021/04/16
|16
|4130
|63
Report
AI Summary
This report provides a detailed analysis of the Meltdown and Spectre vulnerabilities, two significant processor-level security flaws that affect a wide range of operating systems and devices. The report begins with an introduction to the vulnerabilities, explaining their origins in speculative execution and branch prediction. It then delves into the mechanisms of both Meltdown and Spectre, describing how they exploit hardware features to access sensitive data. The report also discusses the countermeasures implemented by major vendors like Google, Apple, and Microsoft, including software patches and firmware updates. Furthermore, the report evaluates the potential future impacts of these vulnerabilities and recommends appropriate mitigation strategies, emphasizing the challenges of addressing hardware-level flaws. The report concludes by summarizing the key findings and implications of Meltdown and Spectre, providing a comprehensive overview of the security landscape and the ongoing efforts to protect against these threats.
Running head: MELTDOWN AND SPECTRE
MELTDOWN AND SPECTRE
Name of the University
Name of the student
Author Note
MELTDOWN AND SPECTRE
Name of the University
Name of the student
Author Note
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1
MELTDOWN AND SPECTRE
Table of Contents
Introduction................................................................................................................................2
Aim of the Report...................................................................................................................2
Scope of the Report................................................................................................................3
Discussion..................................................................................................................................3
Brief on Spectre......................................................................................................................3
Brief on Meltdown.................................................................................................................5
The Countermeasures for Spectre and Meltdown..................................................................7
The Future impacts of Spectre and Meltdown.....................................................................10
Conclusion................................................................................................................................11
References................................................................................................................................12
MELTDOWN AND SPECTRE
Table of Contents
Introduction................................................................................................................................2
Aim of the Report...................................................................................................................2
Scope of the Report................................................................................................................3
Discussion..................................................................................................................................3
Brief on Spectre......................................................................................................................3
Brief on Meltdown.................................................................................................................5
The Countermeasures for Spectre and Meltdown..................................................................7
The Future impacts of Spectre and Meltdown.....................................................................10
Conclusion................................................................................................................................11
References................................................................................................................................12
2
MELTDOWN AND SPECTRE
Introduction
Two processor level flaws have been highlighted by cyber security researchers known
as Spectre and Meltdown. These vulnerabilities have affected almost all known operating
systems such as MacOS, iOS, Linux, Android and Windows. According to the researchers, a
feature known as Speculative Execution is one of the main reasons for the vulnerabilities that
are present in the almost all of the processors that are used today. Apple recently confirmed
that the malicious software need to be in the system which is affected to exploit its data.
Project Zero which is run by Google confirmed through independent testing that the attacker
has to physically access the device to run the stated vulnerabilities. Most of the vendors have
denied any allegation that the vulnerabilities have been used to extract data from consumer
devices. Contrary to these clams, Google Zero has already devised a working form of the
vulnerability which has the ability to bring down an entire server network. Apple has already
acknowledged that Meltdown has more potential to cause damage than Spectre (CNET,
2018). Many devices are not eligible for getting updates from their respective vendors so this
puts many people at risk. Google recently stated that devices which are running the latest
updates of their operating systems are immune from these vulnerabilities. Speculative
execution process is utilized by both Spectre as well as Meltdown but where Meltdown uses
the privilege escalation of Intel, Spectre uses two methods in combination to initiate the
attack namely, Speculative execution and Branch Prediction.
In the report, details about Spectre and Meltdown have been discussed and possible
mitigation strategies as well as their future impacts has been evaluated.
Aim of the Report
The aim of the report is to:-
MELTDOWN AND SPECTRE
Introduction
Two processor level flaws have been highlighted by cyber security researchers known
as Spectre and Meltdown. These vulnerabilities have affected almost all known operating
systems such as MacOS, iOS, Linux, Android and Windows. According to the researchers, a
feature known as Speculative Execution is one of the main reasons for the vulnerabilities that
are present in the almost all of the processors that are used today. Apple recently confirmed
that the malicious software need to be in the system which is affected to exploit its data.
Project Zero which is run by Google confirmed through independent testing that the attacker
has to physically access the device to run the stated vulnerabilities. Most of the vendors have
denied any allegation that the vulnerabilities have been used to extract data from consumer
devices. Contrary to these clams, Google Zero has already devised a working form of the
vulnerability which has the ability to bring down an entire server network. Apple has already
acknowledged that Meltdown has more potential to cause damage than Spectre (CNET,
2018). Many devices are not eligible for getting updates from their respective vendors so this
puts many people at risk. Google recently stated that devices which are running the latest
updates of their operating systems are immune from these vulnerabilities. Speculative
execution process is utilized by both Spectre as well as Meltdown but where Meltdown uses
the privilege escalation of Intel, Spectre uses two methods in combination to initiate the
attack namely, Speculative execution and Branch Prediction.
In the report, details about Spectre and Meltdown have been discussed and possible
mitigation strategies as well as their future impacts has been evaluated.
Aim of the Report
The aim of the report is to:-
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3
MELTDOWN AND SPECTRE
Evaluate the threats from Meltdown and Spectre
Understand the security policies and security techniques that are used for
mitigating the vulnerabilities
Evaluating their future impacts
Proper recommend counter measures for the vulnerabilities
Scope of the Report
The scope of the report is to provide information to prospective researchers about
Spectre and Meltdown and provide them with ample information so that they can devise
mitigation strategies for the vulnerabilities.
Discussion
Brief on Spectre
The vulnerability named Spectre gets its name from a hardware process named
Speculatve Execution. Spectre tricks other programs by using random memory locations of
the program. The attacker can collect sensitive information from the contents of the memory
pace which has been accessed. It uses the speculative execution exploit and usually consists
of more than one vulnerability. Spectre uses branch prediction specifically which is a case of
speculative execution. Unlike Meltdown, it does not rely on a single processor for memory
management (Hruska, 2018). Spectre uses branch prediction mechanism and starts its point of
attack from a side channel attack present in the processors. Even when Spectre is erased form
the device, loaded cache lines are left behind due to side effects from the speculative
execution mechanism which also affects the nonfunctional elements present in the operating
systems.
MELTDOWN AND SPECTRE
Evaluate the threats from Meltdown and Spectre
Understand the security policies and security techniques that are used for
mitigating the vulnerabilities
Evaluating their future impacts
Proper recommend counter measures for the vulnerabilities
Scope of the Report
The scope of the report is to provide information to prospective researchers about
Spectre and Meltdown and provide them with ample information so that they can devise
mitigation strategies for the vulnerabilities.
Discussion
Brief on Spectre
The vulnerability named Spectre gets its name from a hardware process named
Speculatve Execution. Spectre tricks other programs by using random memory locations of
the program. The attacker can collect sensitive information from the contents of the memory
pace which has been accessed. It uses the speculative execution exploit and usually consists
of more than one vulnerability. Spectre uses branch prediction specifically which is a case of
speculative execution. Unlike Meltdown, it does not rely on a single processor for memory
management (Hruska, 2018). Spectre uses branch prediction mechanism and starts its point of
attack from a side channel attack present in the processors. Even when Spectre is erased form
the device, loaded cache lines are left behind due to side effects from the speculative
execution mechanism which also affects the nonfunctional elements present in the operating
systems.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4
MELTDOWN AND SPECTRE
The working mechanism of a processor needs to be understood to understand how
Spectre functions. Four basic things need to be performed to execute a program in the
processor. Suppose there is an addition program which has two variables x and y. At first, the
program has to shift the value of x to the processor (into a register called R1) form the main
memory. The same process is done with e the value is saved into R1 (Scientific-
computing.com, 2018). To complete the program, the computer has o tore the value of R1
back into the main memory. Some features have to be added by the processor designers to
hide the discrepancies caused by different speeds of main memory and the processor (the
processor is 100 times faster than the main memory).
These features are cache and speculation. Spectre uses both these technologies to
extract sensitive data from people. Caches are used to store values which are frequently used
and are much faster than the main memory. If the values of x and y are inserted in the cache,
then the need to write back the values in the slow main memory is diminished which results
in the program executing itself faster. This difference in accessing speed is used by Spectre to
exploit data. Variant 2 of Spectre use speculative execution which speculates what tasks
might lie ahead even before the CPU actually makes the request. It kind of serves like a scout
operating well in front of the CPU’s many other functions and capabilities. Its goal is to
speed things up for the entire system by exploring lots of potential CPU tasks in advance.
Back in the 1960s when speculative execution was invented computers were very self-
contained. Since it was not possible for anyone to check what the data was thrown away
nobody thought it can pose as a risk and it was never secured (Trippel, Lustig and Martonosi,
2018). Nowadays, mobile device and computers share system resources with many
applications and environments. Sharing is good but when data via speculative execution nds
up in shared memory, attackers use a side channel to sneak in and hijack the data.
MELTDOWN AND SPECTRE
The working mechanism of a processor needs to be understood to understand how
Spectre functions. Four basic things need to be performed to execute a program in the
processor. Suppose there is an addition program which has two variables x and y. At first, the
program has to shift the value of x to the processor (into a register called R1) form the main
memory. The same process is done with e the value is saved into R1 (Scientific-
computing.com, 2018). To complete the program, the computer has o tore the value of R1
back into the main memory. Some features have to be added by the processor designers to
hide the discrepancies caused by different speeds of main memory and the processor (the
processor is 100 times faster than the main memory).
These features are cache and speculation. Spectre uses both these technologies to
extract sensitive data from people. Caches are used to store values which are frequently used
and are much faster than the main memory. If the values of x and y are inserted in the cache,
then the need to write back the values in the slow main memory is diminished which results
in the program executing itself faster. This difference in accessing speed is used by Spectre to
exploit data. Variant 2 of Spectre use speculative execution which speculates what tasks
might lie ahead even before the CPU actually makes the request. It kind of serves like a scout
operating well in front of the CPU’s many other functions and capabilities. Its goal is to
speed things up for the entire system by exploring lots of potential CPU tasks in advance.
Back in the 1960s when speculative execution was invented computers were very self-
contained. Since it was not possible for anyone to check what the data was thrown away
nobody thought it can pose as a risk and it was never secured (Trippel, Lustig and Martonosi,
2018). Nowadays, mobile device and computers share system resources with many
applications and environments. Sharing is good but when data via speculative execution nds
up in shared memory, attackers use a side channel to sneak in and hijack the data.
5
MELTDOWN AND SPECTRE
Spectre can be accessed remotely. As soon as the user visits the infected website with
the Spectre code, the information starts leaking through cookies and passwords. As the
vulnerability is hardware based and not software based, no software workarounds can be
installed to mitigate its effects. Responding to Spectre, Intel has released micro codes which
does not entirely destroy the vulnerability but reduces its impacts (Theregister.co.uk 2018).
Spectre cannot be totally eliminated without totally erasing caching and speculative execution
which are vital operations that are required for processing.
Brief on Meltdown
The vulnerability named Meltdown got its name from the fact that it basically
melts the security boundaries of the hardware. The attacker can access any data from around
the computer which he or she is not authorized to see with the help of this vulnerability,
including administrative data. The vulnerability only works with certain kinds of chips
(Simakov et al., 2018).
The x86 processors of Intel, Microprocessors of ARM and IBM are specifically
attacked by Meltdown. Meltdown actually gives permission to a malicious process to read
user data without their permission and is a hardware based vulnerability. The processors
which are made by AMD are not affected by the virus (Griffin, 2018). This vulnerability can
affect processors which were made in the last 10 years. The race condition of the CPU
(between instruction execution and privilege checking) is exploited by this vulnerability. The
unauthorized data is read normally before the privilege check can happen.
MELTDOWN AND SPECTRE
Spectre can be accessed remotely. As soon as the user visits the infected website with
the Spectre code, the information starts leaking through cookies and passwords. As the
vulnerability is hardware based and not software based, no software workarounds can be
installed to mitigate its effects. Responding to Spectre, Intel has released micro codes which
does not entirely destroy the vulnerability but reduces its impacts (Theregister.co.uk 2018).
Spectre cannot be totally eliminated without totally erasing caching and speculative execution
which are vital operations that are required for processing.
Brief on Meltdown
The vulnerability named Meltdown got its name from the fact that it basically
melts the security boundaries of the hardware. The attacker can access any data from around
the computer which he or she is not authorized to see with the help of this vulnerability,
including administrative data. The vulnerability only works with certain kinds of chips
(Simakov et al., 2018).
The x86 processors of Intel, Microprocessors of ARM and IBM are specifically
attacked by Meltdown. Meltdown actually gives permission to a malicious process to read
user data without their permission and is a hardware based vulnerability. The processors
which are made by AMD are not affected by the virus (Griffin, 2018). This vulnerability can
affect processors which were made in the last 10 years. The race condition of the CPU
(between instruction execution and privilege checking) is exploited by this vulnerability. The
unauthorized data is read normally before the privilege check can happen.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6
MELTDOWN AND SPECTRE
Figure 1: Working of Meltdown
(Source: Created by the author)
The processor is convinced to load the secret data with the help of Meltdown.
This access will be eventually blocked by the processor and it will not allow the process to
check the memory or register that is controlled by the attacker. But in step 2, the processor is
convinced by the attacker to index the array that is under control of the attacker using the step
1 data. The timing difference between the array accesses is observed by the attacker to collect
the secret data even though the processor did not load it clearly. Step 2 and Step 3 are
collectively called as side channel attack. Flush reload side channel attack is specifically used
by Meltdown (Kocher et al., 2018). Through the flush operation, the processor cache is
cleared by the vulnerability. The next process is to use the element of the infected array to
trick the processor in using secret data. This allows the processor to load the infected element
of the array into the cache. The amount of time to access each element of the array is
observed by the attacker effortlessly. The most important step within the 3 steps of Meltdown
MELTDOWN AND SPECTRE
Figure 1: Working of Meltdown
(Source: Created by the author)
The processor is convinced to load the secret data with the help of Meltdown.
This access will be eventually blocked by the processor and it will not allow the process to
check the memory or register that is controlled by the attacker. But in step 2, the processor is
convinced by the attacker to index the array that is under control of the attacker using the step
1 data. The timing difference between the array accesses is observed by the attacker to collect
the secret data even though the processor did not load it clearly. Step 2 and Step 3 are
collectively called as side channel attack. Flush reload side channel attack is specifically used
by Meltdown (Kocher et al., 2018). Through the flush operation, the processor cache is
cleared by the vulnerability. The next process is to use the element of the infected array to
trick the processor in using secret data. This allows the processor to load the infected element
of the array into the cache. The amount of time to access each element of the array is
observed by the attacker effortlessly. The most important step within the 3 steps of Meltdown
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7
MELTDOWN AND SPECTRE
mechanism is the first step as it gives the attacker access to the kernel (Fruhlinger, 2018). The
kernel controls the hardware and authenticates which memory is accessed by whom.
The kernel address is computed by Meltdown and it forces the processor to load the
data into a register through speculative execution. When the data is being loaded from the
main memory to the register, it is temporarily saved in the processor’s cache memory. This
data is exploited by the attacker to get access time without proper privileges (O'Donnell et al.,
2018). Sensitive information such as cookies and passwords can be present in the stolen
kernel data. A virtual environment is created by the attacker inside the physical memory
where he or she can move data whenever he or she wants. Hence, the data can be saved in the
cache just like an Oracle Database and used to bypass the standard controls of the operating
systems.
The Countermeasures for Spectre and Meltdown
A complete patch to disable both the vulnerabilities is not possible as they are present
at a hardware level. In spite of this, major vendors such as Google, Apple and Microsoft has
released several patches to address these issues. The KAISER patch which was released for
Linux operating system in 2017 automatically prevented Meltdown but didn’t do much for
mitigating Spectre. Cloud servers are patched first as they are more vulnerable to the attacks
than physical networks. Rendition Infosec has released an organizational strategy which can
protect organizational systems from damage and contains basic guidelines. A good
countermeasure is to keep the browsers updated as Spectre uses JavaScript and browser
plugins to initiate the attack (Information Management, 2018). The operating systems which
will never be patched and will remain vulnerable to the attacks are Windows XP and budget
phones running the older versions of Android. Several patches have been released by
Microsoft for Windows 7 and above. The Edge browsers along with Explorer browsers have
MELTDOWN AND SPECTRE
mechanism is the first step as it gives the attacker access to the kernel (Fruhlinger, 2018). The
kernel controls the hardware and authenticates which memory is accessed by whom.
The kernel address is computed by Meltdown and it forces the processor to load the
data into a register through speculative execution. When the data is being loaded from the
main memory to the register, it is temporarily saved in the processor’s cache memory. This
data is exploited by the attacker to get access time without proper privileges (O'Donnell et al.,
2018). Sensitive information such as cookies and passwords can be present in the stolen
kernel data. A virtual environment is created by the attacker inside the physical memory
where he or she can move data whenever he or she wants. Hence, the data can be saved in the
cache just like an Oracle Database and used to bypass the standard controls of the operating
systems.
The Countermeasures for Spectre and Meltdown
A complete patch to disable both the vulnerabilities is not possible as they are present
at a hardware level. In spite of this, major vendors such as Google, Apple and Microsoft has
released several patches to address these issues. The KAISER patch which was released for
Linux operating system in 2017 automatically prevented Meltdown but didn’t do much for
mitigating Spectre. Cloud servers are patched first as they are more vulnerable to the attacks
than physical networks. Rendition Infosec has released an organizational strategy which can
protect organizational systems from damage and contains basic guidelines. A good
countermeasure is to keep the browsers updated as Spectre uses JavaScript and browser
plugins to initiate the attack (Information Management, 2018). The operating systems which
will never be patched and will remain vulnerable to the attacks are Windows XP and budget
phones running the older versions of Android. Several patches have been released by
Microsoft for Windows 7 and above. The Edge browsers along with Explorer browsers have
8
MELTDOWN AND SPECTRE
been updated as well. Major manufacturers such as AMD has dispatched firmware updates on
January 11th although some of them have been temporarily removed as they were not working
properly (Meltdownattack.com, 2018). Apple has similarly released patches for its operating
systems such as MacOS, tvOS and iOS as well as for it browsers on 3rd January. Google has
released patches for its chrome books too although vulnerability was not assessed for
ChromeOS. On 23rd January, Firefox has also released a patch for its browsers and a beta
version is already available (Support.microsoft.com, 2018).
Management of memory between the application software and the OS needs to be
changed fundamentally to eradicate vulnerabilities from Meltdown completely. A technology
called Kernel Page table isolation (KPTI) is used to prevent loading of data in the caches of a
microchip when a user data is present or running. When an application software asks the
operating system to do something on its behalf, the KPTI immediately gets into action to
prevent such activities. For iOS 10 and above, Apple has issues several patches. Microsoft
has released several patches which use unsupported kernel cells and do not work with third
party programmes. A little amount of memory will be left exposed as the vulnerability is not
software based. Serializing the permission check and the register fetch can prevent the
vulnerability (Lipp et al., 2018). But this will significantly affect the performance of the
systems as it will implement lot of memory overhead to the memory addresses which will
slow down the fetching process.
Creating a hard split between the user space and the kernel space is a proper
countermeasure. With the help of modern kernels, a new kernel bit can be introduced in the
CPU control register. When the hard split bit is introduced, the kernel will be forced to stay in
the upper part of the address which will allow the system to identify an unprivileged memory
fetch. Minimal performance impact is expected (The Verge, 2018). Introducing KAISER is
another counter measure that can be considered. It is a kernel that has been modified to stay
MELTDOWN AND SPECTRE
been updated as well. Major manufacturers such as AMD has dispatched firmware updates on
January 11th although some of them have been temporarily removed as they were not working
properly (Meltdownattack.com, 2018). Apple has similarly released patches for its operating
systems such as MacOS, tvOS and iOS as well as for it browsers on 3rd January. Google has
released patches for its chrome books too although vulnerability was not assessed for
ChromeOS. On 23rd January, Firefox has also released a patch for its browsers and a beta
version is already available (Support.microsoft.com, 2018).
Management of memory between the application software and the OS needs to be
changed fundamentally to eradicate vulnerabilities from Meltdown completely. A technology
called Kernel Page table isolation (KPTI) is used to prevent loading of data in the caches of a
microchip when a user data is present or running. When an application software asks the
operating system to do something on its behalf, the KPTI immediately gets into action to
prevent such activities. For iOS 10 and above, Apple has issues several patches. Microsoft
has released several patches which use unsupported kernel cells and do not work with third
party programmes. A little amount of memory will be left exposed as the vulnerability is not
software based. Serializing the permission check and the register fetch can prevent the
vulnerability (Lipp et al., 2018). But this will significantly affect the performance of the
systems as it will implement lot of memory overhead to the memory addresses which will
slow down the fetching process.
Creating a hard split between the user space and the kernel space is a proper
countermeasure. With the help of modern kernels, a new kernel bit can be introduced in the
CPU control register. When the hard split bit is introduced, the kernel will be forced to stay in
the upper part of the address which will allow the system to identify an unprivileged memory
fetch. Minimal performance impact is expected (The Verge, 2018). Introducing KAISER is
another counter measure that can be considered. It is a kernel that has been modified to stay
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9
MELTDOWN AND SPECTRE
outside the user space and prevents Meltdown by not giving any valid mapping to the kernel
space (physical). Other operating systems have adopted similar approaches. Although the
counter measures are not permanent, it can at least prevent the attack by not allowing kernel
pointers to operate in the user space.
Spectre has two types of variants, namely Variant 1 and 2. Load fences are put around
the kernel to mitigate Variant 1 of Spectre. When a first load is already applied, the
speculation programme is prevented from applying a secondary load to it (HPE, 2018).
Putting minimum and small changes in the kernel source is part of the mitigation technique.
For removing the vulnerabilities associated with Variant 2, the hardware related to branch
predicting is deactivated by the operating system when it checks malicious activities coming
from a software (Leonhard, 2018). The technique is very effective but it decreases the
performance of the system. To counter this issue, the system administrator should be present
who can turn the patches on and off if the system performance suffers. Intel has created a new
set of hardware features that work with the operating system to create virtual fences
protecting the system and the data it contains from speculative execution attack. This
prevents the attackers by keeping them away from any decision making processes entirely so
they cannot influence the task that the application takes. This helps retain the many
advantages of Speculative execution while preventing the vulnerabilities caused by Variant 2
of Spectre.
On January (2018), Intel announced that as a countermeasure they will start shipping
new processors by the end of the year which are not vulnerable to Meltdown as well as
Spectre (Watson et al., 2018). With software changes, the variant 1 of Spectre can be
mitigated and with hardware changes, the variant 2 of Spectre can be mitigated. As part of the
mitigation technique, Intel announced that they have redesigned some portions of the
processor to introduce proper security checks for both the vulnerabilities. Intel also said that
MELTDOWN AND SPECTRE
outside the user space and prevents Meltdown by not giving any valid mapping to the kernel
space (physical). Other operating systems have adopted similar approaches. Although the
counter measures are not permanent, it can at least prevent the attack by not allowing kernel
pointers to operate in the user space.
Spectre has two types of variants, namely Variant 1 and 2. Load fences are put around
the kernel to mitigate Variant 1 of Spectre. When a first load is already applied, the
speculation programme is prevented from applying a secondary load to it (HPE, 2018).
Putting minimum and small changes in the kernel source is part of the mitigation technique.
For removing the vulnerabilities associated with Variant 2, the hardware related to branch
predicting is deactivated by the operating system when it checks malicious activities coming
from a software (Leonhard, 2018). The technique is very effective but it decreases the
performance of the system. To counter this issue, the system administrator should be present
who can turn the patches on and off if the system performance suffers. Intel has created a new
set of hardware features that work with the operating system to create virtual fences
protecting the system and the data it contains from speculative execution attack. This
prevents the attackers by keeping them away from any decision making processes entirely so
they cannot influence the task that the application takes. This helps retain the many
advantages of Speculative execution while preventing the vulnerabilities caused by Variant 2
of Spectre.
On January (2018), Intel announced that as a countermeasure they will start shipping
new processors by the end of the year which are not vulnerable to Meltdown as well as
Spectre (Watson et al., 2018). With software changes, the variant 1 of Spectre can be
mitigated and with hardware changes, the variant 2 of Spectre can be mitigated. As part of the
mitigation technique, Intel announced that they have redesigned some portions of the
processor to introduce proper security checks for both the vulnerabilities. Intel also said that
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10
MELTDOWN AND SPECTRE
micro codes have been enacted in all the products of Intel that have been released in the past
five years (Gibbs, 2018). A permanent counter measure for Spectre is still unavailable.
The Future impacts of Spectre and Meltdown
In the future, cloud providers will be severely affected from Spectre than Meltdown
because Spectre sends data by using a hypervisor to a rogue guest system whereas Meltdown
only obtains personal data from physical memory spaces of the cloud (Engadget, 2018).
In the coming years, the threat from more hardware attacks will increase rather than
attacks which are software based. Intel’s management system recently discovered a new
vulnerability that was similar like Spectre and Meltdown (Knowledge@Wharton, 2018).
These vulnerabilities are unexplored and rather new, hence researchers and intelligence
agencies will try their best to research this new area and possibly find more exploits.
The second impact will arise from requiring a coordinated effort from all the major
manufacturers for designing a patch that works for all microprocessors. Although Intel and
AMD has released their respective patches, it will still take some time for the computer
manufacturers and application vendors to customize the patch so that the user can use them
effectively. This is difficult as keeping the vulnerabilities a secret is a difficult task before the
required patches are released (Design News, 2018). Due to the early announcement of
Spectre and Meltdown, attackers get enough time to devise an attack before the patches are
rolled out safely.
The other future impacts of these vulnerabilities will be that the global infrastructure
consisting of the IoT devices, cars, appliances and smart watches will be affected as well
beside the computers. The cloud providers can be hacked anytime to release personal data
compromising the security system of the infrastructure (dzone.com, 2018). The future design
MELTDOWN AND SPECTRE
micro codes have been enacted in all the products of Intel that have been released in the past
five years (Gibbs, 2018). A permanent counter measure for Spectre is still unavailable.
The Future impacts of Spectre and Meltdown
In the future, cloud providers will be severely affected from Spectre than Meltdown
because Spectre sends data by using a hypervisor to a rogue guest system whereas Meltdown
only obtains personal data from physical memory spaces of the cloud (Engadget, 2018).
In the coming years, the threat from more hardware attacks will increase rather than
attacks which are software based. Intel’s management system recently discovered a new
vulnerability that was similar like Spectre and Meltdown (Knowledge@Wharton, 2018).
These vulnerabilities are unexplored and rather new, hence researchers and intelligence
agencies will try their best to research this new area and possibly find more exploits.
The second impact will arise from requiring a coordinated effort from all the major
manufacturers for designing a patch that works for all microprocessors. Although Intel and
AMD has released their respective patches, it will still take some time for the computer
manufacturers and application vendors to customize the patch so that the user can use them
effectively. This is difficult as keeping the vulnerabilities a secret is a difficult task before the
required patches are released (Design News, 2018). Due to the early announcement of
Spectre and Meltdown, attackers get enough time to devise an attack before the patches are
rolled out safely.
The other future impacts of these vulnerabilities will be that the global infrastructure
consisting of the IoT devices, cars, appliances and smart watches will be affected as well
beside the computers. The cloud providers can be hacked anytime to release personal data
compromising the security system of the infrastructure (dzone.com, 2018). The future design
11
MELTDOWN AND SPECTRE
of microprocessors will be affected as well. As the total cost of the implementation of new
devices will be significantly large, small scale businesses which handle sensitive data will
suffer (TechRepublic, 2018). In the future, more side channel attacks will follow and an
appreciation for designing a secure system (by the researchers) to erase speculative execution
will improve significantly.
Conclusion
To conclude the report, it can be stated that with the discovery of side channel attacks
to extract sensitive data, hardware and software design systems will evolve in the coming
years. For the individuals using personal computers the implication of the vulnerabilities will
be significant. Depending on the specification of the workload and the hardware, the
performance impact on the machines will be significant as well. The desktop users will be
severely affected as Spectre normally uses browser plugins to access the user data with
JavaScript. In the future, researchers may be able to unravel new exploits that are not covered
under the mitigation strategies. The vulnerabilities need to be confirmed independently by the
researchers who can assign the same project to different teams and analyse the final results.
Moreover, the vulnerabilities may not get patched completely as they are hardware specific.
Researchers are still trying their best to change the operating system totally so that the user
code will be unable to access the kernel memory. To reduce the exposure risk, some
manufacturers are even considering implementing a BIOS modification to their devices. The
short term mitigation strategies which will be effective for now are to patch the firmware of
the devices as well as their respective operating systems. Amazon AWS and Microsoft Azure
(two renowned cloud providers) are the most vulnerable to these attacks as the attacks can be
remotely executed from one user to the next. The users need to be careful as well as the
malicious code needs to be executed in the user’s machine so the attacker has to be physically
MELTDOWN AND SPECTRE
of microprocessors will be affected as well. As the total cost of the implementation of new
devices will be significantly large, small scale businesses which handle sensitive data will
suffer (TechRepublic, 2018). In the future, more side channel attacks will follow and an
appreciation for designing a secure system (by the researchers) to erase speculative execution
will improve significantly.
Conclusion
To conclude the report, it can be stated that with the discovery of side channel attacks
to extract sensitive data, hardware and software design systems will evolve in the coming
years. For the individuals using personal computers the implication of the vulnerabilities will
be significant. Depending on the specification of the workload and the hardware, the
performance impact on the machines will be significant as well. The desktop users will be
severely affected as Spectre normally uses browser plugins to access the user data with
JavaScript. In the future, researchers may be able to unravel new exploits that are not covered
under the mitigation strategies. The vulnerabilities need to be confirmed independently by the
researchers who can assign the same project to different teams and analyse the final results.
Moreover, the vulnerabilities may not get patched completely as they are hardware specific.
Researchers are still trying their best to change the operating system totally so that the user
code will be unable to access the kernel memory. To reduce the exposure risk, some
manufacturers are even considering implementing a BIOS modification to their devices. The
short term mitigation strategies which will be effective for now are to patch the firmware of
the devices as well as their respective operating systems. Amazon AWS and Microsoft Azure
(two renowned cloud providers) are the most vulnerable to these attacks as the attacks can be
remotely executed from one user to the next. The users need to be careful as well as the
malicious code needs to be executed in the user’s machine so the attacker has to be physically
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 16
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.