Computer security: Meltdown and Spectre
Page 1 of 1
Computer security: Meltdown and Spectre
Cutekitty Sun Jan 07, 2018 10:28 pm
I originally posted this on Facebook for friends and offline acquaintances, but I'll post it here as well. Just in case you all haven't heard.
It's not something to panic and run from the Internet over, but it's probably best to be aware of this.
----
For those of you who have heard about the Meltdown and Spectre exploits, check out this xkcd comic (if you haven’t yet):
https://xkcd.com/1938/
For those of you who don’t know what I’m talking about, check out the comic anyway, as it’s both hilarious and fairly accurate, but also read on here:
In essence, some people have discovered these two related security vulnerabilities that affect all computers that use Intel processors (which is… um. The vast majority, I believe). AMD chips (and others) have limited, but nonzero, vulnerability. Operating systems such as Mac, Linux, and Windows are coming up with various security patches to help address this, so keep your eyes open for updates. Also check how the updates may affect your computer’s performance and weigh performance against security, and consider how vulnerable your processor is in the first place, before installing.
Both Meltdown and Spectre are methods of exploiting something called “speculative execution.” Speculative execution is when a computer predicts what it might need to do next and prepares the results in advance; if it turns out those results are unneeded, it will simply discard them. This speeds up processing because instead of having to wait for needed information and leave pipelines idle (think of a pipeline as a single thread of logic or sequential computation), it can keep more pipelines running and have instructions executed ahead of time. Processors can only go so fast due to physical constraints (processors comprise a bunch of gates—just picture a bajillion “yes/no” switches that have to go one way or the other, and charges have to move), so keeping more of the processor active and preparing whatever it can ahead of time helps to work around that limitation.
That’s a brief, and probably not very clear, summary. There’s a more detailed explanation here that I like:
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
It reviews different types of processors and provides examples of speculative execution with Python code. It goes into technical detail but stays nicely readable.
There’s a bunch of stuff the computer kernel (the logical “heart” of the machine) computes that not just anyone is supposed to see. This includes, in many cases, sets of instructions prepared and stashed by speculative processors. Meltdown and Spectre access these speculations and use them to find information that guest users really shouldn’t be able to obtain.
Here’s a webpage that explains these two exploits:
https://meltdownattack.com/
And here’s an article that also discusses Meltdown and Spectre and their ramifications:
https://gizmodo.com/what-we-know-so-far-about-meltdown-and-spectre-the-dev-1821759062
The news and explanatory links (xkcd aside) came from my coworkers exploding the work chat earlier this week. (Thanks, coworkers, you are awesome and very, very useful. I wouldn't have heard about this otherwise.)
Here’s another article that’s just a couple of days old, so a bit more recent:
http://www.zdnet.com/article/how-the-meltdown-and-spectre-security-holes-fixes-will-affect-you/
Also, for some more information about what various platforms and hardware companies are doing about this:
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
The main takeaway here is be careful with JavaScript web applications, which could potentially execute these exploits, and keep track of this issue. But your laptop isn’t about to spontaneously combust and litter the world with your confidential information. Apply some common sense and stay away from shady corners of the Internet, as per usual. AdBlock is your friend. And again, check for updates—both OS and browser.
I never studied CS or software engineering formally. I have been picking up some knowledge of computer internals and database software at work, and I’ve been working for just the past year and a half. So, if anybody has anything to add or quibbles with/corrections for anything I’m saying here, feel free to leave a comment so I and other people can learn more. Thanks!
Anyway, just thought you ought to know.
It's not something to panic and run from the Internet over, but it's probably best to be aware of this.
----
For those of you who have heard about the Meltdown and Spectre exploits, check out this xkcd comic (if you haven’t yet):
https://xkcd.com/1938/
For those of you who don’t know what I’m talking about, check out the comic anyway, as it’s both hilarious and fairly accurate, but also read on here:
In essence, some people have discovered these two related security vulnerabilities that affect all computers that use Intel processors (which is… um. The vast majority, I believe). AMD chips (and others) have limited, but nonzero, vulnerability. Operating systems such as Mac, Linux, and Windows are coming up with various security patches to help address this, so keep your eyes open for updates. Also check how the updates may affect your computer’s performance and weigh performance against security, and consider how vulnerable your processor is in the first place, before installing.
Both Meltdown and Spectre are methods of exploiting something called “speculative execution.” Speculative execution is when a computer predicts what it might need to do next and prepares the results in advance; if it turns out those results are unneeded, it will simply discard them. This speeds up processing because instead of having to wait for needed information and leave pipelines idle (think of a pipeline as a single thread of logic or sequential computation), it can keep more pipelines running and have instructions executed ahead of time. Processors can only go so fast due to physical constraints (processors comprise a bunch of gates—just picture a bajillion “yes/no” switches that have to go one way or the other, and charges have to move), so keeping more of the processor active and preparing whatever it can ahead of time helps to work around that limitation.
That’s a brief, and probably not very clear, summary. There’s a more detailed explanation here that I like:
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
It reviews different types of processors and provides examples of speculative execution with Python code. It goes into technical detail but stays nicely readable.
There’s a bunch of stuff the computer kernel (the logical “heart” of the machine) computes that not just anyone is supposed to see. This includes, in many cases, sets of instructions prepared and stashed by speculative processors. Meltdown and Spectre access these speculations and use them to find information that guest users really shouldn’t be able to obtain.
Here’s a webpage that explains these two exploits:
https://meltdownattack.com/
And here’s an article that also discusses Meltdown and Spectre and their ramifications:
https://gizmodo.com/what-we-know-so-far-about-meltdown-and-spectre-the-dev-1821759062
The news and explanatory links (xkcd aside) came from my coworkers exploding the work chat earlier this week. (Thanks, coworkers, you are awesome and very, very useful. I wouldn't have heard about this otherwise.)
Here’s another article that’s just a couple of days old, so a bit more recent:
http://www.zdnet.com/article/how-the-meltdown-and-spectre-security-holes-fixes-will-affect-you/
Also, for some more information about what various platforms and hardware companies are doing about this:
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
The main takeaway here is be careful with JavaScript web applications, which could potentially execute these exploits, and keep track of this issue. But your laptop isn’t about to spontaneously combust and litter the world with your confidential information. Apply some common sense and stay away from shady corners of the Internet, as per usual. AdBlock is your friend. And again, check for updates—both OS and browser.
I never studied CS or software engineering formally. I have been picking up some knowledge of computer internals and database software at work, and I’ve been working for just the past year and a half. So, if anybody has anything to add or quibbles with/corrections for anything I’m saying here, feel free to leave a comment so I and other people can learn more. Thanks!
Anyway, just thought you ought to know.
Last edited by Cutekitty on Sun Jan 07, 2018 10:57 pm; edited 3 times in total
Cutekitty- Posts : 478
Join date : 2011-03-25
Age : 30
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum