eWhite House Watch - Full Article

Meltdown & Spectre: NSA and Cyber Experts React to Intel Processor Chip Vulnerabilities

By: Angela M. Cooper

1/17/2018

 

Recent news has sent Intel stock dropping and cyber-threat analysis upgrading the threat level. The ‘Intel chip’ vulnerability, which allows personal data to be accessible on devices using Intel chips, has been evolving through recent updates. It now includes more than just Intel chips, unlike the original reports seem to indicate. The vulnerability may have been characterized as an ‘Intel’ issue, but it is not limited to Intel’s processor chips. Indeed, the vulnerability is for most processor chips found in most computing devices. Different processors, including AMD and ARM, may have varying levels of vulnerability and are currently under review.

 

Intel, who had planned to publicize the vulnerabilities before the media reports released the information, has stated that they were made aware of security research that implicated the chips. Separate research teams independently discovered and reported two similar but distinct vulnerabilities, Meltdown and Spectre, to Intel. On the joint-researcher’s informational website, the teams thank Intel for awarding them bug bounties, a reward for researchers and ‘hackers’ when they report vulnerabilities. Currently there are no reports of these exploits being used.

 

Meltdown and Spectre come from the ability for bad actors to use software programs to access and gather, but not edit or destroy, sensitive data. Specifically, the vulnerabilities can allow a program to access the data stored in the memory of other programs or the operating system running on your device. This occurs because of the way processor chips are designed and how they organize and handle their operations. Meltdown occurs between the user programs and the operating system; while Spectre occurs between different applications. The researcher’s website explains the difference:

 

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

 

The exploits are working to engage a vulnerability in the ‘kernel’, a portion of your operating system that acts as an intermediary between your computer programs, the hardware of the device (including processor, memory, keyboard, device buttons, cameras), and the permissions each has. Because of the kernel’s importance for so many things in your computer, the faster it can perform the better your computer will run. Paul Kocher, one of the researchers who discovered Spectre, interviewed with Scientific American and explained that:

 

“[c]hipmakers protect the kernel by isolating it from other programs running on the computer, unless those programs are given specific permission—or “privilege”—to access the kernel. Meltdown dissolves that isolation, potentially letting an attacker’s malicious software breach the kernel and steal whatever information it finds there—including personal data and passwords. Spectre impairs the kernel’s ability to stop a malicious program from stealing data from other software that uses the processor.”

 

Indeed, Mr. Kocher identifies that the reason this was compromised was due to the optimizations processor chips were using to speed up the computer. Specifically, the concept of ‘speculative execution’ which allows a processor to speculate on future actions instead of waiting for the work to be chosen and pre-process that work. When that happens, the computer will already have much of the selected work done and there will be little delay for the user. This form of processing has been used in all modern Intel processors. Researchers successfully deployed the exploit on chips as old as 2011, and many other processors (ARM somewhat, Apple, and AMD the least, if at all) to varying degrees. For more information from a technical perspective, the researcher’s website has a 16-page research paper for each vulnerability that explains the technical aspects in detail and Paul Kocher’s full statement to Scientific American can be accessed here.

 

Meltdown is the easier vulnerability to exploit and gives immediate access to more data, but is also easier to patch since it targets the operating system. Spectre however, gives access to data at a greatly reduced amount requiring more time and effort to obtain each piece of data, but will be a harder fix. While Meltdown patches have already been released for the big operating systems, Spectre is a hardware issue and will take time, possibly new hardware, and user diligence to defend against. Even the Meltdown patch is not a cure-all, the exploit is targeting one of the methods to optimize computer processing so the patches will impact computer speed and responsiveness. Part of the current solution includes slowing down the computer’s processing.

 

The National Security Agency (NSA), an executive agency, has specifically commented about their knowledge and deployment of Meltdown and Spectre by stating that they have not used the vulnerabilities in any operations. Additionally the NSA brought up their ‘Vulnerabilities Equities Process’ (VEP) which are guidelines for the NSA to determine what should be reported to companies about the ability for an actor to breach their devices or software and what they can keep secret. However, the concern of Meltdown and Spectre is not limited to just the NSA, all executive agencies will need to analyze and take measures to protect their systems in light of this vulnerability. Many devices employed, and handling sensitive personal data, are going to have to be patched and monitored. Indeed, this brings up previous described logistical concerns for a wide range of agencies and government functions; specifically, it brings to mind retired Brigadier General Gregory Touhill’s, the first chief information security officer of the U.S, recommendation for a centralized IT agency.

 

The wider ramifications of these vulnerabilities have yet to become crystalized. Processing chips may have to be redesigned to reach peak optimization without this level of security flaws. We have yet to have reports that the vulnerability is being deployed by bad actors, but that does not limit the necessity for people to be actively seeking patches and monitoring banking information. An article by Peter Bright on ArsTechnica has been tracking the actions and reports of major company stakeholders, including Intel, Microsoft, ARM, Amazon, AMD, Google, and Apple; this is a good place to get specific information and official statements about devices and services you use.

Leave a Reply