This past month the cyber security community has been buzzing about a major exploit just discovered in most processors. You might have heard about it in the news. There are actually two problems at hand here, somewhat related, called Meltdown and Spectre. I was made aware by this article in The New York Times. Slightly frustrated by their lack of detail of what exactly the problems were, I was brought to this article by The Register. Most of this article is speculation, but what it does provide is a great understanding of how processors by most providers. What it fails to provide still is a clear answer to what Meltdown and Spectre are.
Okay, that's fine. We all have had to do some google fu. Let's start by searching for.... you guessed it. Meltdown and Spectre.
To put simply, this is a hardware vulnerability affection all Intel x86 and ARM-based microprocessors. Said vulnerability allows a rogue process to read all memory, even when its not authorized to do so. Yes, all data, including passwords, login keys, files cached from disk, the list can go on.
Spectre is a software vulnerability which takes advantage of something known as speculative execution. I'll leave it to the article linked previously by CNET to explain the impact of this.
To make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That's called speculative execution. As the chip guesses, that sensitive information is momentarily easier to access.
This vulnerability leaves attackers the ability to trick processors into starting the speculative execution to retrieve secure information.
Who does this impact?
Everyone. Well okay, not everyone, but if you have an Intel x86 or ARM-based microprocessor then you are exposed. This include cloud services like Amazons, Googles, and the like. Fortunately the fix for Spectre is simple. The microprocessing providers have rushed out patches to fix this. The downside is that without speculative execution your processing time goes up by as much as 30%.
What about Meltdown? Unfortunately because this is a hardware related issue this might take many years to fix.
I encourage you to read more about the topic if you are interested, the links I provided go into much better detail than I ever could. The cnet link (provided again here) even has links to academic papers in the first paragraph hyperlinked to their respective names.
When I had started this blog I had planned on writing on Meltdown and Spectre, the impact, how to fix them, but then something caught my attention. Everyone was talking about the impact of Meltdown and Spectre, but no one was talking about how these vulnerabilities were discovered.
In comes Jann Horn, a 22 year old Google Cyber security researcher. You read that right, twenty-two.
Horn discovered these vulnerabilities by simply reading the Intel Corp. processor manuals. His intention was to make sure his code could be handled by his hardware. Particularly he was interested in the aspect of speculative execution. One question led to another and now we have the next celebrity in the cyber security world.
Keep your eyes out for Jann Horn, because he is the future.