Spectre and Meltdown

Context:

  • As serious security issues have been discovered with processors, tech companies have been trying to fix them. Intel’s processors are the worst affected with almost all the chips manufactured post-1995 at risk of an attack.

What happened?

  • On January 4, 2018, researchers from Google’s Project Zero team reported that they discovered serious security flaws which affected processors built by Intel and other chipmakers.
  • These flaws could allow hackers to steal data from as far back as 1995.

What are Spectre and Meltdown?

  • Meltdown could allow hackers to circumvent the hardware barrier between applications run by users and the computer’s core memory. It is named ‘Meltdown’ because the “vulnerability basically melts security boundaries which are normally enforced by the hardware,” states the official website hosted by the Graz University of Technology. “This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”
  • Spectre can cause applications to be tricked into giving up secret information. Spectre’s name comes from the phrase ‘speculative execution.’

What was the issue?

  • Tech companies usually withhold information about security issues until they have a fix to deter hackers from exploiting them. In this case, Intel had to disclose the flaw after British technology site The Register reported it. Intel’s stock fell, and the company admitted to the existence of the flaw.
  • One of the researchers who found the flaw said that it is “probably one of the worst CPU bugs ever found.”

Who found it?

  • Meltdown was independently discovered and reported by three teams — Jann Horn from Google Project Zero; Werner Haas and Thomas Prescher from Cyberus Technology; Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology.
  • Spectre was independently discovered and reported by two people — Jann Horn from Google Project Zero); Paul Kocher in collaboration with Daniel Genkin from University of Pennsylvania and University of Maryland, Mike Hamburg from Rambus, Moritz Lipp from Graz University of Technology, and Yuval Yarom from University of Adelaide and Data61.

What have tech companies done?

  • Google has issued patches to fix the flaws on their devices. Users of Android OS on devices not manufactured by Google still have to wait for fixes. Apple has issued a security update. Cloud services such as Amazon Web Services and Google’s Cloud Platform have said that they are in the process of patching systems.

Source:TH

Leave a Reply