How early were Spectre and Meltdown discovered?


By Allison Berke, Executive Director of the Stanford Cyber Initiative.

Spectre and Meltdown, vulnerabilities in computer processors that were revealed at the beginning of January, are so widespread that they serve as a metaphor for our large-scale cybersecurity problems. These problems result from a period of digital maximalism, when everything that could be brought online was, with little regard to the potential downsides of universal connectivity. The vulnerabilities take advantage of speculative execution, a clever trick in which a processor runs instructions ahead of time, before it knows whether they will be needed, and then use cache timing side channels to recover the contents of memory that the running program was never permitted to read. Speculative execution has been so widely adopted that roughly two decades’ worth of devices are affected. Although patches have been released, the long tail of non-compliant or hard-to-patch devices that makes botnets hard to eradicate will enable this threat to stick around for a long time. Companies that track the popularity and usage of vulnerabilities, like HP and Microsoft, continually find that some of the most exploited bugs are five- or ten-year-old flaws with patches available for equally as long. Hackers won’t invent something new if they can get into a system with something old.

Exactly how new Spectre and Meltdown are, though, is difficult to determine. The vulnerabilities were discovered more or less simultaneously by three independent groups of researchers, and disclosed privately to Intel and other parties directly involved in June 2017. Simultaneous discoveries have happened before, both in cybersecurity and in other realms of technology (in a famous example, Newton and Leibniz simultaneously and independently formalized calculus). Researchers talk to one another, build off of other current discoveries, and are guided by the priorities of their community. On the other hand, three groups coming upon the same flaw within weeks of one another opens up the possibility that others had discovered it even earlier and failed to disclose it, potentially to save the vulnerability for their own exploitation. The disclosure process followed by the U.S. government (the Vulnerabilities Equities Process), which is similar to other nations’, does not mandate disclosure. This is particularly troubling where vulnerabilities serve a national security interest: that is, where they can fruitfully be exploited in the computers of military or espionage targets.

It’s hard to determine the probability of simultaneous bug discovery when even the unknowns are unknown. The total number of bugs in a piece of software, for example, and the number of bugs discovered but not reported are both statistics that are unknowable for any real-world system. Simultaneous bug discovery sometimes indicates that the vulnerability is simple to exploit, or is a variation on a broader category of vulnerability that has already been discovered. Neither is the case for Spectre and Meltdown. So there is a non-zero chance that an unscrupulous hacker, or a group of state-sponsored ones, had already discovered some type of speculative execution vulnerability prior to the disclosure of Spectre and Meltdown.

Given the prestige of finding a vulnerability like this, and the fact that there are easier ways to get most victims’ passwords than reading them a byte at a time out of kernel memory through a cache side channel, if someone did make the discovery earlier, it is more likely to have been a state-sponsored group than a rogue individual hacker. And if a state-sponsored group of hackers had discovered a widespread and damaging vulnerability like Spectre and Meltdown, how would we know? Such an exploit would likely be used selectively, making its use even more difficult to identify, since the overall patterns of traffic from known hacker groups wouldn’t significantly differ. If we saw a decrease in malware that targeted a specific and fruitful process or device, we could guess that the group had shifted its operations to make use of a new exploit with the same target as part of a new piece of malware. Similarly, the activation of a honeypot or canary (a trap built into a network, designed to be attractive to hackers and to sound an alarm when it is breached) could be the first indication of the use of a new vulnerability.

Interestingly for Spectre and Meltdown in particular, while many commonly-used processors are affected, some aren’t. AMD processors are not vulnerable to Meltdown, and ARM’s simpler in-order cores, which are found in many Android and embedded devices, are unaffected by both attacks; Meltdown itself reaches only a single ARM core, the Cortex-A75, although the high-performance ARM cores in most phones are vulnerable to at least one Spectre variant. During the period of time after initial disclosure and before widespread publication of the vulnerabilities, an analysis of unusual uptake of unaffected processors, or of devices using them, in combination with a shift away from devices using affected processors, could serve as an indication that the vulnerability had been discovered by another group. Suppliers with known government contracts may be wary of platform shifts that don’t appear to follow performance trends or version release dates; these could indicate a vulnerability in the discarded platform that is unknown to the supplier. For example, the NSA prohibited employees from using Kaspersky software years before the general public were warned about the risks of using it.

Not only the total number of bugs, but also the size and relative importance of those bugs, are unknown unknowns within a given device or piece of software. Rather than seeing the realm of existing but undiscovered bugs as an overfished ocean, it’s better to think of it as an ocean trench. There are small curiosities at every layer, but there can also be behemoths, in previously unexpected shapes.

FSI Stanford
The Freeman Spogli Institute for International Studies is Stanford’s premier research institute for international affairs. Faculty views are their own.