In a Nutshell… ‘The Great Processor Flaw: Meltdown and Spectre’

No time to read? Don’t worry, you can listen to this article here on NOA.

“‘Speculative execution’ improves the speed of programmes and applications by allowing them to anticipate some of the tasks that they may be required to do, ahead of time”

One way in which rival processor companies differentiate themselves is speed. But as they raced against each other to capture market share in the laptop, smartphone, and cloud computing spaces they threw caution to the wind in one critical area; security.

In June 2017, a team of researchers at Google’s Project Zero discovered two security vulnerabilities caused by “speculative execution”, a technique employed over the past decade by most processing chips (CPUs) to improve performance.

CPUs (often referred to simply as processors or chips) are the brains of computing devices — from laptops, desktops and smartphones to servers and cloud computers.

Speculative execution improves the speed of programmes and applications by allowing them to anticipate some of the tasks that they may be required to do, ahead of time. The main idea is that the programme makes an educated guess about the work that is likely to be required very soon, so as to prevent a delay. In order to do so, however, programmes must be provided with access to data stored in the operating-systems private memory before it is actually needed. The vulnerabilities stem from the ability of hackers to create software that can then read this otherwise inaccessible data after the programme has called on it. Depending on the programme, this data could include login passwords, encryption keys, credit card numbers, or other sensitive information.

The two security flaws have been dubbed “Meltdown” and “Spectre”. Meltdown relies on a single programme to read the users sensitive information, but can be addressed using software updates. Spectre on the other hand makes it possible for a programme to access data in a separate programme running on the chip, making it far more difficult to fix with a single solution. While not ideal, the best defence from hackers relying on the Spectre vulnerability may be restricted to detection, as opposed to prevention. The only sure way to alleviate the security risk is to replace the machine or device — a costly endeavour for firms.

The flaws, which were first reported by tech news site The Reporter on Tuesday January 2nd, 2018, affect chips supplied by the three major manufacturers; Intel, AMD and Arm Holdings. Google had originally planned a coordinated disclosure of the full Project Zero report on Tuesday January 9th, 2018, but said it had been working with both hardware and software companies to mitigate the risks over a number of months.

***

This article is also available over audio on NOA, along with a wide selection of professionally narrated articles covering The Great Processor Flaw from Bloomberg and The Financial Times.