Security MEA speaks with Sunil Bhide, Vice President and Business Head – SOC at Paladion about the latest discovery of flaws in the world of processors that can have a substantial impact.
What has been the extent of impact of the Meltdown and Spectre CPU flaws?
The recently discovered Meltdown and Spectre CPU flaws identifies security risks found in processors designed by Intel, AMD and ARM.
- Meltdown impacts all Intel processors manufactured since 1995 (excluding Itanium server chips and Atom processors) as well as ARM Cortex A75 core.
- Spectre affects most modern processors made by Intel, AMD and ARM.
Effectively, both are expected to impact everything from smartphones, PC’s to cloud computing. However, a substantial portion of current mid-range Android handsets use ARM Cortex A53/55 – both of which are not impacted by the flaws.
Due to this security issue, what according to you is the scope of impact?
Meltdown and Spectre will have significant impact on cloud-based services. Meltdown allows unauthorized applications to read from privileged memory from other processes running on the same cloud server; and Spectre allows malicious programs to abuse hypervisors to transmit the data to a guest system running on top of it
In case of Meltdown, applications that are heavily dependent on user programs and which don’t call the kernel often will see very little impact; games, for example, should see very little change. But, applications that call into the operating system extensively, typically to perform disk or network operations, will see substantial impact. In synthetic benchmarks that do nothing but make kernel calls, the difference can be substantial, dropping from five million kernel calls per second to two-to-three million.
Spectre attacks can be used both to leak information from the kernel to user programs, and also from virtualization hypervisors to guest systems.
The available patches are expected to impact systems by potentially slowing down processing power by anywhere between 5%- 30%. For time critical and data intensive businesses e.g. Financial services and Banking domain, this might mean inability to finish large overnight computation batches before the start of a trading day.
Which areas of computing does this flaw affect?
These flaws primarily impact the CPU (as majority of CPUs since late 1990s until early 2018 contains the flawed design), operating systems (as most OSes use privilege levels and virtual memory mappings and these vulnerabilities are designed to abuse all information and processes that are memory mapped), virtual machines and embedded devices.
What needs to be done to mitigate the risks involved?
Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. This is referred to as kernel page-table isolation (KPTI).
Out of these two vulnerabilities, Meltdown is easy to mitigate. Recently, OS vendors including Microsoft, Apple and various Linux distros have released patches to provide protection against Meltdown attacks. Microsoft has also provided PowerShell scripts to validate or determine the status of the patch level.