It has not been the happiest start to 2018 for the IT industry.
Security researchers from Google’s Project Zero published a detailed paper identifying a flaw in the design of every modern microprocessor that could be exploited to gain privileged access to a computer’s memory.
Not since Stuxnet in 2010 has the IT world been so disrupted. At that time, researchers showed how everything from lifts and building systems to electricity grids, banking networks and nuclear power stations could be directly compromised.
It has been known for two decades that electronic devices such as microprocessors have tell-tale signatures that can be exploited. Security researcher Paul Kocher published a paper in 1996 describing such a risk, known as a side-channel attack. He said the time it takes for a microprocessor instruction to run can be used to reverse engineer cryptographic keys, such as RSA tokens.
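The effect Kocher described can be seen without a stopwatch. The sketch below is an added example, not code from Kocher's paper or from this article: it counts modular multiplications as a stand-in for running time, and its function names and toy values are constructed for illustration.

```python
# Added illustration. Multiplication counts stand in for running time so the
# result is deterministic; all names and values here are constructed.
MODULUS = 2**61 - 1      # toy modulus, far too small for real RSA
BASE = 65537             # toy message value
WIDTH = 16               # every sample exponent is exactly 16 bits long


def square_and_multiply(base, exponent, modulus):
    """Textbook exponentiation: the extra multiply runs only for 1 bits."""
    result, ops = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        ops += 1
        if bit == "1":                      # secret-dependent work
            result = (result * base) % modulus
            ops += 1
    return result, ops


def montgomery_ladder(base, exponent, modulus, width=WIDTH):
    """Ladder: two multiplications per bit whichever way the bit goes."""
    r0, r1, ops = 1, base % modulus, 0
    for i in reversed(range(width)):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        ops += 2
    return r0, ops


def work_profile(exponents):
    """Return (exponent, count of 1 bits, naive ops, ladder ops) per key."""
    rows = []
    for e in exponents:
        naive_value, naive_ops = square_and_multiply(BASE, e, MODULUS)
        ladder_value, ladder_ops = montgomery_ladder(BASE, e, MODULUS)
        assert naive_value == ladder_value == pow(BASE, e, MODULUS)
        rows.append((e, bin(e).count("1"), naive_ops, ladder_ops))
    return rows


if __name__ == "__main__":
    for e, ones, naive_ops, ladder_ops in work_profile([0x8001, 0xA5A5, 0xFFFF]):
        print(f"key={e:#06x} one-bits={ones:2d} naive={naive_ops} ladder={ladder_ops}")
```

With the textbook routine the work tracks the number of 1 bits in the key, which is the signal a timing attack measures, while the ladder does the same work for every key of a given length. Production code also replaces the ladder's remaining branch with constant-time selection.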
The security team that discovered Meltdown said they were able to leak secure information at a rate of 503Kbps with an error rate of 0.02%. In other words, their proof-of-concept exploit of the flaw could get at information almost 100% of the time. Because it is a hardware exploit, it works on Windows, Linux and containers such as Docker.
Luckily, Meltdown can be patched – but Spectre requires a generation of secure processors.
The patches issued across the industry are just that. They are patches; they do not fix the fundamental problem that the microprocessor is broken. The ingenious techniques applied by microprocessor designers to extract maximum performance from every processor invented since 1995 can be used to leak secure information. Everyone will need to upgrade, but this will take years. In the meantime, the patches and hot fixes may have some detrimental effect on the performance of all our IT systems.