Spectre and Meltdown - what the Tech Titans dont want you to know

Leonardtown, MD - In late November of 2017 Thomas Prescher a former senior Intel engineer, in his hotel room in Dresden, Germany exclaimed, "It can’t be true, it can’t be true." Prescher had spent half the night working on code which led him to the discovery that what many of his colleagues across the tech industry were speculating was true

Last week, his worst fears were proven right when Intel, one of the world’s largest chip makers, said all modern processors can be attacked by techniques dubbed Meltdown and Spectre, exposing crucial data, such as passwords and encryption keys. The biggest technology companies, including Microsoft Corp., Apple Inc., Google and Inc. are rushing out fixes for personal computers, smartphones and the servers that power the Internet

Prescher was one of at least 10 researchers and engineers working around the globe--sometimes independently, sometimes together--who uncovered Meltdown and Spectre.

Interviews with several of these experts reveal a chip industry that, while talking up efforts to secure computers, failed to spot that a common feature of their products had made machines so vulnerable.

All processor makers have tried to speed up the way chips crunch data and run programs by making them guess. Using speculative execution, the microprocessor fetches data it predicts it’s going to need next.

Spectre fools the processor into running speculative operations--ones it wouldn’t normally perform--and then uses information about how long the hardware takes to retrieve the data to infer the details of that information. Meltdown exposes data directly by undermining the way information in different applications is kept separate by what’s known as a kernel, the key software at the core of every computer.

"That would be such a major f*ck-up by Intel that it can’t be possible," one researcher recalled saying. So the team didn’t dedicate much time to it.

By November, Microsoft, Amazon, Google, ARM and Oracle Corp. were submitting so many of their own Linux updates to the community that more cybersecurity researchers began to realize something big--and strange--was happening.

A group of 10 researchers coalesced and kept in touch via Skype every two days. “It was a lot of work on Christmas. There wasn’t a single day where we didn’t work. Holidays were canceled," one said. 

Their public security updates soon attracted the attention of The Register, a U.K.-based technology news site, which wrote a story on Jan. 2 saying Intel products were at risk.

Usually, flaws and their fixes are announced at the same time, so hackers don’t quickly abuse the vulnerabilities. This time, the details emerged early and patches weren’t ready. That led to a day and a night of frantic activity to arrange what all the companies would say in unison.

Intel put the statement out at 12 p.m. Pacific Time Jan. 3 and held a conference call two hours later to explain what it said was a problem that could impact the whole industry. Underlining the panic that spread following the announcement, Intel had to follow up with calming statements. The next day, the company said it had made "significant progress" in deploying updates, adding that by the end of this week 90 percent of processors made in the last five years will have been secured.

Steve Smith and Donald Parker, the two Intel executives questioned on the call, argued things progressed in the measured way that Intel approaches any report of a threat to its technology. The difference this time was that their work ended up "in the spotlight,” according to Smith. They would have preferred to complete the work in secret.

Indeed, Intel’s reticence rankled some outside researchers. The company operates on a need-to-know basis, said Cyberus’s Haas, who worked at Intel for about a decade. "I’m not a huge fan of that."

“Our first priority has been to have a complete mitigation in place,” said Intel’s Parker. “We’ve delivered a solution.”

Some in the cybersecurity community aren’t so sure. One of the researchers who helped discover Spectre, thinks this is just the beginning of the industry’s woes. Now that new ways to exploit chips have been exposed, there’ll be more variations and more flaws that will require more patches and mitigation.

"This is just like peeling the lid off the can of worms," he said.

For in depth technical information follow these links

Link one

Link two

This article is based on research performed by Bloomberg Technology — With assistance by Mark Bergen, and Dina Bass

Around the Web


0 Comments Write your comment

    1. Loading...