Posted by Taylor Armerding on Monday, July 16th, 2018
It’s now more than six months since the major design flaw in computer chips labeled Spectre became public. And as predicted, it is still haunting the world of information technology.
That’s largely because, as experts explained at the time, Spectre is not a software bug that can be fixed by rolling out a patch or update. This flaw is in hardware—the chip or CPU (central processing unit), which is frequently called the “brain” or “spinal cord” of a computer, smartphone, or any other digital device.
It is a flaw that, when exploited, can enable the theft of sensitive corporate or personal information.
And a long-term fix for a design flaw isn’t a matter of weeks, or even months—the CPU refresh cycle is five years or more. So the only options are workarounds—patches that do improve security but also tend to slow down processing. Which is another problem, since the feature everybody most wants from their devices is speed.
Bottom line: Spectre is likely to be with us for some time.
I’ll be hosting a webinar on Wednesday, July 25, at noon EDT to talk a bit about that, and about what’s happened since Google’s Project Zero made a public announcement about Spectre on Jan. 3 (the team discovered it on June 1, 2017). You can register here: It’s free!
This webinar is aimed at those who don’t have a technical background—which is most people. While it takes considerable technical skill to understand in depth what’s wrong, why, and how to confront a potentially catastrophic problem, it is possible for the rest of us to understand the general principles. We all are, after all, potential targets.
So we will look at what Spectre is and isn’t. We’ll talk about terms many people had never heard before—“speculative execution” and “cache timing attack,” anyone? We’ll discuss how attackers can exploit Spectre to collect your sensitive information, and we’ll look at developments, both positive and negative, since January.
In brief, it is clear that things are not hopeless—there are ways to work around it. As soon as Spectre became public, everybody from the major players, like Google, Apple, and Microsoft, to smaller developers and manufacturers began rolling out updates to operating systems and browsers, plus software patches.
But rolling out those updates and patches has been a bumpy ride—first, because the Spectre flaw is an unintended consequence of a design feature to make processing speed faster. We’ll talk about why that is, but what it means is that most of the patches make the CPU run slower—although the performance hit in many cases hasn’t been as bad as some had predicted.
Second, not all the patches were free of bugs. Intel had fixes for most PCs and servers powered by its chips made in the previous five years available by Jan. 13. But a couple of weeks later, they had to halt some updates because they were causing devices to reboot.
Then in May, a team of researchers discovered eight new Spectre-class vulnerabilities in Intel CPUs that they said might also affect some ARM and AMD processors. Intel ranked four as “high risk” and the rest as “medium.”
That set off another patching scramble.
There was also what sounded like some encouraging news in June, when another team of researchers came out with a white paper that said they had found a way to make speculative execution immune to Spectre, or side-channel attacks.
But that is unlikely to be a quick fix either. James Croall, director of product management at Synopsys Software Integrity Group (SIG), said the concept is sound but will require a redesign, not just a patch, which would take at least 18 months.
Other good news is that at least so far, there haven’t been any documented attacks attributed to exploiting the Spectre flaws.
Still, the Spectre flaw is expected to be with us for some time, and most experts say just because attacks haven’t happened yet doesn’t mean they won’t.
Indeed, just a couple of weeks ago, a team of researchers discovered two subvariants of one of Spectre’s known variants.
The good news is that the disclosure was a classic example of the “good guys” working together. Chip giant Intel paid the researchers $100,000 for the “responsible disclosure” of the vulnerabilities.
But as Gary McGraw, vice president of security technology with Synopsys SIG, noted, these flaws are the results of “efficiency boundaries coming to be treated as trust boundaries over time. Trust boundaries are subtle and tricky things to get right.”
“We will continue to see ‘retroactive design flaws’ discovered for years to come as we untangle efficiency and trust. They are real problems that need to be taken seriously,” he said.
To get any protection, users have to install updates—historically, not all of them do. And in some cases, they won’t get updates: Older systems, such as Windows XP, will almost certainly never be patched. The same is likely true of millions of third-party, cheaper Android phones that don’t get security updates from Google.
So while Spectre still looms over the entire CPU landscape, organizations that need more robust security against these vulnerabilities should use a tool known as static analysis, which can help detect code patterns that might be vulnerable to Spectre.
While there are multiple options available, look for a static analysis solution that has checkers specifically for Spectre and Meltdown code patterns. In one test run on a real-life codebase, the analysis detected an average of just one defect in tens of thousands of lines of code—a manageable level.
Best of all, static analysis lets organizations fix vulnerable code without slowing down the CPU. So you don’t have to trade speed for better security.
Get the latest AppSec news and trends sent directly to you.