Boffins split on whether Spectre fix needs tweaked hardware

Analysis Processor security experts – including one cited in the Meltdown paper – are split on whether the resolution of the Spectre vulnerability may need to involve hardware modifications or the software defences being rolled out are adequate.

The Meltdown vulnerability, which by contrast is already comprehensively defended against, could become the focus of malware attacking the operations of processors on unpatched systems, experts warn.

"The theory behind Spectre and Meltdown is hard to understand," according to Anders Fogh, a security researcher at G-Data and expert in processor security. "If it was used in the past it was only in advanced attacks. Now that research has been released, Meltdown is likely to be abused by commodity malware relatively quickly."

Meltdown – like Spectre – is an information disclosure flaw that isn't by itself suited to remote code execution, so the concern is that it might be combined as part of other attacks and used to lift secrets such as passwords and cryptographic credentials from unpatched systems.

Meltdown is easy to exploit but relatively easy to patch. Spectre is tougher in both respects. Daniel Genkin, a postdoctoral researcher at the University of Pennsylvania and the University of Maryland, previously told El Reg that a lasting fix against Spectre would require a hardware redesign.

Fogh disputed this during a phone interview with El Reg, adding that mitigations already in place are increasing the difficulty of mounting an attack. "A processor recall is not possible anyway," he said. "The next step is getting customers to adopt patches."

Werner Haas, CTO at Cyberus Technology and a member of one of the three teams that independently discovered and reported Meltdown, told El Reg that achieving comprehensive protection against Spectre is far from straightforward and likely to involve an "ongoing process" involving a combination of software fixes and hardware modifications.

"The [Spectre] attack scenario is not as simple as user code reading kernel data, as it is conceivable to have cross-application attacks without OS involvement," Haas said. "On the other hand, branch prediction or speculation is such an integral part of high-performance CPUs that I lack the fantasy for a straightforward micro-architectural fix.

"So a generic solution as with Meltdown (either fix protection information processing in the pipeline, or change virtual memory handling in the OS) seems unlikely. As a consequence, I expect combined hardware/software mitigations with the caveat that plugging Spectre holes might become an ongoing process."

Defending against Spectre will involve trade-offs beyond the already widely reported processor performance hits, Haas added.

"I suspect we will see a compromise between legacy software support, energy efficiency goals, and security requirements. The three new capabilities (= MSRs) announced by Intel smell like testability features that help address some of the issues immediately. As such they are probably not ideally suited to counter Spectre attacks. Longer term, I wish there was a broader discussion on what kind of Branch Prediction Unit control would be useful."

Haas laments that security in processor design was not baked in from the beginning – expressing nostalgia for the days of RISC processor development.

"Generally speaking, I am a bit worried that security has been an afterthought with current designs. It might be top priority now but originally, security was more like nice-to-have. I dream (and made suggestions) of an architecture with security in its genes and thus closely follow the RISC-V development."

Chip vendor response scorecard

Anders Fogh was among the first to probe the security issues involved in speculative execution by modern processors and is an expert in the area even though he didn't directly contribute to either the Meltdown or Spectre research papers. He praised the response by vendors as "heroic".

"The response has been amazing both in terms of handling the complexity of the disclosure process and in getting patches out in time," Fogh told El Reg.

Vendor security staff as well as researchers deserve to be considered "heroes" who worked over many months since last June, skipping holidays in the process, to get mitigations out early in the new year. Many are now "all too understandably tired", Fogh reports.

Haas said the disclosure process had been less than ideal but praised Intel and ARM's overall response.

"Complaints about keeping the issues secret for too long do not take into account that the Meltdown patches were finalised only recently so we would have had tons of computers without protection for an extended period of time.

"I disapprove the secrecy with respect to implementation details, though. I know that there are trade secrets involved but on the other hand, at Cyberus Technology, we are forced to spend considerable resources on reverse engineering where we would prefer focusing on the solution space. There has to be a way to work jointly together instead of the one-way flow of information we experienced in our interaction with Intel."

Haas is far more critical of AMD's handling of the problem.

"AMD's reaction has been a complete disappointment. I still have not figured out whether I should feel insulted by their claim about 'a highly knowledgeable team with detailed, non-public information about the processors targeted'.

"Well, of course we feel flattered by the first part, but I strongly reject the notion that we at Cyberus used any kind of internal details from our previous jobs at Intel! And calling 'Information Security is a Priority' while discounting the research findings three sentences later does not quite match in my eyes."

The Cyberus team's Meltdown discovery started as a hobby project at the security startup. Haas predicts Meltdown may inspire others to look for processor security flaws while noting that this work was already under way before the Meltdown/Spectre revelations.

"I would argue that it does not require Meltdown to motivate looking into low-level attacks," Haas said. "Just look at recent attacks against Intel's Management Engine or AMD's Platform Security Processor. But I do expect additional interest in exploring the corners of x86 execution. Successful research, however, likely requires more insight into the inner workings of a CPU than many security people have." ®