What the hell are Meltdown and Spectre?
(screenshot from metdownattack.com)

Since I wrote the post about the Meltdown and Spectre attacks a few days ago, quite a few people have asked me to explain, in the simplest possible way, what it is all about.

Speculation everywhere....

In the quest for performance, since 1995 most CPU makers have introduced a feature called "speculative execution". 

At the lowest level, a CPU has multiple components that can work in parallel and are organized in pipelines. To keep the pipelines full (to go faster!), the CPU will fully execute program elements that are likely to be executed, and then dismiss the result of that computation if the program eventually takes a different turn.

What the security researchers did, by using side effects of speculative execution, was to:

  • First, make the CPU read places they should not normally have access to (even if that data is eventually dismissed in the normal course of execution), and
  • Second, find a way to listen to the stream of dismissed data.

both of which are supposed to be impossible.... but ... oh well...

Meltdown and Spectre both use variants of the above attack method on different targets to achieve very different goals.

Meltdown

Simply said, this issue enables the attacker to "melt down" the security barriers that should normally be enforced at the chip level. By using this attack, it is possible to dump the entire memory content available to the operating system, including critical data such as passwords and credit card numbers, and to read from the (normally inaccessible) memory of any other software running on the system.

It is by far the most serious one and really only affects recent Intel CPUs due to the fact that Intel took unfortunate shortcuts in their chip design. AMD has clearly stated that they are not affected by the issue.

Most OS vendors have issued patches for their OS that prevent the Meltdown attack from being effective, at the cost of some performance (5%-20%). So keep your OS up to date!

Spectre

Although Spectre is not able to read from other processes, it makes it possible to escape from systems such as virtual machines (that should really be virtual jails). The researchers have said it is harder to set up but also harder to prevent!

A proof-of-concept attack was shown that uses a JavaScript program to search your browser's memory for passwords and credit card numbers.

Any system that allows "plug-ins" etc. to run in the same process will now be at risk of being attacked by Spectre.

While it sounds less dangerous than Meltdown... the real issue is that... there is NO WAY to FULLY patch this. That is why it was called Spectre ... because this will probably haunt software design for a long time.

The first counter-defenses are being devised, so more than ever, keeping your web browser up to date is super important. Also, avoid visiting those "strange" websites, okay?

What does this mean for my digital signage network?

For your typical signage network, both of the issues are unlikely to cause major trouble, simply because normal digital signage systems are embedded systems that normally run a single piece of software, not random pieces of software from different users. On systems purely relying on HTML5 and running external JavaScript code, it is possible (albeit quite unlikely) that critical information available within the process could be disclosed. Obviously, it goes without saying that it is always a good move to manage your critical data and keep it off your signage network. At some point, it may also be appropriate to prepare the budget and time to do an audit of the JavaScript code that is running on your network.
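For Linux-based players, the kernel itself reports whether the OS-level mitigations mentioned above are active, under `/sys/devices/system/cpu/vulnerabilities`. The script below is an added example, not part of the original post: the function names are hypothetical, the sample values are constructed, and it assumes a kernel that exposes this sysfs interface.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre mitigation report.
# Assumption: a Linux kernel exposing the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cpu_vuln_report [DIR] -> prints "issue<TAB>state<TAB>raw text" per issue.
# Returns 0 only when every issue is mitigated or not affected (fails closed:
# a missing or unrecognised report counts as a problem).
cpu_vuln_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            raw=$(head -n 1 "$dir/$issue")
        else
            raw="(no report from kernel)"
        fi
        state=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$issue" "$state" "$raw"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir -> builds a constructed fixture that mimics a partially
# patched player and prints its path (for trying the report off-device).
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}
```

Calling `cpu_vuln_report` with no argument on a player reads the live kernel report; a non-zero exit status is a convenient signal for fleet monitoring that the device still needs an update.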

tl;dr: Meltdown: VERY BAD but only for Intel CPUs less than 5 years old. Spectre: LESS BAD... but forever with us.... which is BAD. For digital signage, the impact is likely to be small but keep updated!

edited to remove the bad spellings. Thanks @ryan-mcgonigle
