
Meltdown and Spectre: What Processor Design Flaws Mean for Partners

Meltdown Cybersecurity Attack
  • … CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”
  • Google said that Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products have been updated, but that Compute Engine users would need to patch instance OSes. Regarding the most significant and potentially disruptive mitigation, so-called Kernel Page Table Isolation (KPTI), Google states that “performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
  • Microsoft has issued patches for both Windows Client and Server and has applied mitigations to its Azure services. Of the latter, it states, “The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied.”
  • Amazon has applied mitigations to its services and developed patches for Amazon Linux that should be used on EC2 instances. Amazon has also linked to patches for other OSes. It too says: “We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”
  • ARM processors are not affected by Meltdown, and ARM has released Linux kernel patches for Spectre. The situation is similar for AMD processors.
  • Apple included fixes in recent updates to iOS (11.2), macOS (10.13.2) and tvOS (11.2) and will shortly release an update to Safari that defends against the Spectre vulnerability. In testing using public system-level and browser benchmarks, Apple says that the fixes resulted in no measurable degradation in system performance and a less than 2.5 percent hit in Safari on only one benchmark.
  • Android has developed source code patches for the vulnerabilities that have been released to hardware partners and, recently, to the Android Open Source Project (AOSP) repository. Google will incorporate the fixes for Nexus and Pixel devices in the forthcoming January OTA security update.

Links to patches and statements from other OS vendors can be found here.

What’s It Mean to Partners?

These exploits strike at the heart of modern system design. That makes them particularly significant since they affect every server, PC and mobile device in use. Because they exploit security weaknesses or oversights in processor design, we can expect to see new copycat vulnerabilities in the coming year that exploit quirks of microarchitecture. We agree with security expert Bruce Schneier: “As bad as Spectre and Meltdown are, I think we got lucky. But more are coming, and they’ll be worse. 2018 will be the year of …
