A year ago, the public first heard about Spectre and Meltdown, channel-side vulnerabilities in most of the processors used in servers and PCs for almost two decades. The disclosure of the vulnerabilities, first detected by Google's Project Zero team in mid-2017, and officially disclosed in early 2018, sent shockwaves through the industry.
The effects will continue to be felt over the next few years as chip makers from Intel and AMD to ARM and IBM rearchitect their processors to harden the technology that led to the vulnerabilities, a process that will take another three or so years, according to Paul Teich, principal analyst at Liftr Cloud Insights.
After that comes the arduous task of refreshing PCs and data center servers throughout the world with systems powered by the new processors, which could take a decade or more.
"We're going to be living with Spectre and Meltdown for a long time," Teich told Security Now.
The vulnerabilities arise out of the speculative execution that is used to ramp up the performance of the processors. Through Spectre, the isolation between applications that is managed through the CPU memory can be broken, while Meltdown splits the isolation between applications and the operating system. Chip makers scrambled to put in fixes through microcode and software changed to mitigate some of the risk from Spectre and Meltdown, but more permanent solutions are years down the road. In addition, variants of the vulnerabilities have continued to spring up, complicating the already complex task of addressing the problems. (See New Spectre & Meltdown Attacks Show Limits of CPU Vulnerabilities.)
Spectre and Meltdown also changed the discussion around security to a degree.
Until last year, much of the talk about vulnerabilities and exploits centered around software, through the issue of the security of Internet of Things (IoT) devices has been a growing issue. However, Spectre and Meltdown brought security concerns into the core of enterprise hardware and raised the difficult question of finding a middle ground between performance and security. Intel and others have tried to lessen the impact on performance through such steps as adding more memory, but it's a challenge, Teich said.
"A worrying pattern that the Spectre and Meltdown vulnerabilities brought to light is how attackers piggyback on computing advancements and exploit the fact that there's often a lag between performance improvements and corresponding security improvements," Abhishek Iyer, technical marketing manager at cybersecurity vendor Demisto, told Security Now in an email. "The Intel SGX brought an innovation to market -- the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks -- but the Foreshadow (L1TF) [variant] explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines."
It also put a focus on the need to address security throughout the development process to address possible vulnerabilities before the products are shipped, Charles King, principal analyst with Pund-IT, told Security Now.
"It's a new world that continues to evolve," King said. "It behooves people to keep that in mind. Don't think it's going to get any less complex or dangerous."
Assessing the response
The industry's initial response to Spectre and Meltdown was good, according to Liftr Cloud's Teich. Google researchers worked with hardware and software vendors to remediate as many of the problems as possible before going public with the vulnerabilities, and chip makers have continued to issue fixes and put in protections into their products.
Still, the various fixes frustrated C-level executives and IT professionals, according to Jon King, cybersecurity consulting manager at investment firm Moss Adams. For executives, the impact on performance and cost may have convinced some to "ride out the storm [rather] than fully understand the risk," King told Security Now in an email. (See Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown .)
The continual release of inconsistent patches also impacted IT, as King noted, these updates:
Desensitizing them to the potential impact of side channel disclosure due to the frustration of reapplying patches and registry edits across the enterprise. Going forward, we should expect and even encourage vendors to address classes of vulnerabilities affecting broad swaths of the industry in a thorough, effective manner. The emphasis should be on addressing the risk, not simply patching the vulnerability.
Teich added that the next iteration of processors from Intel and AMD will bring greater protections against the vulnerabilities -- he called them "half steps" -- but it will be the processor rollouts after that -- in mid- to late-2020 -- that will include new core architectures that will protect the various points in the speculative execution pipeline. Then comes the long process of enterprises refreshing their data centers with new systems that include the new chips.
The good news is that, so far, there doesn't seem to have been any attacks in the wild exploiting the Spectre or Meltdown vulnerabilities.
Part of that may be how difficult such an attack would be, Teich said, calling the vulnerabilities "low-risk, high-impact." Such an attack would involve the transferring of huge amounts of data from the system over the network, something that modern security solutions would most likely be able to detect.
In addition, most threat actors know the data they're looking to extract. Exploiting Spectre or Meltdown would mean stealing massive amounts of data that an attacker may not know what do with. "The whole point of [an attack] is to send data home," Teich said, adding that attackers tend to run "pinpoint surgical operations."
Chris Morales, head of security analytics for cybersecurity vendor Vectra, agreed.
"The reality is, while these are scary attacks conceptual, the ability to execute an attack utilizing these flaws is still hard," Morales told Security Now in an email. "The data rate for extraction of data from system memory is very low, meaning stealing anything more than a simple password could take days or much longer."
For now, the industry will have to push on with Spectre and Meltdown always looming, at least for the next several years.
"The problem isn't going to go away until Intel and other companies with technology susceptible to Spectre and Meltdown change the [chip] architecture," Pund-IT's King said.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.