January 9, 2018
By Kurt Marko for Channel Partners Online
The tech world had a collective panic attack this past week with the announcement of several serious security vulnerabilities rooted in fundamental elements of modern processor design (speculative and out-of-order execution), with Intel’s x86 architecture shown to be the most exposed. Dubbed Meltdown and Spectre, the vulnerabilities could allow an unprivileged program running on a system to read memory belonging to other processes, and even memory protected by system- or kernel-level privilege.
Doomsday scenarios include an attack by a program running on a cloud service, like AWS EC2 or Google Compute Engine, that steals information from other instances running on the same physical system, or malicious script on a tainted Web page that piggybacks off the browser process to read other data held in the browser’s memory on a PC or phone. Think records from a password manager, or personal emails. Indeed, several proof-of-concept examples exploiting the vulnerabilities have already turned up on GitHub, including one for reading data from a browser and another for reading system memory.
Now that we have established the seriousness factor, back off the ledge. The world isn’t ending.
As usual in an era of shoot-from-the-hip articles and social media feedback loops, initial reports painted a dire situation in which software mitigations would impose crushing performance penalties, with a complete fix necessitating the premature obsolescence of hardware that would need to be replaced by systems with CPUs redesigned from scratch. Upon further review from people who actually know what they’re talking about, such as the Google team and university researchers that independently discovered the flaws, neither of these is entirely accurate — although it is true that the Spectre variant can’t be eliminated entirely without changes to all modern CPU micro-architectures, not just x86 systems.
These vulnerabilities were actually discovered months ago. In keeping with responsible disclosure, details were shared among hardware, OS and cloud vendors so that patches could be developed and applied before the information became widely known. Although the news leaked a week before insiders intended, the lead time allowed all parties to develop fixes and patch cloud services beforehand. The days following the initial stories featured a cavalcade of status and patch announcements from major players that we summarize here:
Intel, the vendor at the center of the storm given that all of its mainstream client and server processors for the last decade or more are vulnerable to all three of the identified variants (two of Spectre and one of Meltdown), issued a press release with the indefensible claim that these are not the result of a bug or flaw in its design, and later released a white paper with technical details. Regardless of its public posturing, it’s virtually guaranteed that Intel will make design changes to future processors that minimize, if not eliminate, the vulnerabilities. Indeed, Linus Torvalds holds Intel responsible for the mess, writing to a Linux mailing list, “I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”
Google said that Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products have been updated, but that Compute Engine users would need to patch the guest operating systems in their instances. Regarding the most significant and potentially disruptive mitigation, so-called Kernel Page Table Isolation (KPTI), which unmaps the kernel from the user-mode address space and so adds cost to every transition into the kernel, Google states that “performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Microsoft has issued patches for both Windows Client and Server and has applied mitigations to its Azure services. Of the latter, it states, “The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied.”
Apple included fixes in recent updates to iOS (11.2), macOS (10.13.2) and tvOS (11.2) and will shortly release an update to Safari that defends against the Spectre vulnerability. In testing using public system-level and browser benchmarks, Apple says that the fixes resulted in no measurable degradation in system performance and a hit of less than 2.5 percent in Safari on only one benchmark.
Links to patches and statements from other OS vendors can be found here.
What’s It Mean to Partners?
These vulnerabilities strike at the heart of modern system design. That makes them particularly significant since they affect nearly every server, PC and mobile device in use. Because they arise from weaknesses or oversights in processor design rather than from any single piece of software, we can expect to see new copycat vulnerabilities in the coming year that exploit other quirks of microarchitecture. We agree with security expert Bruce Schneier: “As bad as Spectre and Meltdown are, I think we got lucky. But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.”
For partners and IT departments, it means yet another fire drill of patch application and hardware inventory. The fact that such security drills have become so prevalent underscores the necessity of having automated processes that allow for applying software updates en masse to minimize admin overhead. For customers with a lackadaisical attitude toward patching, let’s hope this drives a change.
While cloud vendors insist the performance implications of security patches are minimal, partners should verify these claims with client workloads, particularly syscall- and I/O-heavy ones such as transaction-heavy database applications, since that is where KPTI’s per-transition cost adds up. Anecdotal tales of significant – as in 10 percent to 20 percent – changes in CPU utilization have already shown up online and in social media, so be prepared to add capacity should application responsiveness become unacceptable. Likewise, those with custom enterprise applications should monitor for the availability of new compilers that incorporate mitigations for the Spectre variants since, as UK National Cyber Security Centre guidance points out, compiler-inserted mitigations only protect code that has been rebuilt from source with the updated toolchain.
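The two cautions above (Google’s point that KPTI’s cost scales with the system-call rate, and the advice to measure your own workloads rather than trust vendor averages) can be turned into a quick before/after probe. The following is an added example written for this page, not code from the article, Google, Intel or the NCSC. It assumes a Linux host: the mitigation status files under /sys/devices/system/cpu/vulnerabilities/ are reported by kernels from 4.15 onward and are simply reported as absent elsewhere, and the timing loops need only POSIX. The "meltdown", "spectre_v1" and "spectre_v2" file names are the kernel’s; everything else (function names, iteration counts) is this example’s own choice.

```c
/* kpti_probe.c (added example, not from the original article).
 * Reports the kernel's own verdict on the Meltdown/Spectre mitigations and
 * measures a syscall-bound loop against a pure user-space loop, so the same
 * two numbers can be compared before and after patching (or with the kernel
 * booted with "nopti") on identical hardware. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Read /sys/devices/system/cpu/vulnerabilities/<name>, e.g. "meltdown" ->
 * "Mitigation: PTI". Returns 1 if the file exists and was read, 0 otherwise
 * (older kernels and non-Linux systems do not expose it). */
int read_mitigation_status(const char *name, char *out, size_t out_len) {
    char path[256];
    out[0] = '\0';
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(out, (int)out_len, f)) { fclose(f); return 0; }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 1;
}

/* Syscall-bound loop: getppid() does almost no work in the kernel, so the
 * time is dominated by the user/kernel transition that KPTI makes more
 * expensive (page-table switch plus TLB effects). Returns calls per second. */
double syscalls_per_second(long n) {
    volatile long sink = 0;                 /* keeps the calls from being dropped */
    double t0 = now_seconds();
    for (long i = 0; i < n; i++) sink += getppid();
    double dt = now_seconds() - t0;
    (void)sink;
    return dt > 0 ? (double)n / dt : 0.0;
}

/* Pure user-space loop of the same length: its rate should be unchanged by
 * KPTI, which is why workloads that rarely enter the kernel see "negligible
 * impact". The xorshift keeps the compiler from optimising the loop away. */
double userspace_iterations_per_second(long n) {
    volatile uint64_t sink = 0;
    uint64_t x = 0x9E3779B97F4A7C15ULL;
    double t0 = now_seconds();
    for (long i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        sink = x;
    }
    double dt = now_seconds() - t0;
    (void)sink;
    return dt > 0 ? (double)n / dt : 0.0;
}

int main(void) {
    static const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char status[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (read_mitigation_status(names[i], status, sizeof status))
            printf("%-10s %s\n", names[i], status);
        else
            printf("%-10s (not reported by this kernel)\n", names[i]);
    }
    const long n = 2000000;                 /* iteration count chosen for this example */
    printf("syscalls/s:              %.0f\n", syscalls_per_second(n));
    printf("user-space iterations/s: %.0f\n", userspace_iterations_per_second(n));
    return 0;
}
```

Build with `cc -O2 -o kpti_probe kpti_probe.c` and run it once on a pre-patch system (or after booting with `nopti`) and once with the mitigation active. The user-space number should be essentially unchanged; the syscall number is the ceiling KPTI imposes on code that lives at the kernel boundary, which is why a database doing millions of small I/O requests feels the patch and a compute-bound batch job does not. It is a microbenchmark, not a substitute for load-testing the real application, but it tells you quickly whether a given host is in the "negligible" or the "10 to 20 percent" camp before you schedule that test.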
Kurt Marko is an IT analyst, consultant and regular contributor to a number of technology publications. See his take on 5 top SDN trends for 2018 in this report.