Spectre of IT vulnerability looms large

It has not been the happiest start to 2018 for the IT industry.

Security researchers from Google’s Project Zero published a detailed paper identifying a flaw in the design of every modern microprocessor that could be exploited to gain privileged access to a computer’s memory.

Not since StuxNet in 2010 has the IT world been so disrupted. At that time, researchers showed how everything from lifts and building systems to electricity grids, banking networks and nuclear power stations could be directly compromised.

Although the threat from cyber terrorism attacks on critical national infrastructure is very real, in some ways the Meltdown and Spectre flaws represent a risk that goes to the very heart of computing. This microprocessor flaw has resulted in major network, server, PC and mobile hardware firms releasing firmware updates; operating system providers issuing hot fixes; and browser companies tightening security around JavaScript. Some anti-virus companies had to update their software to prevent Windows Update from locking up PCs.

It has been known for two decades that electronic devices such as microprocessors have tell-tale signatures that can be exploited. Security researcher Paul Kocher published a paper in 1996 describing such a risk, known as a side-channel attack. He said the time it takes for a microprocessor instruction to run can be used to reverse engineer cryptographic keys, such as RSA tokens.

The security team that discovered Meltdown said they were able to leak secure information at a rate of 503Kbps with an error rate of 0.02%. In other words, their proof-of-concept exploit of the flaw could get at information almost 100% of the time. Because it is a hardware exploit, it works on Windows , Linux and containers such as Docker.

Luckily, Meltdown can be patched – but Spectre requires a generation of secure processors.

The patches issued across the industry are just that. They are patches; they do not fix the fundamental problem that the microprocessor is broken. The ingenious techniques applied by microprocessor designers to extract maximum performance from every processor invented since 1995 can be used to leak secure information. Everyone will need to upgrade, but this will take years. In the meantime, the patches and hot fixes may have some detrimental effect on the performance of all our IT systems.