Spectre & Meltdown - are you vulnerable too?

in #spectre, 7 years ago

Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) are probably already the most interesting security issues of this year, but what are these vulnerabilities, and is everyone really vulnerable?

Let's start with the basic concept of these two attacks:

As the researchers at Google's "Project Zero" put it: "In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions."

So basically every newish CPU (if you bought your computer after 1995, your CPU is one of them) executes instructions that are not yet proven to be needed but are highly likely to be needed later. In the end, it is a technique that makes your computer run faster and is based on speculation.

So is everyone vulnerable?

Basically yes, BUT patches have already been published by every major operating system vendor, so you would be safe if you install these updates. What these updates do is more or less remove the feature of executing instructions speculatively, which slows down your computer. Researchers found that it could slow down your computer by up to 30%.
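As an added example (not part of the original post), this script shows one way to check on Linux whether those updates are in place: patched kernels expose one status file per issue under /sys/devices/system/cpu/vulnerabilities. The function names and the VULN_DIR override are choices made for this example.

```shell
#!/bin/sh
# Added example: report Spectre/Meltdown mitigation status on Linux.
# VULN_DIR can be pointed at a directory of sample files (assumption of this example).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_LINE -> not-affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_one DIR FILE -> classification of a single status file
check_one() {
    if [ -r "$1/$2" ]; then
        classify "$(cat "$1/$2")"
    else
        # No status file: the kernel does not report on this issue,
        # so the patch level cannot be confirmed.
        echo "unknown"
    fi
}

# report DIR -> one line per CVE; returns 0 only if nothing is
# vulnerable or unknown.
report() {
    dir="$1"; rc=0
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"; file="${pair##*:}"
        state="$(check_one "$dir" "$file")"
        printf '%-14s %-11s %s\n' "$cve" "$file" "$state"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

report "$VULN_DIR" || echo "At least one issue is unpatched or its status is unknown."
```

A result of "unknown" usually means the kernel is too old to report its status, which is itself a reason to install the vendor's updates.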

So how to be safe and not lose computing power?

That's the one question where it gets tricky, because you would actually have to buy a new CPU. That can be expensive, and for many users it can be complicated, because changing a CPU is not that easy, especially if you're not really familiar with the insides of your computer.

Please leave a comment if you liked this write-up or if you want more information on these two attacks (code examples or deeper analysis).


Good overview. I'd love some code examples of this, and to be honest I think that's the only way I'll be able to bridge this gap.

I'll write one in a few days! Stay tuned