By Lambert Strether of Corrente.
Yesterday, Yves posted a “primers on Meltdown and Spectre”, which included several explanations of the two bugs from different viewpoints; if you feel you don’t have a handle on them, please review it. Today, I want to give an overview of the two bugs. I will dig into the details of these two bugs in the form of a FAQ, and then I’ll open a discussion of the larger business and political economy issues raised in the form of a MetaFAQ. First, I should make one point: Meltdown is a bug; Specture is a class of bugs (or, if you prefer, a strategy). ThreatPost explains:
“ where a user-mode program can access privileged kernel-mode memory. This makes patching Meltdown much easier than Spectre by ensuring kernel memory is unmapped from a user-mode, which is what we see in the form of kernel page-table isolation (KPTI),” said Jeff Tang, senior security researcher at Cylance.
Ben Carr, VP of strategy at Cyberbit, said there is not a single patch that can be applied for Spectre and mitigation efforts will require ongoing efforts. He said Spectre attacks do not rely on a specific feature of a single processor’s memory management and protection system, making future attacks part of a generalized strategy to undermine a CPU.
“… Exploits are based on the side effects of speculative execution, specifically branch prediction. This type of exploit will be tailored and continue to morph and change making patching extremely difficult,” Carr said.
Researchers say Spectre also represents a larger challenge to the industry because it requires a greater degree of coordination among stakeholders to mitigate.
This distinction is important to make because press coverage, in lumping the two together, will have the tendency to make people think that both are fixed when only Meltdown is fixed, when in fact Spectre will require years of remediation.
The Meltdown and Spectre FAQ
1. Is there a really idiotic headline that shows how problematic press coverage is?
Yes. Here it is: “CES 2018: Intel to make flawed chips safe in a week”, from the BBC. It’s idiotic because at best what Intel will have done is release patches that when downloaded and installed by system owners patch the problem. And patching systems isn’t always easy. Bruce Schneir explains:
[S]ome of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.
We’re already seeing this. Some patches require users to disable the computer’s password, which means organizations can’t automate the patch. Some anti-virus software blocks the patch, or — worse — crashes the computer. This results in a three-step process: patch your andi-virus software, patch your operating system, and then patch the computer’s firmware.
“You can’t bring down a power grid just to try out a patch,” says Agarwal. “Industrial systems, hospital machines, airline control systems—they will have to wait. They can’t just patch and hope that things will work out.”
2. How bad are are the Meltdown and Spectre bugs?
They are very bad. From the Guardian:
Meltdown is “probably ever found”, said Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw.
They will stay bad for a long time. The Register:
The critical Meltdown and Spectre vulnerabilities recently found in Intel and other CPUs represent a significant security risk. Because the flaws are in the underlying system architecture, they will be .
3. How many chips are affected?
Billions and trillions. MIT Technology Review:
How many chips are affected? The number is something of a moving target. But from the information released so far by tech companies and estimates from chip industry analysts, it looks as if at least now in use are vulnerable to attack by Spectre, which is the more widespread of the two flaws.
CPUs made by AMD, ARM, Intel, and probably others, are affected by these vulnerabilities: specifically, ARM CPUs are used in a lot of IoT devices, and those are devices that everybody has, but they forget they have them once they are operating, and this leaves a giant gap for cybercriminals to exploit. . Granted, not all ARM CPUs are affected, but if even 0.1% of them are, it still means a Billion (1,000,000,000) affected devices.
(Yes, an insecure IoT matters.)
4. Am I at risk?
Only if you browse the Internet or store data in the cloud. Kidding! Those are the highest risks:
For both Meltdown and Spectre,] an attacker actually needs to run some code on the target machine to exploit these vulnerabilities. This makes vulnerabilities highest risk for the following:Anything that runs untrusted code on your machine (a browser typically),Anything running in virtualization or clouds.So, for a typical company, on your Domain Controller (for example), the risk is actually very, very low: since you are not running untrusted code there (hopefully), an attacker should not be able to exploit these vulnerabilities in the first place.
My personal advice is the same advice some investors give: Don’t do anything that means you won’t sleep at night. For me, that would mean not patching any initially released patch, for the same reason I never upgrade to a *.0 release; only the *.1 release will have the bugs worked out! But your business or the firm for which you work may demand different priorities; see the example of the power grid, above. And do be extra, extra careful to watch for phishing email.
5. Is there a fix?
Yes, and it looks like there are going to be many, many such fixes for quite some time; see the discussion of patches at #1. Since the bug fix situation is so dynamic, I won’t go into detail; here is a good roundup of consumer-grade fixes. Here is a linux roundup, and the site of the stable branch maintainer. Here are news stories on Apple’s MacOS and iOS and Apple’s browser, Safari. Windows is, of course, a breed apart, and has been having its problems. Microsoft’s patching process has been complicated by requirements for Anti-Virus software (status list), and has been temporarily halted for AMD devices because it bricks them. It’s not clear whether IBM mainframes are affected or not..And if you own bitcoin, consider a hardware wallet.
6. Do the Meltdown and Spectre fixes cause a performance hit?
Yes. The Register collected a good deal of anecdotal data, and concluded:
These figures are in keeping with the estimates first reported by The Register, a performance hit of roughly five to 30 per cent, with the caveat that any such results are highly variable and depend on a number of factors such as the workload in question and the technology involved.
(However, if you’re a gamer, you should not be affected, unless you’re gaming in the cloud, I suppose:
For most end users, they’ll never notice a difference. “The client type desktop applications, gaming included, execute almost entirely inside of the user space,” Alcorn said. “So they’re not really doing a lot of calls to the kernel. They don’t issue a lot of system calls. The performance impact is negligible.”
(Cloud vendors say they have no performance hits; but they would say that. I would like to hear that from customers, since cloud vendors bill by the second and the hour. Even though cloud vendors have enormous resources to brute force a solution, somehow I don’t think they’ll want to eat any costs.)
7. Will there be more bugs like Meltdown and Spectre?
Yes, of course. Bruce Schnier:
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
8. Is there an XKCD comic?
Yes, of course there is.
The following questions move out of the technical space, and into the business and political economy space:
9. Could Anyone Have Arbitraged Meltdown and Spectre?
Yes. There are several actors who employed or could have employed what might be called predictive execution based on prior knowledge of the bugs later named Meltdown and Spectre.
A) Intel CEO Brian Krzanich. Business Insider:
Intel CEO Brian Krzanich sold off a large portion of his stake in the company months after Google had informed the chipmaker of a significant security vulnerability in its flagship PC processors — but before the problem was publicly known. Intel’s CEO saw a $24 million windfall November 29 through a combination of selling shares he owned outright and exercising stock options. The stock sale raised eyebrows when it was disclosed, primarily because it left Krzanich with just 250,000 shares of Intel stock — the minimum the company requires him to hold under his employment agreement.
B) Analysts who watched Linux closely. It was clear in retrospect something was up
Something to reflect on: The biggest apparent signal that something strange was going on in the open source community, was that a complex security hardening measure with perf trade-offs was being committed & Linus _wasn't publicly cursing out it's authors_
— Matt Linton (but not the Gospel Rock singer) (@0xMatt) January 8, 2018
Commenter duffoloniou linked to this fine example of measured, linux-style language, on the KAISER path for isolating user space from kernel space, back in November:
Even so, there will be a performance penalty to pay when KAISER is in use:
KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.
. Times have changed, though, and most developers have realized that a hardened kernel is no longer optional. Even so, there will be options to enable or disable KAISER, perhaps even at run time, for those who are unwilling to take the performance hit.
All told, . It emerged nearly fully formed and has immediately seen a lot of attention from a number of core kernel developers. Linus Torvalds is clearly in support of the idea, though he naturally has pointed out a number of things that, in his opinion, could be improved. Nobody has talked publicly about time frames for merging this code, but 4.15 might not be entirely out of the question.
Now, do I know that there were any analysts who doped out that they might want to short Intel, whose stock did indeed take a hit when Spectre and Meltdown became public? No. Could there have been? Yes. Should there have been? Indeed, yes (and see #7, supra).
C) No Such Agency
Current and former U.S. officials also said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.
Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”
“Would never” is a fine example of what I call the Beltway Subjunctive, because whether or not the NSA would have, they have. Tech Dirt:
While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it’s laughable to assert the NSA wouldn’t “put a major company in a position of risk” by withholding details on an exploit. We only have the entire history of the NSA’s use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.
The NSA has left major companies in vulnerable positions, often for years — something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.
These recently-discovered exploits may be the ones that got away — ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn’t. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That’s just how this works.
10. What Are The Costs of the Meltdown and Spectre Bugs?
A few billions. The Next Platform does some arithmetic:
First, let’s assume that the average performance hit is somewhere around 10 percent for a server based on microbenchmarks, and that the heavily virtualized environment in most enterprise datacenters washes out against the lower impact expected for enterprise workloads. Call it something on the order of $60 billion a year in worldwide system sales. So the impact is $6 billion a year in the value of the computing that is being lost, at the grossest, highest denominator level. For modern machines, this is like giving up two, four, or maybe even six cores out of the machine, if the performance hit pans out as we expect on existing machines across a wide variety of workloads. Add this up over the three or four generations of servers sitting out there in the 40 million or so servers in the world, and maybe the hit is more to the tune of $25 billion without taking into account the depreciated value of the installed base. Even if you do, it is still probably north of $10 billion in damages.
Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it “can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment”.
The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor.
11. Are There Winners?
Hard to tell at this point, but if everybody has to buy a new machine (unlikely) than, perversely, Intel might be a winner, because all those machines will need new chips. Speculating freely, I’d guess that Cloud vendors would be winnners. From a Google FAQ that reads like a marketing pitch:
Spectre and Meltdown are new and troubling vulnerabilities, but it’s important to remember that there are many different types of threats that Google (and other cloud providers) protect against every single day. Google’s cloud infrastructure doesn’t rely on any single technology to make it secure. Our stack builds security through progressive layers that deliver defense in depth. From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, -built and -hardened.
In other words, a monoculture inside a walled garden. But I can see management finding such a pitch very attractive.
12. Is Code a Lemon Market?
Yes, any market that sells code is a lemon market. From George Akerlof’s famous paper:
The Lemons model can be used to make some comments on the costs of dishonesty. Consider a market in which goods are sold honestly or dishonestly; quality may be represented, or it may be misrepresented. The purchaser’s problem, of course, is to identify quality. The presence of people in the market who are willing to offer inferior goods tends to drive the market out of existence -as in the case of our automobile “lemons.” It is this possibility that represents the major costs of dishonesty -for dishonest dealings tend to drive honest dealings out of the market. There may be potential buyers of good quality products and there may be potential sellers of such products in the appropriate price range; however, the presence of people who wish to pawn bad wares as good wares tends to drive out the legitimate business. The cost of dishonesty, therefore, lies not only in the amount by which the purchaser is cheated; the cost also must include the loss incurred from driving legitimate business out of existence.
For me, the essence of the personal computer is that it’s personal; and the same goes for my tablet, would go for my cell phone, if I had one, and would go for my machine in the Cloud, if I had one. Quoting from Google’s writeup on Spectre and Meltdown at Project Zero:
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) in various contexts.
To me, that means my personal data is no longer personal. That means that the processor in my PC (or tablet, or cell, or virtual machine) is not fit for purpose (even though somebody with more knowledge about it that I have sold it to me as being so). This an inferior good sold to me by a dishonest (in this case, artificial) person under conditions of information asymmetry. It is a lemon. It’s just as much a lemon as a used car with a cracked engine block (J.B. Weld or no.)
And so we have crapification at scale: The largest lemon market in the history of the world. As far as thoughts on policy, I confess that at present I have none, though I hope to work through these issues in future posts. It’s easy to say Intel is a ginormous monopoly and a monoculture; but fab plants don’t come cheap. It’s easy to say we should open-source our chip designs, but is IP really the main cost driver here? It’s easy to say software engineering shouldn’t be an oxymoron, but how is that to be accomplished? It’s easy to say that we should give up our devices — we got along perfectly well without them until about half-way through the neoliberal era — but what about our “standard of living”? Frankly, the billions — or is it trillions — of insecure processors and devices out in the wild, the great bulk of them lemons and none likely to be recalled, it’s hard to see what to do. Other than put our noses to the digital grindstone and patch, patch, patch.
 Here’s material on patches in the financial industry, from Dark Reading:
Take the FS-ISAC, the financial services industry organization that shares threat intelligence among banks and other financial institutions, which said it’s well aware of the possible performance and productivity hits and costs, as well as testing, for the processor patches.
“There will need to be consideration and balance between fixing the potential security threat versus the performance and other possible impact to systems,” the FS-ISAC said in a statement last week. Cloud-based and shared, virtualized platforms, are likely to be more at risk than dedicated servers and endpoints.
William Nelson, president and CEO of FS-ISAC, says while Meltdown and Spectre “are a big deal,” the good news is that it’s a vulnerability discovery and has no known exploits in the wild as yet, which gives financial institutions some breathing room to assess and analyze their risk and any performance tradeoffs with patching.
I think alert reader Clive can translate this much better than I can; but I’d certainly like to know more detail about that mysterious “balance” of which the FS-ISAC speaks.
 More from We Live Security:
Now I can hear already someone say “What kind of sensitive data can be stolen from my Wi-Fi-controlled light? Or my refrigerator? Or from my digital photo frame? Or from my Smart TV?” The answer is simple: lots. Think about your Wi-Fi password (which would make it possible for anyone to get onto your local network), your photos (luckily you only put the decent photos on the digital photo frame in your living room, right? Or did you configure it to connect automatically to Instagram or DropBox to fetch your newly-taken pictures?), your credentials to Netflix? Your… Eh… There is a lot of information people nowadays store on IoT devices.
 See this important, classic paper from Ken Thompson: “You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”
 A post at Planet Mainframe that said the following has been retracted:
For mainframe IT shops, there’s some good news, but bad news as well. The good news is that the folks at IBM long ago put protections in place for things like out-of-order executions and other security risks. Doubly good news is that with mainframe hardware memory encryption, you’re in pretty good shape either way. The bad news is that your consoles may be vulnerable, especially if they’re x86-based, and they connect to your mainframe systems; so you need to pay special attention there
 And indeed a kind reader sent me a heads-up, which IIRC I published in Water Cooler, but for which I am too lazy to find the link just now.