What are the Spectre and Meltdown threats?
| Floris van den Broek |
Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor.
What are Spectre and Meltdown?
The Spectre and Meltdown bugs (vulnerabilites) are fundamental flaws in processor hardware. These bugs allow unprivileged code to read any data that is currently being processed (i.e. that is in RAM and which is being used).The bugs, or rather unintended side-effects, are caused by advanced performance features in modern processors.
Does this allow hackers to hack me?
Not directly. This is because this is not a (Remote) Code Execution Vulnerability. However, if hackers already have a way of running code on you server (for instance when it is a shared server) you could be vulnerable. They might be able to use this attack to recover sensitive information, such as keys even when they are supposed to be in a protected part of the shared server.
So, indirectly, yes.
So what would an attack look like?
Will my current security solution help?
Essentially, no. The amount of code needed is very small and a signature that has few false positives is therefore not very easy to create. Also, and most importantly, it is an almost completely passive hardware bug exploit so most software does not come into play.
What can you do to protect yourself?
Unless you are a chipmaker like Intel, you cannot take direct action. You should have an update policy as part of your overall security policy. Follow this policy and update diligently. Most vendors will send patches to mitigate the vulnerabilities. These patches will not fix the hardware problem, they will however prevent these vulnerabilities from being exploited.
In the meantime, do not install new apps (not even from known sources, unless the developer is well-known as well) and limit visits to sites where there are lots of external ‘partners’ (advertisers, content syndicators etc.).
Threat detection remains of utmost importance. You may think of specialised threat detection services, using Redsocks or other quality threat intelligence. There are also several possibilities to verify source code of applications, which is a good idea if you have source code available. See also the article on our site on Source code analysis.
image credit: master1305 via Envato
Dr. Floris van den Broek received his PhD in Computer Science at TU Delft and his Masters of business Administration at University of California, Berkeley. He is a a co-founder and director of ICT Institute with a focus on sales and business development. Next to his work at ICT Institute, Floris is on the board of various ICT companies and has been active in private equity. He is also a certified ISO 27001 lead auditor.