How am I affected by Meltdown and Spectre?

News published on January 3, 2018 shook the IT world: Meltdown and Spectre, both hardware security issues, were made public and demonstrated simultaneously by Google Project Zero and several university research teams. But what are Meltdown and Spectre? Meltdown “melts” the boundaries between the user and the kernel space, allowing a program with no privileges to execute kernel code. Spectre exploits the speculative branching found in modern processors to access memory areas that should be off limits. Due to the kernel level execution of those exploits, the user has no chance to detect an attack, i.e. the exploit cannot be detected by an anti-virus program or a log-file. So, if we can’t do anything, what is being done by people who can do something?

Intel, AMD, and ARM are working on hardware fixes for the Meltdown and Spectre vulnerabilities. Intel claims to have them ready this year, but as these security flaws are severe, the patches need to come out soon. This is only possible with software patches, which Intel released recently for both vulnerabilities. These software patches come with a trade-off: While they published quickly, they can impact the performance of the OS and the software running on top of it. These slowdowns come from two different mechanisms. For the meltdown patches, the kernel page table must be isolated, leading to additional memory operations when changing from kernel to user space and vice versa (reloading of TLB). As memory operations are the most expensive in terms of time in modern processors, this will impact the performance of systems. Additionally, the Spectre patches are not easily fixed with software, as they lie deep in the mechanism how processors execute code. If speculative branching is shut down, the Spectre exploit is fixed, but this creates a serious performance decrease for modern processors. (Kocher, 2018) (Lipp, 2018)

Which devices are affected?

All Intel devices fabricated in the last 5-10 years are affected by both Meltdown and Spectre. While ARM and AMD processors are not affected by Meltdown, they are also vulnerable to Spectre. So basically, all your electronic devices with more than basic functionality are affected. So not only your laptop is compromised, but also your phone and most importantly, your cloud services.

For people who just use their devices for personal, everyday computer work, these vulnerabilities are severe and should be patched. The performance impact of the patches will only affect you when large files are shoveled from the hard drive to the primary memory to the cache of the processor, e.g. for encryption, decryption or loading of an application. However, since the Meltdown vulnerability is only present in devices with Intel processors, only their users are affected by these performance impacts (Coldewey, 2018).

People in academics or in the industrial engineering sector will also feel the impact of Spectre and Meltdown. Because of the speculative branching, programs with many iterative passages are processed faster. With the Spectre fixes, this won’t be the case anymore. The result is an increase in computation time for all kinds of numerical solvers. Furthermore, the same problem as for personal computing also applies.

The last aspect a consumer will feel is the impact of Spectre and Meltdown on Cloud services.  Google reports that the impact of Spectre is more severe on cloud services and has already rolled out a public patch for their cloud services. However, their software fix only works for servers with a proprietary backend, i.e. big companies like Google themselves or Dropbox. Smaller companies which use open-source or share-ware programs to run their services will not be able to benefit from the fix. Therefore, users utilizing cloud services from smaller companies or individuals will be most impacted by the performance decrease due to a Spectre fix.

Conclusion

As multiple sources claim that the fixes for Meltdown and Spectre can brick computers, we recommend informing yourself about the patch for your specific computer before applying it. The performance impact of the patch itself should not impact your everyday life too much. You will sometimes feel the laptop being slower, especially during application startup, but this is outweighed by the fact that your passwords won’t be leaked. Other than applying the patches you can’t do much, as these exploits are neither triggering anti-viruses nor show up on logs. If you want a permanent fix for these exploits, you will have to wait for the hardware-fixes prepared by Intel, AMD and ARM. But even if you haven’t installed the patches up to this point, do not panic: Both exploits are technically very difficult to implement and are not yet seen “in the wild” (Technology, 2018).

References

• Chan, L., 2018. Toms Hardware. [Online]
• Coldewey, D., 2018. Techbrunch. [Online]
• Kocher, P., 2018. Spectre Attacks: Exploiting Speculative Execution. arXiv.Lipp, M., 2018. Meltdown. arXiv.
• Sloss, B. T., 2018. Google. [Online]
  Technology, G. U. o., 2018. Meltdown and Spectre. [Online]
• official Melt Down Spectre Website of the discoverer

[Accessed 22 Feb 2018]. 

Manufacturer support

• Intel
• Microsoft
• HP
• Lenovo
• Dell
• tool for testing your potential infection