There has been plenty of (digital) ink spilled in recent days about widespread processor flaws known as “Meltdown” and “Spectre.” We round up five articles that will help you understand these security vulnerabilities, how they were discovered and their likely impact.
The flaws, which affect processors by Intel, AMD, ARM and a wide range of other vendors, could be used to siphon sensitive data from the device’s memory. But, as often happens with major and widespread flaws like this (think “Heartbleed”), it can be easy to lose the forest for the trees when so many different experts are stepping forward to offer their insights and advice.
That’s why we’ve decided to pull together some of the best writing about the Spectre and Meltdown flaws into one place. Below you’ll find five articles that we here at Security Ledger have come across and read that provide what we consider critical context and understanding of the flaw, with a minimum of hyperbole. While this list isn’t comprehensive, it should provide you with a solid understanding of the underlying security holes and their impact on your organization (or on you, individually).
Chapter 1: Where it all started: John Leyden’s Scoop on El Reg
Props to the ever vigilant John Leyden over at The Register for his January 2 article “Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign,” which blew the lid off the processor flaws. Leyden was tipped off to the problem by messages on the Linux Kernel mailing list, where a fix for the flaw dubbed “KAISER” (or KPTI) was being hurried out, despite the prospect of serious performance hits to affected systems. His story – though focused mostly on Intel processors – holds up well a week later and does a great job explaining the security holes, their impact, likely attack vectors and more.
Chapter 2: Google’s Security and Project Zero Blogs
Google researchers helped discover the Meltdown and Spectre flaws and had some of the earliest and most comprehensive information on what they were, what systems they affected and how to mitigate the potential harm of the flaws. Check out: “Reading privileged memory with a side-channel” on the Project Zero blog, which gave the first explanation of the holes. Also check out the post “More details about mitigations for the CPU Speculative Execution issue” on Google’s Security Blog from January 4th for a more in-depth discussion of the three separate vulnerabilities that were discovered and possible mitigations for them.
Chapter 3: The Home Page: Meltdownattack.com
Sometimes a security hole is so big it deserves its own brand. We saw that with Heartbleed, the widespread hole in the OpenSSL open source package. With Meltdown and Spectre, the decision was made again to brand the holes and, as with Heartbleed, to create a web site that explains the flaws and provides links out to other useful information on patches and other mitigations. That website, meltdownattack.com, provides a wealth of information including links to technical papers on the flaws co-authored by the researchers who discovered them, a FAQ and more.
Chapter 4: OK, but what does it all mean?
Google and the researchers did a great job explaining the details of Meltdown and Spectre. But, no surprise, all that information simply prompted more questions. A couple of blogs put together solid, second-day write-ups that helped fill in the blanks and provide actionable information on how to respond to the flaws. In particular, I found two blog posts with nearly identical titles worth reading: Craig Young’s write-up on the Tripwire State of Security blog, “Spectre and Meltdown: What you need to know,” and John Bambenek (of Fidelis)’s write-up on the SANS Internet Storm Center’s blog, “Spectre and Meltdown: What You Need to Know Right Now”. Craig does a great job describing the flaws and the limitations of fixes like KAISER. John raises some interesting questions about the long-term impacts of these flaws, particularly when it comes to the Internet of Things, where patching is often difficult if not impossible.
Chapter 5: The back-story at Wired.com
As he often does, Andy Greenberg at Wired got the story behind the discovery of the processor flaws, setting the scene “on a cold Sunday” in December in the “small Austrian city of Graz.” In this article, “Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip,” Greenberg does a great job explaining the impact of Meltdown and Spectre, but his focus is something even more interesting: how it was that researchers around the world independently discovered the same holes at around the same time – more than two decades after they were likely introduced. The trail leads from Germany to Austria to California and back, and it’s fascinating.