The latest headline news about the Meltdown and Spectre vulnerabilities has people speculating about the severity and probability of potential damages. Because this latest security issue has been picked up by mainstream media, even non-security computer users are worried about the long-term effects.
In an effort to remove the FUD[i] from the equation, Infosec Insider has asked longtime security veteran, Aaron Turner, Founder and CEO of IntegriCell and Faculty at IANS, what he’s learned after consulting industry sources and doing his own research into the realities of the matter.
InfoSec Insider: Meltdown and Spectre have hit the news as the latest security catastrophe. To level set (in a nutshell) what are Meltdown and Spectre, and why are they important?
Aaron Turner: Meltdown and Spectre are hardware-level processor design flaws which create vulnerabilities which can reveal secrets between processes.
II: In reality—not worst-case scenario—what are the potential implications? We know about, “if in the hands of an attacker,” but what are we facing, really?
AR: I’ve spoken with my sources at Microsoft, Palo Alto, Google, and Amazon and they are all in agreement that this is not a major, wormable vulnerability which could cause significant damage to systems and networks. The real exploit cases are fairly narrow. For example, the worst-case scenario is for public Infrastructure-as-a-Service (IaaS) systems such as AWS, Azure, and Google Cloud. This is due to the fact that in order to exploit the Meltdown and Spectre vulnerabilities, you have to already have a privileged process running on the server. Using existing elevated privileges in one process, these vulnerabilities would allow an attacker to view secrets (like credentials or private keys) that are in use or stored in memory by other processes. Think about an AWS server that is hosting virtual machines from multiple clients. It is conceivable that one client could use their privileges to exploit the vulnerability to view credentials and private keys of another client’s virtual machines.
For the average user, there are much more efficient ways for attackers to steal secrets rather than run a double-exploit attack like Meltdown or Spectre. By double-exploit, I mean that the attacker would first have to run a remotely-exploitable vulnerability and then stack the Meltdown or Spectre vulnerability on top of the initial attack. In the real world, if someone has already successfully run a remote exploit, there would be relatively few reasons to stack the Meltdown or Spectre attacks on top of the initial one (outside of the shared infrastructure scenario outlined above). For mobile devices, IoT, and other embedded systems, we still have more troubling vulnerabilities which are much easier to exploit (hard-coded credentials, lack of visibility into kernel processes, etc.)
II: It’s still early and Intel, along with other companies like Amazon and McAfee, have issued updates and said they are working on patches. Could updates and patches fix the problem?
AR: This is a very complex problem; it lies at the intersection of where hardware and software have to work together. One senior Linux contributor I know stated that this problem has made people think about computer science problems no one has really thought about before. This is probably just the beginning of this type of vulnerability, and we’ll likely see more come along in the future. Updates and patches will fix the tactical problems of today, but this class of vulnerabilities points to an entirely new world of exploits which will cause significant disruption to hardware and software developers and vendors.
II: What about systems that are more than 5 years old? (Intel has said it is working on a resolution for hardware that has been released in the last 5 years.)
AR: My sources at Microsoft and in the Linux community indicated that if the system is properly configured and not vulnerable to another remotely exploitable vulnerability, then the impact of this vulnerability on older systems will be minimal. So, good software hygiene is essential to protect those older systems.
II: From a practical point of view, what can organizations do (aside from waiting for patches)? What about end users who aren’t aided by enterprise security teams?
AR: The biggest problem lies in cloud computing situations. Probably the best thing to do for most organizations is to evaluate what “secrets” are contained in their VMs and containers running in public IaaS systems and then evaluate if any of those “secrets” are sensitive enough that those computing workloads should be moved from public IaaS to on-premises datacenter environments.
II: In your view, what do mass vulnerabilities like Meltdown and Spectre say about the state of IT architecture and information security today?
AR: In speaking with Marcus Ranum about this vulnerability, I agree with his analogy that infoSec is like building a castle on the shifting sands of a beach. You can try to build the strongest fortification possible, but if the sand washes away from underneath the walls, they just tumble by themselves.
Computing systems have become so complex that very few mere mortals can understand them as they’re implemented, let alone the hardware and software supply chains that underpin the ecosystem. We are now seeing a reality where many technologies are essentially pre-compromised by vendors at the behest of nation/state organizations. What is the real impact of a vulnerability like Meltdown or Spectre if the very foundations of our security architectures are compromised (through pre-compromised encryption algorithms and injecting hostile root-of-trust authorities into systems)? This scenario makes me ask the question: how many more fundamental security problems are we going to have to suffer until someone disrupts the ecosystem and delivers a truly trustable computing framework? I’m not smart enough to do that… so I’ll just be waiting and watching like the rest of us.
[i] Fear, uncertainty, and doubt—a common scare tactic.
Interested in learning more from subject matter experts like Aaron Turner? Join us at InfoSec World 2018 in Orlando, Florida. You can view the entire agenda here.