Thursday, January 4, 2018

The CPU security bug from hell

There is a spectacularly dangerous security bug in Intel CPUs that is the talk of the security community.  What makes this bug so dangerous is that it bypasses the security controls that everyone relies on to keep programs from causing mischief.  I've been in security for a long time, and this is one of the worst bugs I can remember.

For the technically inclined (and likely only the technically inclined), here's a good overview of Spectre and Meltdown.

The short version for everyone else is that this bug allows a computer program to spy on the operating system and on other programs.  Worse, it likely allows the program to tamper with these.  Like I said, this is pretty serious stuff, so serious that Intel released a Press Release that is getting mocked by lots of people.  It's bad when a company has to get PR flacks involved for a security issue, and it's worse when Linux Torvalds tells the world that you're L4m3.

So what is the impact to you?  Well, it depends on what you do with your computer.

I just email/browse the web/Facebook: You don't need to worry for now if you get the patch.  It seems likely that this bug can be weaponized on desktop computers, but the patch will fix this and not have noticeable impact to you.  If this changes, I'll do another post, but don't sweat this - just get the patch.  The patch will come from your regular software update (Windows Update or Linux patch from your distro).

I run servers for my company: You have a problem, and need to apply the security patch.  It seems unlikely that you can just monitor logs, because this bug bypasses kernel security and so you logs would be suspect.  Note that the patch will slow your servers down, maybe by a lot (I'm hearing 20% or more for database servers).  If you run cloud servers like AWS, expect to pay another 5-10% in monthly CPU costs due to the slow down.  You will need to update the software on any Hypervisor - VMWare, Xen, Docker, etc.

This said, what we're seeing is a new class of security vulnerability that we've never seen before.  I expect that this isn't the only vulnerability of this type, and so we can expect to see more of these in the future.  Right now this is just for Intel (if you have AMD CPUs then you're not vulnerable) but there is no reason to thing that AMD is immune - likely nobody has (yet) looked at that hardware.  At least that we know (*cough* NSA *cough*).

The other implication is that self driving cars are probably MUCH less safe than we think (and some of us don't think that they're very safe).  More specifically, their security models are not robust, and so  we can expect them to be a target rich environment for all sorts of mischief.

UPDATE 4 January 2018 12:22: Microsoft is releasing an out-of-normal-schedule update to fix this later today.  This is very unusual and shows how serious this issue is.  If you have autoupdate enabled (you almost certainly do) then this will automatically download and install tonight.  Your computer will have to reboot.

And note that Apple has already patched this in MacOS 10.13.2 which came out a month ago.


Old NFO said...

Thanks, I need to check the laptop, since I haven't used it in a while... sigh

Unknown said...

If you read the google team’s release you’ll see that AMDs aren’t immune. They got a PoC to work on one ARM too

This seems to be a byproduct of a cpu that runs speculative branching. One wonders if the Sparcs/mips/power/itanium CPU’s would be affected but we don’t know because no one runs them any more.

juvat said...

Might want to change the update date to January, as someone might think they've already got it with the December date you posted.

Borepatch said...

Thanks, Juvat. Fixed.