Meltdown and Spectre
maddog's Doghouse
A serious security problem requires your attention.
I was lying in my bed in the early morning of January 3rd, 2018 when a tweet woke me from my sleep; not a tweet from a bird (nor from the president of the United States), but a tweet from a security researcher discussing two rather bad hardware issues with a large number of CPU chips.
These issues, now known as "Meltdown" and "Spectre," have been rocking the computing world for the past couple of days. Unlike many other security exploits, these are not really "fixable" by a simple software patch, are not operating-system specific, and cannot be avoided by telling your mother not to post her password on her computer screen.
Both have to do with modern hardware architecture and an issue called "out-of-order instruction execution," used to speed up the processor. Sometimes this feature is used to fetch instructions on both sides of a branch (both the "true" and the "false" side), so as soon as the condition is known, the instructions are ready to execute. Access to this "pre-fetched" data could allow a carefully crafted user-level program to access kernel memory, and once that happens, any data on the machine is vulnerable to being read, including passwords, security certificates, and so forth.
At first this was painted as a problem mostly or even solely with Intel processors, but as people investigated it was projected that at least some AMD and some ARM processors are affected. AMD has now stated that none of its processors have this problem. It also depends on when the processor was designed (starting in 1965) and what class of processor it is (Intel 64-bit processors seem to be prime culprits), as not all processors perform out-of-order execution.
The bad news is that the more powerful and expensive the processor is (think server systems, high-end desktops, gaming systems, and superior grade notebooks), the more likely it is to have this feature. Cloud server systems are particularly vulnerable, since they typically run lots of applications at one time.
It is conceivable that even applets and web-based applications could trigger this type of exploit, although the Apache Software Foundation (as an example) has taken steps to make sure that Apache-based applications cannot exploit this by restricting access to the high-precision timers that can be used for the exploit. Google has also applied these types of fixes to their systems.
As with many security exploits, this was "embargoed" by the security research groups as people scrambled, first to understand the problem and then to find a solution. Eventually, as solutions were found, the problem was "leaked," which resulted in my early morning tweet. Before I wrote anything or contacted anyone, I checked sources for the "leak," and, feeling assured that the information was both true and correct, I sent out messages to other people I knew.
Understand that these are reasonably hard exploits to utilize, and the application trying to exploit them needs to be on the local machine. But in the day of shared cloud servers, the heavy use of containers, and web-based applications, this is not a rare occurrence.
There are now tens of thousands of people in the world who have the expertise to exploit this, and perhaps hundreds who would have the expertise and the desire. With today's Internet, you really only need a few such people.
The Linux kernel has released a patch that stops most of the exploits, and Microsoft and Apple will do the same. By the time you read this, your favorite distribution should have a replacement kernel ready for you.
Lack of detailed information about which processor is in your server, desktop, tablet, or device, and whether that processor is affected by this exploit, will make it harder to determine if you need the patches. This is a problem on two fronts.
Current patches in the Linux kernel (and I assume in other affected operating systems) cause a slowdown. The slowdown occurs because the kernel no longer shares address space with user programs, and this causes overhead for the hardware as the system shifts back and forth between kernel memory and user memory during interrupts and system calls. The percentage of slowdown depends on the programs being executed, and typically heavy I/O programs (such as database engines or network-heavy programs) take the brunt of the slowdown.
You can partially disable these patches by booting with nopti as a kernel boot option if your environment is secure or you are using a processor that is unaffected.
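One way to check whether a given Linux machine is affected and whether the isolation patch is active or was switched off at boot, as an added example that is not part of the original column. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/meltdown (an interface the article does not mention) and also treats the pti=off and mitigations=off boot options like nopti; the sample command line is constructed.

```shell
#!/bin/sh
# Added example (not from the article): report Meltdown / page table isolation status.
# Assumption: the kernel exposes the sysfs file below; older kernels may not have it.
SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown

# Return 0 if the boot command line ($1) switches page table isolation off.
# Padding with spaces matches whole options only, so "noptimize" is not a hit.
pti_disabled_by_cmdline() {
    case " $1 " in
        *" nopti "*|*" pti=off "*|*" mitigations=off "*) return 0 ;;
    esac
    return 1
}

# Classify the host from the sysfs text ($1) and the boot command line ($2).
meltdown_status() {
    case "$1" in
        "Not affected"*) echo "unaffected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)
            # Distinguish "patch deliberately turned off" from "patch missing".
            if pti_disabled_by_cmdline "$2"; then
                echo "disabled-by-boot-option"
            else
                echo "vulnerable"
            fi ;;
        *) echo "unknown" ;;   # no sysfs report: kernel predates the interface
    esac
}

# Live check on this machine; falls back to "unknown" if the files are absent.
report=""
if [ -r "$SYSFS" ]; then
    report=$(cat "$SYSFS")
fi
cmdline=$(cat /proc/cmdline 2>/dev/null || true)
echo "this host: $(meltdown_status "$report" "$cmdline")"

# Constructed sample: an affected CPU booted with nopti.
echo "sample:    $(meltdown_status 'Vulnerable' 'BOOT_IMAGE=/vmlinuz ro nopti')"
```

A result of "unknown" means the kernel does not report its status, which is itself a sign that it may predate the patches.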
This exploit has roots back to 1995; there are thousands of systems still being used that will not get their kernel updated. Desktops running Microsoft Windows XP (yes, they are still out there), as well as older Apple systems, are just two examples.
Caveat emptor.