Two of the most publicised vulnerabilities in the 2010s were very closely related to each other. Rather than being security vulnerabilities in software, Spectre and Meltdown are vulnerabilities in the fundamental design of CPUs making the issue’s more difficult to resolve. The issues themselves are particularly severe, allowing for memory disclosure from other applications and the operating system.
CPUs use incredibly advanced designs to achieve the highest performance including techniques including speculative execution and branch prediction. Speculative execution is where the CPU starts running a process before it knows if it needs to, in an attempt to save time when it does determine that it needs to. Branch prediction is a sub-set of speculative execution that attempts to predict the outcome of a process and then starts computing the next step based on that predicted value allowing the CPU to execute a series of instructions out of order.
The Spectre vulnerability comes from the implementation of these two features. It allows an application to breach the memory isolation techniques built-in to most modern software allowing the disclosure of memory, including secrets like passwords and encryption keys. One of the issues with Spectre, is that data can be access from applications that don’t have any security vulnerabilities as only a malicious program is required.
The Meltdown vulnerability is based on some memory techniques, as well as the speculative execution system mentioned above. It utilises a “race condition” between the process execution and the privilege check and allows a malicious program to access the memory of other applications and the operating system.
Tip: A “race condition” is an issue where one task is supposed to rely on another, but the correct execution order isn’t enforced. This can result in the “second” process running first and using uninitialised memory that should have contained the result of the “first” process, leaking the previous contents of that memory. In this specific case, the process shouldn’t run until a permissions check has verified that it is allowed to, but the permission check can happen second due to performance optimisations.
In mid-2017 multiple teams independently discovered and reported both Meltdown and Spectre privately to CPU manufacturers who developed patches. Due to the patches targeting performance optimisations, they ended up reducing the performance of CPUs by up to 30% in the worst-case scenarios, with a 2-14% performance decrease being more representative of people’s experiences.
The vulnerabilities affected many x86 CPUs, IBM POWER CPUs, and some ARM-based CPUs. Meltdown affects the hardware typically found in personal computers as well as cloud servers. Spectre affects personal computers, cloud servers, and mobile devices. All intel CPUs from 1995 to mid-2018 were vulnerable to the issues (with the exclusion of the Itanium and Atom lines before 2013). AMD CPUs were not affected by Meltdown but were vulnerable to Spectre.
Software mitigation patches were developed and released through operating system providers that resolve the majority of the issues. Since mid-2018 Intel has updated their CPU design to include hardware mitigations for the issues.