How chip flaws Spectre and Meltdown work

Photo: Getty Images
Photo: Getty Images

Smartphones, tablets, PCs and servers across the world have received software updates in recent days to plug security gaps on computer chips that cyber security researchers have described as the most serious threat in years.

Researchers identified the problem last year, shared details with chip manufacturers in mid-2017 and then made a public announcement on January 3.

Intel Corp has admitted that the recently issued patches for flaws in its chips could cause computers using its older Broadwell and Haswell processors to reboot more often than normal and that Intel may need to issue updates to fix the buggy patches.

In a statement on Intel's website on Thursday, Navin Shenoy, general manager of the company's data center group, said Intel had received reports about the issue and was working directly with data center customers to "discuss" the issue.

"We are working quickly with these customers to understand, diagnose and address this reboot issue," Shenoy said in the statement. "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels."

   
What's the problem?

The vulnerabilities, known as Meltdown and Spectre, can allow passwords and other sensitive data on chips to be read.

The flaws result from the way computers try to guess what users are likely to do next, a process called speculative execution.

Simon Segars, the chief executive of chip designer ARM Holdings, described speculative execution as the equivalent of spinning a bunch of plates in the air, with the plates holding data.

Watching the order in which the plates land lets observers infer the data, he told Reuters during an interview on Wednesday at the tech industry's CES conference in Las Vegas.

How bad is it?

Affected chipmakers and large technology companies including Alphabet Inc's Google say they have not seen any malicious hackers use Meltdown or Spectre in attacks, but the vulnerabilities affect most modern computing devices.

Security analysts have said that Meltdown, which only affects Intel Corp chips, is easier to exploit because the program to steal passwords and other data can be hidden on a website.

Spectre, meanwhile, requires more direct access to the microchip, but affects central processing units from Intel, Advanced Micro Devices Inc and SoftBank Group Corp's ARM.
       
How have chipmakers and technology companies responded?

Chipmakers have teamed up with Google, Microsoft Corp, Apple Inc and other leading tech companies since the summer to devise software patches.
   
Do the fixes have side-effects?

The slowdown particularly affects Intel chips vulnerable to Meltdown.

Intel said on Wednesday that the performance decline is as much as 10%, but that a typical home and business PC user should not see big changes in how long it takes to save a document or open a photo stored on a computer.

The patches, however, do not always work with other software. For example, a fix for Spectre led to issues turning on some computers with AMD chips, and a Meltdown patch for Microsoft Windows required changes from antivirus makers.
   
What's being done to prevent similar problems in the future?

ARM's Segars said his company has been tweaking designs for future chips to add "maximum flexibility."

The biggest change is adding more transistors to chips, a negligible cost, to make it easier to turn chip features on and off, he said.

Giving yourself "maximum flexibility" means it will be easier to respond to future flaw discoveries, Segars said.

Chipmakers and operating system makers must also collaborate more.

"What’s important to establish there is guidelines around how to write software so you don’t run afoul," he said.

Add a Comment

 

 

global_insight_header_.jpg