Spectre and Meltdown CPU Vulnerabilities: What are they?

This week, we learned that billions of the microprocessors (CPUs) in use today, from Intel, AMD and ARM alike, contain flaws in the way they speculatively execute instructions, flaws that let a program read data it was never given permission to see, as that data is being processed. Affected CPUs are found in hardware ranging from smartphones, to PCs, to cloud infrastructures the size of a datacenter. The two vulnerabilities are called Meltdown and Spectre: Meltdown because it melts the security boundary that the hardware normally enforces between user programs and the operating system's memory, and Spectre because its root cause is speculative execution, the technique CPUs use to guess ahead at the instructions they will need next.

In plain English: on an affected device, an attacker could write a program that, while it runs, eavesdrops on data the rest of the device is processing. Once the attacker gets that program running on the device, whether as an installed application or, in the case of Spectre, as JavaScript in a web page, it can read memory that belongs to the operating system or to other programs and transmit what it finds back to the attacker.

Unlike conventional malware, which relies on a bug in some piece of software, these attacks rely on the CPU working exactly as designed. To run fast, a modern processor speculatively executes instructions it guesses will be needed next and discards the results if the guess was wrong. The discarded work still leaves traces in the processor's cache, and an attacking program can measure those traces with precise timing to reconstruct data it was never allowed to read. The attacker still needs code running on the device, but that code never reads the victim's data directly and never trips a failed permission check. Compare it to wiretapping, but at the bridge point between a CPU's hardware and how it manages instructions.

An attack of this kind would not be visible to the data owner or to any of the software handling the data: no file is opened, no permission check fails, no log entry is written. Because the flaw is in the hardware, the operating system, along with the firewall, security and anti-virus services it runs, cannot recognise such a read as an intrusion; the only remedy is software patches that work around the CPU's behaviour.
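To make the "wiretap in the hardware" concrete, here is an added illustration (not code from the original post, and not an exploit on its own) of the cache timing channel that both Meltdown and Spectre use to carry the stolen data out. The "sender" touches one of 256 memory lines chosen by a secret byte; the "receiver" then times a load of every line and picks the fast one, because only the touched line is still in the cache. In the real attacks the sender's load is executed speculatively on a byte the program may not read and is rolled back by the CPU, but the cache footprint survives, which is exactly what the receiver recovers. Nothing here is a file read, a system call or a failed permission check, so there is nothing for an operating system or anti-virus product to log. Assumptions: an x86 CPU (clflush and rdtscp), 4096-byte pages, 64 rounds with a majority vote, and a threshold-free "fastest line wins" decode; on other architectures the function reports that it is unsupported.

```c
/* Flush+Reload cache covert channel: the "listening" half of Meltdown and
 * Spectre, without the speculative read that supplies the secret.
 * Added illustration for this post, not code from it. x86 only (clflush, rdtscp). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#endif

#define PAGE   4096   /* one probe line per page: page stride defeats the hardware prefetcher */
#define ROUNDS 64     /* repetitions for the majority vote (assumed sufficient) */

static uint8_t probe[256 * PAGE];

#ifdef HAVE_X86
/* Evict every probe line from all cache levels. */
static void flush_all(void)
{
    for (int i = 0; i < 256; i++)
        _mm_clflush(&probe[i * PAGE]);
    _mm_mfence();
}

/* Sender: touch exactly one line. In the real attacks this load runs
 * speculatively on a byte the program is not permitted to read; the CPU
 * rolls the load back, but the line it pulled into the cache stays. */
static void encode(uint8_t secret)
{
    volatile uint8_t *p = &probe[secret * PAGE];
    (void)*p;
}

/* Time one load in cycles, fenced so that nothing else is measured. */
static uint64_t timed_load(volatile uint8_t *p)
{
    unsigned int aux;
    _mm_mfence();
    _mm_lfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}

/* Receiver: time all 256 lines; the cached one is the fast one. */
static int decode_once(void)
{
    int best = -1;
    uint64_t best_t = UINT64_MAX;
    for (int k = 0; k < 256; k++) {
        int i = (k * 167 + 13) & 255;        /* scrambled order, another anti-prefetch measure */
        uint64_t t = timed_load(&probe[i * PAGE]);
        if (t < best_t) { best_t = t; best = i; }
    }
    return best;
}
#endif

/* Run the channel ROUNDS times and return the byte seen most often,
 * or -1 on a CPU without clflush/rdtscp. */
int recover_byte(uint8_t secret)
{
    memset(probe, 1, sizeof probe);          /* fault the pages in before timing anything */
#ifndef HAVE_X86
    (void)secret;
    return -1;
#else
    int hits[256] = {0};
    for (int r = 0; r < ROUNDS; r++) {
        flush_all();
        encode(secret);
        hits[decode_once()]++;
    }
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (hits[i] > hits[best]) best = i;
    return best;
#endif
}

int main(void)
{
    uint8_t secret = 'S';                    /* constructed sample secret */
    int got = recover_byte(secret);
    if (got < 0) { puts("unsupported CPU: no clflush/rdtscp"); return 1; }
    printf("sent 0x%02x, receiver recovered 0x%02x from cache timing alone\n", secret, got);
    return got == secret ? 0 : 1;
}
```

Build with `gcc -O2 covert.c -o covert` and run it on an x86 machine; the recovered byte matches the one sent, although the receiver never reads the secret's memory, only the clock. Everything a real Meltdown or Spectre attack adds to this is the speculative load that puts the secret into `encode`'s index.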

If loaded onto your smartphone, consider that emails, messages, photographs — pretty much all of the data on your device — could theoretically be monitored without you or your phone’s operating system having any clue it was occurring. Now imagine it on a larger scale, such as with a cloud hosting service. With these vulnerabilities, customer data could be obtained, passwords and credit card information copied, and entire social media accounts compromised, all without a hint of anything awry. That’s what is so alarming.

And that leads me to a point regarding our stance on cloud hosting. Cloud has its use, but unless you’re looking at uncontrollable scalability concerns, in our opinion, the risks outweigh benefits. Since its advent, cloud hosting has concerned us due to the level of integration and reliance that both data and hardware share with one another. Your business might be located in Oregon, but your data could also be stored in New York, or Sweden, or Thailand, or all four places, wherever the cloud determined your data should be stored. And, your data neighbors in each of those places could be up to no good. Should there be a lapse in security, as with Spectre and Meltdown, the keys to the entire kingdom could effectively be handed over, all of your data obtained, and no way to know of or prove it.

And now, those concerns are a reality. Cloud computing takes advantage of pooled computer resources that are shared between users (tenants). With these vulnerabilities, one of those tenants could be an attacker: rent a virtual machine on a shared host, run the attack from inside it, and read memory belonging to the host system or to the other tenants' machines on the same physical hardware, then repeat this on as many hosts as the provider will rent out. In several industry articles we’ve read, cloud hosting has been noted as the platform of greatest concern.

As a customer of Canvas Host, what we want you to know is that while we are concerned about the potential impacts of these vulnerabilities, at this time we are confident your data is safe. None of your data is hosted in a cloud environment, and we carefully vet all customers in our network. Though we cannot guarantee your data is entirely safe from these vulnerabilities, through our business operations we have already taken many steps to protect you.

Patches for the vulnerabilities are already being finalized and released for most active operating systems. There is no single fix: Meltdown is addressed by operating-system updates that keep the kernel's memory out of a user program's reach (kernel page-table isolation), while Spectre requires a combination of operating-system updates, recompiled software and CPU microcode updates from the hardware vendors. It has been noted that, at least initially, the patches may cause as much as a 30% slow-down in CPU performance depending on the workload, with the heaviest cost falling on software that makes many system calls, such as databases and busy web servers. This could considerably impact all data processing services, including hosting provider platforms like those we use.
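The practical question once patches ship is whether a given host actually has them active. As an added example (not from the original post, and not a Canvas Host tool), the program below reads the status files that Linux 4.15 and distribution kernels with the backported fixes expose under /sys/devices/system/cpu/vulnerabilities/, one file per issue, and turns them into a pass/fail answer. The sample status strings in the comments and the three issue names are the kernel's own formats; the directory name is assumed to be the standard one, and a missing file is deliberately treated as "not proven mitigated" rather than as safe.

```c
/* Read the Linux kernel's own report of Meltdown/Spectre mitigation status.
 * Added example for this post, not code from it. Relies on the sysfs files
 * that Linux 4.15 and backported distribution kernels expose under
 * /sys/devices/system/cpu/vulnerabilities/ (one file per issue). */
#include <stdio.h>
#include <string.h>

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities"   /* assumed standard path */

enum status { STATUS_UNKNOWN, STATUS_NOT_AFFECTED, STATUS_MITIGATED, STATUS_VULNERABLE };

static const char *ISSUES[] = { "meltdown", "spectre_v1", "spectre_v2" };

/* Classify one status line in the form the kernel writes it, e.g.
 * "Not affected", "Mitigation: PTI", "Vulnerable",
 * "Vulnerable: Minimal generic ASM retpoline" (constructed samples). */
enum status classify(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

const char *status_name(enum status s)
{
    switch (s) {
    case STATUS_NOT_AFFECTED: return "not affected";
    case STATUS_MITIGATED:    return "mitigated";
    case STATUS_VULNERABLE:   return "VULNERABLE";
    default:                  return "unknown (file missing: pre-4.15 kernel or not Linux)";
    }
}

/* Read <dir>/<issue> into out and classify it; a missing file is STATUS_UNKNOWN. */
enum status read_status(const char *dir, const char *issue, char *out, size_t outlen)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, issue);
    out[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f) return STATUS_UNKNOWN;
    if (!fgets(out, (int)outlen, f)) out[0] = '\0';
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return classify(out);
}

/* 1 if every issue is reported as mitigated or not affected, else 0.
 * Unknown counts as not mitigated: absence of the file is not proof of a patch. */
int host_is_mitigated(const char *dir)
{
    char line[256];
    for (size_t i = 0; i < sizeof ISSUES / sizeof ISSUES[0]; i++) {
        enum status s = read_status(dir, ISSUES[i], line, sizeof line);
        if (s != STATUS_MITIGATED && s != STATUS_NOT_AFFECTED) return 0;
    }
    return 1;
}

int main(void)
{
    char line[256];
    for (size_t i = 0; i < sizeof ISSUES / sizeof ISSUES[0]; i++) {
        enum status s = read_status(VULN_DIR, ISSUES[i], line, sizeof line);
        printf("%-10s %-14s %s\n", ISSUES[i], status_name(s), line);
    }
    return host_is_mitigated(VULN_DIR) ? 0 : 1;
}
```

Run it after rebooting into the patched kernel; an exit status of 0 means all three issues read as mitigated or not affected. A kernel that is too old to have these files fails the check on purpose, since on such a kernel the Meltdown fix cannot be present.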

We are actively monitoring our software vendors’ communications and are awaiting release of the patches. We will thoroughly test them before rolling them out to all of our hosting platforms, and will communicate directly with all of our dedicated customers to arrange times when the patches can be rolled out to those systems as well.

If you have any questions or concerns, please contact us and we’ll be happy to address them as best we can.

Thank you,

David Anderson, Owner

Sources:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://meltdownattack.com/#faq-why-spectre

Spectre and Meltdown logo credits:

Natascha Eibl, Graz University of Technology


This blog is published by David Anderson, Principal and owner of Canvas Host.