Meltdown software





















What is it about the Spectre and Meltdown attacks that scared everyone so much? Host Steve Ragan and J. Porup talk through the impact of these hardware flaws.

Josh Fruhlinger is a writer and editor who lives in Los Angeles. When software developers write an application, they generally expect the processor will follow their instructions as written. Features like speculative execution typically make no difference on the developer's end of things, so they go unnoticed other than the fact that the processor is nice and fast.

This means that software can be written and released with unexpected side effects the developers never noticed. Speculative execution is just one feature that has gone largely unnoticed and unchecked over the course of the careers of hardware developers.

The issues with it were hiding in plain sight for 20 years and could have theoretically been discovered at any time but only publicly surfaced recently. That means other long-standing issues could easily be hiding in the same way. Software and hardware providers have scrambled to push out patches to deal with the Meltdown and Spectre issues as best as they are able.

This catch-up game is not where they want to be, and it would be preferable if they had been prepared for the issue before releasing their products. These sorts of hurried patches are a necessity and can help to prevent damage, but they can be unstable and introduce new issues in place of the one they fix (hello, regression testing). While some users can apply patches without interruptions, others cannot afford to stop production to apply them, such as hospital machines or airline control systems.

Board members will be scrutinizing new software more harshly in hopes of avoiding these sorts of problems in the future. Automated testing works well for detecting issues the developers know can happen or would expect to see. However, Meltdown and Spectre were issues that were present for years and were never discovered or detected by automated testing. While the code they used was specifically geared to see the issue in a proof of concept, it took a trial-and-error approach to actually see the resulting bug they were looking for.

While exploratory testing does not necessarily identify and isolate these hidden issues, it can reveal consistent unexpected effects they have on programs. Once you have repeatable steps to see an issue like this, it can give your developers a roadmap of what needs fixing and what to alter about their program, even if their code did not technically allow for the issue. You may be able to form an automated test from the results, but you can still use the steps as a testing script even if that is not possible.

Adding this to your workflow can help you to stay ahead the next time one of these issues surfaces, even if you did not technically identify what flaw there was in the chip or operating system. If you are interested in improving the exploratory testing ability of your QA department without increasing your headcount, we recommend looking through our Enterprise Exploratory Testing Guide.

This may include passwords and sensitive data stored on the system. Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since except Intel Itanium and Intel Atom before We successfully tested Meltdown on Intel processor generations released as early as Currently, we have only verified Meltdown on Intel processors.

At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable.

Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ, are affected. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers Meltdown and Spectre.

The vulnerability basically melts security boundaries which are normally enforced by the hardware. The name is based on the root cause, speculative execution.

As it is not easy to fix, it will haunt us for quite some time. Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre.

Furthermore, there is a Google Project Zero blog entry about both attacks. CVE is the official reference to Meltdown. Both the Meltdown and Spectre logo are free to use, rights waived via CC0. Logos are designed by Natascha Eibl. Yes, there is a GitHub repository containing test code for Meltdown. We would like to thank Intel for awarding us with a bug bounty for the responsible disclosure process, and their professional handling of this issue through communicating a clear timeline and connecting all involved researchers.

Furthermore, we would also thank ARM for their fast response upon disclosing the issue. Meltdown and Spectre Vulnerabilities in modern computers leak passwords and sensitive data.

Meltdown breaks the most fundamental isolation between user applications and the operating system.


