Meltdown and Spectre

A collection of articles on the Meltdown and Spectre attacks against speculative execution in processors. I’ve roughly organized these from the newest to the oldest, so if you check this page for new articles from time to time, you can just look at the top articles, with the exception of the first link.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. —

Software containers can offer some respite against Spectre and Meltdown attacks — but without the help of critical security tools and practices, they remain relatively easy targets. “Containers are harder to exploit and are easier to protect than other systems, such as virtual machines, are. But I’m not trying to say you have nothing to worry about, either,” said Michael Cherny, head of research for, Aqua. “Containers are like a single-door house. In comparison, a virtual machine on the cloud can have many doors you can open with Spectre and Meltdown.” —B. Cameron Gain @The New Stack

Modern computers do lots of things at the same time. Your computer and your phone simultaneously run several applications — ­or apps. Your browser has several windows open. A cloud computer runs applications for many different computers. All of those applications need to be isolated from each other. For security, one application isn’t supposed to be able to peek at what another one is doing, except in very controlled circumstances. —Schneier on Security

Yesterday we looked at Meltdown and some of the background on how modern CPUs speculatively execute instructions. Today it’s the turn of Spectre of course, which shares some of the same foundations but is a different attack, not mitigated by KAISER. On a technical front, Spectre is as fascinating as it is terrifying, introducing a whole new twist on ROP. —the morning paper

Capsule8, unveils the beta version of the Capsule8 Open Source Attack Detection Sensor. The new Open Source Sensor is used as part of the Capsule8 Protect platform. It will facilitate real-time detection of Linux-based attacks.Next, the company has announced providing open source proof of concept code for the first fast, efficient detection of the Intel Meltdown vulnerability, with minimal false positives. —Capsule8

With the fixes for them are starting to appear, now it is up to the IT organizations of the world to start figuring out not only how to patch all of their machinery, but to calculate what impact these patches will have on the performance of their applications. As with everything in life, the impact of both Meltdown and Spectre will depend on the architecture of the systems and applications and the nature of the patches that become available to keep these security holes from being exploited. —Timothy Prickett Morgan @ The Next Platform

Both Meltdown and Spectre stem from a performance-related feature of modern CPUs called speculative execution. This comes into play when a processor reaches a conditional branch in a program’s control flow. Instead of entering an idle state and waiting to see the path the program will take, the CPU uses internal algorithms to guess the most likely path and to execute instructions in advance. If it later turns out the chosen path was incorrect, the speculative execution results are discarded before making them available to the system, and the CPU resumes execution down the correct path. —Lucian Constantin @ The New Stack

Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices. At issue are two different vulnerabilities, dubbed “Meltdown” and “Spectre,” that were independently discovered and reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. —Krebs on Security<

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which of course is not a solution — is to throw them all away and buy new ones. On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15-20 years. They’ve been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer. (The research papers are here and here.) —Bruce Schneier

Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it’s been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches. —ARS Technica

You don’t have to worry if you patch. If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry. If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it’s probably not news the average consumer needs to concern themselves with. —Robert Graham @ Errata Security

The tl;dr version is this: the CPUs have no bug. The results are correct, it’s just that the timing is different. CPU designers will never fix the general problem of undetermined timing. —Robert Graham @ Errata Security

In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” — a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance. In addition, we have deployed Kernel Page Table Isolation (KPTI) — a general purpose technique for better protecting sensitive information in memory from other software running on a machine — to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform. —Google Security Blog