Meltdown and Spectre: the juiciest bug of 2018?
04/01/2018
2018 starts wonderfully: a new kind of vulnerability has been disclosed, an hardware bug!
Documentation about this is available from sources with considerable authority, from university researcher or google official blog.
However, a closer analysis of the threats raises doubts about their seriousness. The risk to be affected by them seems rather low.
"...Meltdown allows an adversary who can run code on the vulnerable processor..." [https://meltdownattack.com/meltdown.pdf]. Thus for dedicated server, the vulnerability implies a logged attacker. Of course for VM or VPS, you don't control who runs code on the physical host you share. But servers administrator core preoccupation is to keep attacker from logging on their systems.
As for "Spectre" [https://spectreattack.com/spectre.pdf], the so called proof of vulnerability - among other prerequisites unlikely to happen - relies on the "victim" code to have an instruction such as "if (x < array1_size) y = array2[array1[x] * 256];"! Who would write such a code and what for?
These two quoted papers remind of academic context where such unpractical conditions hidden behind well handled complexity are often observed. The underlying techniques are too complex to be easily understood but the presentation is convincing.
Even google (https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html) admits that "To take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system."
Anyway, even if the risk is much lower that it is presented, the inevitable result will be a massive update frenzy: an ideal opportunity to deploy other vulnerabilities, spywares or backdoors and to motive hardware replacement...
First, the software fix will decrease performance: a motivation to invest in faster - and more expensive - systems. Eventually the hardware fix will require new computers. Thus it is not surprising that all CPU vendors happily admit that their products are affected.
Whatever dangerous Meltdown and Spectre may be, they are certainly a huge opportunity of profit.
Well done.