Home Uncategorized Understanding Spectra And Meltdown Vulnerabilities
Uncategorized

Understanding Spectra And Meltdown Vulnerabilities

Spectra and Meltdown: Types of Computer Security Vulnerabilities

Vulnerability defines the coding or design flaw in the system that causes the security flaw at the end point of the system or the network (Lipp et al. 2018). Vulnerability enables the chances for the unauthorized users to access the memory or hardware of the system and manipulate the functions of the system. It also increases the chance of hacking the system which includes overrun of buffer and the code injection (Simakov et al. 2018). Many organizations appoint the cyber expert to find out the vulnerability in their system. This practice helps them to detect the flaw in the system and based o those flaws they can upgrade their system to a more secured one. Spectra and meltdown are two types of computer security vulnerabilities (Simakov et al. 2018). These are hardware vulnerabilities. Spectra and meltdown can access the information from the memory in the system and can get access of the important information like password of the system (Lipp et al. 2018). These vulnerabilities can be active in personal desktop, mobile and cloud. In a recent research it has been found out that nearly every system that has been manufacturing since last 20 years contains those vulnerabilities. The main cause of the flaw is the chips which are used in the system. The chips are designed to run faster and this mechanism has created these vulnerabilities. It has not been found yet that exploitation of those flaws has happened in a large scale but there are chances that these vulnerabilities can become a threat to the security of the system (Baker  2018). Spectra and meltdown are the vulnerabilities which are known as the catastrophic to the security experts as the impacts and presence of these two meltdowns are much whispered. There are some similarities between the spectra and meltdown but these two are the different types of vulnerabilities. The presence of these two security flaws has been discovered by the experts in the end of 2017 and the articles are publishing in 2018. Technically there are three vulnerabilities, categorized based on the CVE number. The first two types of vulnerabilities are specified as the spectra and the last one is categorized as meltdown.

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

Vulnerabilities in computer security:

Vulnerabilities are the way that leads the system prone to the security threats like hacking and stealing of confidential information from the system. In late 2017 it has been found out that there are three kind of vulnerabilities present in almost all the systems, which has been manufacturing since 2000.The three kinds of vulnerabilities are-

  • Variant 1 (CVE-2017-5753)
  • Variant 2 (CVE-2017- 5715)
  • Variant 3 (CVE-2017-5754)

Spectra and Meltdown Vulnerabilities

 The first two kinds of vulnerabilities are categorized as spectra and the last is called meltdown.

Spectra:

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

Modern CPU has the facility called branch prediction. Using the branch prediction the CPU can execute a set of instructions at that particular location, where CPU believes the set belongs to. This feature of CPU increases the execution time as well as it ensures the utilization of CPU storage in a proper way and it minimizes the waiting time. This feature of the modern CPU helps the system to perform well. Spectra attack exploits the using of this branch prediction technology. The successful prediction of a branch will be followed by the retired of the code and after that memory read will be happened. In case, if the branch predication by the CPU is not successful the whole function will discard and the functions of those instructions will become ineffective (Kocher et al. 2018). During the discard of the function, some indirect effects of the processing of discard branch prediction remains the same – like change in cache in CPU. Extracting values from the speculatively executed code can be done from the cache by measuring the memory latency access. 

It also abuse the use of speculative execution chip the CPU can search the possible branches to which a set of instruction is involved, before the execution of the instructions (Kocher et al. 2018). This helps the CPU not to repeat the execution of same logical branch and this helps to reduce the CPU time cycle. . In speculative execution the Spectra leaks the data through cache lines (processer covert channels). This vulnerability can only steal data from the current process. However, it cannot get data from physical parts of the devices like kernel.  

The main feature of the spectra vulnerability is that it does not allow an unprivileged process to read the value or access the privileged process (Pieters, Hadžiosmanovi? and Dechesne 2016). It allows the execution of the victim’s process to access the data from the malicious program or execution.

Spectra misguide the user application to present the data in the wrong platform. This kind of attacks mostly happen the browsers where one tab can contain the sensitive information and another tab can contain the malicious code from the attackers. In this case the isolation of the two tabs can lessen the chances of attack.

In case of spectra variant 1 the conditional branch instruction is executed according to the prediction of the malicious code or predictions. In case of spectra variant 2, execution of instructions by the CPU happens in the location which is determined by the mispredicted branch.

Impact of Spectra and Meltdown on Business and Network Security

In case of attack caused by both the variant of spectra, there is a chance that the sensitive data in the system can be leaked in another process, which is not desirable. It also allows a part of the application to access the other part of the memory location of the same process which may not be permitted.

The access of spectra attack can not affect the kernel of the system. However, depending on the configuration of the user system, it can be possible for the spectra attack to access the kernel memory using user application.

Meltdown:

Meltdown uses the programs to read the information, which is only accessible to the operating system. It exploits the memory cache and speculative execution in order to do leak the data. In case of meltdown vulnerability, the attackers use a user program to gain access of data from the other parts of the system and sometimes data from the other system. Meltdown allows a program to gain access of the information from the other programs, which is not desirable and permitted. Meltdown does not require much knowledge of how the attackers work on the user program. It is a severe problem and this bug is present in some Intel chips.

The mapping of physical memory and virtual memory is contained in the page table. In order to increase the performance of the operating system, the address of kernel is mapped into user space. Generally, a kernel memory cannot read data from the user space (Kawakami,  Dahab and Nascimento 2015). User space reads a byte from the kernel address, it can create an exception and the leak of data can happen from the other side of the channel before the involvement of exception handler and generate an out of order execution (Park, Park and Kim 2014). This data is used to manipulate the array list which is accessible to the user space. The array is dependent on the value of the data (Di Pietro, Lombardi and Signorini 2016). In this case if an exception is generated the data cannot access the array list from the user space. The unpredicted process is accessed through the array list in the user space. The confidential data of the victim’s process get reveled to the other location as the element of the cache returns the value much faster.

The main mechanism of meltdown vulnerability is to create a race condition between out of order instruction and rising of exceptions (MUGARZA,  PARRA and JACOB 2018). Meltdown captures the memory value of kernel, which raise an exception as the user space cannot access the kernel space memory. However, out-of-order instruction along with the faulting instruction may execute. Some out-of-order exception is executed by the time when exception is raised. The raising exception causes the CPU to roll back the instructions but the cache state does not change 

Mitigation of Spectra and Meltdown Vulnerabilities

To mitigate the effect of the meltdown some patches are used. One of the important patches is KAISER which is Linux kernel mitigation (MUGARZA,  PARRA and JACOB 2018). The aim of this patch is to separate the kernel memory and the user space memory.

Meltdown breaks the system, which allows the application to access the arbitrary memory. The applications, can access the system memory.

It has been said that most Intel chips are affected by these vulnerabilities. Meltdown affects almost all Intel micro processors from 2010 (Mangelsdorf 2017). It has been noted that some AMD microprocessors are also affected by the meltdown vulnerability. Spectra works on non- Intel processor like ARM and AMD.

ARM and Intel provide details about the affected chips. However, AMD did not share any details about the products affected by these vulnerabilities.

Difference between meltdown and spectra:

Factors

Meltdown

Spectra

Triggering of CPU mechanism

Out-of-order execution

Speculative execution using branch prediction.

Platforms affected

Allows memory read in out-of-order execution.

Performs the speculative execution.

Difficulty to generate the  attack

Difficulty is low here because accessing kernel and modify the code can be done easily

Highly difficult as it is required to know the environment of the software at the user’s system.

Effects

Data from kernel memory get disclosed to the user space memory

Disclosure of data from inter-process memory

Patches used

Kernel –page table isolation

Indirect branch restricted speculation

The impact of these security flaws can affect on various fields like business, network. The main concern about spectra and meltdown is that these two security flaws are software and hardware independent. This indicates they can become a way of reveling data from any system.

Impact on business performance:

The systems those are involved in maintain the business information of the organization and handling the data of customer can be exposed to the security threats if these types of vulnerabilities are present in the system (Tatourian et al. 2017). In case of spectra o meltdown leads the attackers to get access of data from the system used in the business purpose; all the data regarding the consumers of the organization along with the sensitive information of the organization can be disclosed to the unauthorized source (Ferraiuolo et al. 2017). This can become a security threat for both the organization and the consumers.

Impact on the system:

Spectra and meltdown can make the violation of security through hardware to become more frequent like violation of the security through software (Devendorf, Zeliff and Jabbour 2016). There are some patches available in the market o fix these vulnerabilities but the best way in order to fix this problem permanently is to replace the CPU (Campbell  2016). This kind of flaws can develop in a large scale in future. The chances to get the access of the system through these flaws will make the hackers to exploit the opportunity. In this case, in order to get secured from hardware based attack, installing new hardware every time will not be a convenient option.

Impact on compatibility issue:

Installing the patching in different machines needs the perfect synchronization between the machine and the software (Abomhara 2015). The cause of vulnerabilities starts from microprocessor of the system. Microprocessors are the fundamental component of the system (Burleson, Mutlu and Tiwari 2016). There are many companies, who are inventing security patches in order to mitigate the security threat. The challenge is that if those patches are compatible with those machines and the versions of the software (Devendorf, Zeliff and Jabbour 2016). In this situation the application vendors are needed to customize those patches to make those compatible with the machines. During this course of customization the security patches cannot be kept secret. Unveiling the patch makes the malicious users and the hackers to get the opportunity to break the patch and access the system. 

Effect on the performance of the system:

Installing of these patches can reduce the performance and the speed of the system .However; it does not happen in many cases (Xiao,  Nahiyan and Tehranipoor 2016). It has been that the speed of most of the computers has not decreased much after installing the patches. However, in some cloud architecture the installing of the patches can slow down the speed of the computing (Arnbak et al. 2014). The main concern is that in future there may develop this kind of hardware vulnerability, in that case using more patches in the system may slow down the speed and it can hamper the performance.

The discovery of spectra and meltdown has given a certain impact on the security issues of the computer (Burleson, Mutlu and Tiwari 2016). Researches and the experts are focusing on the threats those come from hardware, which can allow the stealing of data from the system (More 2018). Stolen data can be password of the system and user’s data which can be sensitive and confidential. In this context of the vulnerability it has been found all the systems which have been manufacturing since 1995 are having these kinds of security flaws.

Since the discovery of these security flaws, many papers have been published in order to explain and prevent the situation (Balakrishnan 2015). The current situate implies to use certain patches which will be partially effective in order to mitigate the impact if the attack (Rob et al. 2014). However, there is no permanent solution of this problem has been found yet and the patches are not full proof solution- as for example- the patch to mitigate meltdown will not work to prevent the spectra attack.

In order to get the full proof solution to the problem of this situation, it has been recommended by the experts that a long term solution is required and updated guidance about the security is needed o be formed.

The impacts of these vulnerabilities can be-

  • Change in the design of the hardware:The hardware manufacturing companies will address the situation where these types of hardware security flaws can be detected and those companies will try to eliminate these situations while making the hardware.
  • Need of more advanced technology: The types and kinds of hardware security threat can be increased in future,  which means security experts needs to be more concerned about the possible threats on the system as , the threats can be come from both hardware and software end (Watson et al. 2018). This will make the technology to prevent the cyber attacks more advanced.
  • Increase of more complex cyber attacks:The CPU nowadays is more complex in nature with respect to the working principal (Watson et al. 2018). The complexity of the system enables hackers to find more vulnerability in the system and increase of number of these kinds of vulnerabilities will increase the possibility of attacks through hardware (Xiao,  Nahiyan and Tehranipoor 2016).. It can be said the discovery of spectra and meltdown has opened the new concept of hardware attack. 

There is no fixed solution or code to prevent this security flaw (Balik et al. 2015). However, there are some patches provided by the both microprocessor manufacturing companies and the application vendors (Campbell  2016). These patches can mitigate the effect of spectra and meltdown attack. However, there is no permanent solutions has been discovered yet for this problem.

Recommendations for the home users:

  • Operating system of the machine needs to be updated.
  • The update of firewall needs to be checked regularly.
  • Activation  and use of the anti-virus software are needed to be required

Recommendations for business organizations:

  • The operating system is needed to be updated along with the anti-virus and the firewall should be configured properly and maintained in a routine basis.
  • The browsers are needed to be updated. The security patches releases by the operating system providing company are needed to be installed properly.
  • The installation of patch in the system may make the speed of the system slow. In this case the administrator has to make it sure that the critical operations and the works are being monitored properly. In this case the administrators in the organizations can work with the application vendors, who are providing the patches, in order to mitigate the effect.
  • Only the use of trusted software needs to be allowed by controlling the access of the system.
  • In order to avoid the massive loss of data in the organization certain policy can be obtained by providing proper strategy and training of the employees.

Conclusion

It can be concluded from the above discussion that discovery of spectra and meltdown has a notable impact on the security of the system. The attack on the system through hardware was not much familiar before these two categories of vulnerabilities has come into the notice. The discovery of spectra and meltdown and spectra has increased the chances of violation of security through the hardware interface. There are patches available for different chips to mitigate the effects of the vulnerabilities. However, there is no permanent and convenient solutions to this problem .It can be assumed from the above discussion that these kind of hardware implantation flaws will lead to the various problems and concerns in the near future but, on the other hand it can be assumed that these types of security threats will help to develop the technology to protect the security of the system. The flaw in the design of hardware will help the hardware manufacturing companies to develop more advanced and flawless system which attributes towards an advancement of the technology. The awareness among the users about the identification and impacts of vulnerabilities and invention of long term mechanism in order to detect and prevent these kinds of security flaws can help the system to be secured from the attacks caused by the flaws in hardware mechanism. 

References

Abomhara, M., 2015. Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), pp.65-88.

Arnbak, A., Asghari, H., Van Eeten, M. and Van Eijk, N., 2014. Security collapse in the HTTPS market. Communications of the ACM, 57(10), pp.47-55.

Baker, M., 2018. Real, Unreal, and Hacked. IEEE Pervasive Computing, 17(1), pp.104-112.

Balakrishnan, N., 2015. The Principles of Dependability. In Dependability in Medicine and Neurology (pp. 1-31). Springer, Cham.

Balik, L., Horalek, J., Hornig, O., Sobeslav, V., Dolezal, R. and Kuca, K., 2015. Endpoint Firewall for Local Security Hardening in Academic Research Environment. In Computational Collective Intelligence (pp. 246-255). Springer, Cham.

Burleson, W., Mutlu, O. and Tiwari, M., 2016, June. Who is the major threat to tomorrow’s security? You, the hardware designer. In Design Automation Conference (DAC), 2016 53nd ACM/EDAC/IEEE (pp. 1-5). IEEE.

Burleson, W., Mutlu, O. and Tiwari, M., 2016, June. Who is the major threat to tomorrow’s security? You, the hardware designer. In Design Automation Conference (DAC), 2016 53nd ACM/EDAC/IEEE (pp. 1-5). IEEE.

Campbell, T., 2016. Threats and Vulnerabilities. In Practical Information Security Management (pp. 15-29). Apress, Berkeley, CA.

Devendorf, E., Zeliff, K. and Jabbour, K., 2016, August. Characterization of Antifragility in Cyber Systems Using a Susceptibility Metric. In ASME 2016 International Design Engineering Technical Conferences and Computers and Information in Engineering Conference (pp. V01BT02A014-V01BT02A014). American Society of Mechanical Engineers.

Di Pietro, R., Lombardi, F. and Signorini, M., 2016. Secure Management of Virtualized Resources. Security in the Private Cloud, p.193.

Ferraiuolo, A., Xu, R., Zhang, D., Myers, A.C. and Suh, G.E., 2017, April. Verification of a practical hardware security architecture through static information flow analysis. In Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 555-568). ACM.

Kawakami, H., Gallo, R., Dahab, R. and Nascimento, E., 2015, August. Hardware security evaluation using assurance case models. In Availability, Reliability and Security (ARES), 2015 10th International Conference on (pp. 193-198). IEEE.

Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M. and Yarom, Y., 2018. Spectre Attacks: Exploiting Speculative Execution. arXiv preprint arXiv:1801.01203.

Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Mangard, S., Kocher, P., Genkin, D., Yarom, Y. and Hamburg, M., 2018. Meltdown. arXiv preprint arXiv:1801.01207.

Mangelsdorf, M.E., 2017. What Executives Get Wrong About Cybersecurity. MIT Sloan Management Review, 58(2), p.22.

More, A.C.Y., 2018. Security Alert!.

MUGARZA, I., PARRA, J. and JACOB, E., 2018. Analysis Of Existing Dynamic Software Updating Techniques For Safe And Secure Industrial Control Systems. International Journal of Safety and Security Engineering, 8(1), pp.121-131.

Park, J., Park, J. and Kim, Y., 2014. System lifecycle processes for cyber security in a research reactor facility. Science China Information Sciences, 57(7), pp.1-12.

Pieters, W., Hadžiosmanovi?, D. and Dechesne, F., 2016. Security-by-experiment: Lessons from responsible deployment in cyberspace. Science and engineering ethics, 22(3), pp.831-850.

Rob, R., Tural, T., McLorn, G.W., Sheikh, A. and Hassan, A., 2014, September. Addressing cyber security for the oil, gas and energy sector. In North American Power Symposium (NAPS), 2014 (pp. 1-8). IEEE.

Simakov, N.A., Innus, M.D., Jones, M.D., White, J.P., Gallo, S.M., DeLeon, R.L. and Furlani, T.R., 2018. Effect of Meltdown and Spectre Patches on the Performance of HPC Applications. arXiv preprint arXiv:1801.04329.

Tatourian, I.A., Nayshtut, A., Pogorelik, O. and Hunt, S., McAfee LLC, 2017. Cognitive protection of critical industrial solutions using IoT sensor fusion. U.S. Patent 9,817,676.

Watson, R.N., Woodruff, J., Roe, M., Moore, S.W. and Neumann, P.G., 2018. Capability Hardware Enhanced RISC Instructions (CHERI): Notes on the Meltdown and Spectre Attacks (No. UCAM-CL-TR-916). University of Cambridge, Computer Laboratory.

Xiao, K., Nahiyan, A. and Tehranipoor, M., 2016. Security rule checking in IC design. Computer, 49(8), pp.54-61.

Hire a Writer
Calculate your order
Pages (275 words)
Standard price: $0.00
Client Reviews
4.9
Sitejabber
4.6
Trustpilot
4.8
Our Guarantees
100% Confidentiality
Information about customers is confidential and never disclosed to third parties.
Original Writing
We complete all papers from scratch. You can get a plagiarism report.
Timely Delivery
No missed deadlines – 97% of assignments are completed in time.
Money Back
If you're confident that a writer didn't follow your order details, ask for a refund.

Calculate the price of your order

You will get a personal manager and a discount.
We'll send you the first draft for approval by at
Total price:
$0.00
Power up Your Academic Success with the
Team of Professionals. We’ve Got Your Back.
Power up Your Study Success with Experts We’ve Got Your Back.
Order Now Order Now