I ran into my favourite technophobe the other day. “I see,” he chortled, “that your tech industry (he holds me responsible for everything that is wrong with the modern world) is in meltdown!” The annoying thing is that he was partly right. What has happened is that two major security vulnerabilities – one of them has been christened “Meltdown”, the other “Spectre” – have been discovered in the Central Processing Unit (CPU) chips that power most of the computers in the world.
A CPU is a device for performing billions of apparently trivial operations in sequences determined by whatever program is running: it fetches some data from memory, performs some operations on that data and then sends it back to memory; then fetches the next bit of data; and so on. Two decades ago some wizard had an idea for speeding up CPUs. Instead of waiting until the program told them which data to fetch next, why not try to anticipate what’s needed and pre-fetch it? That way, the processor would become faster and more efficient. This meant that – in a nice analogy dreamed up by Zeynep Tufekci, an academic who writes beautifully about this stuff – the CPU became like a super-attentive butler, “pouring that second glass of wine before you knew you were going to ask for it”.
We have always known (though many still wilfully deny) that there is no such thing as a completely secure networked device
But what if you don’t want others to know about the details of your wine cellar? “It turns out,” writes Tufekci, “that by watching your butler’s movements, other people can infer a lot about the cellar.” Information (the bottle on the butler’s silver salver) is visible that would not have been available if he had patiently waited for each of your commands, rather than trying to anticipate them. Almost all modern microprocessors behave like attentive butlers – and the revealing traces left by their helpful actions mean that information that is supposed to be secret isn’t.
This is a big deal, given that it affects almost all the computing devices on the planet. “In essence,” says the UK’s Information Commissioner’s office, “the vulnerabilities provide ways that an attacker could extract information from privileged memory locations that should be inaccessible and secure. The potential attacks are limited only by what is being stored in the privileged memory locations – depending on the specific circumstances, an attacker could gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser. One variant of the attacks could allow for an administrative user in a guest virtual machine to read the host server’s kernel memory. This could include the memory assigned to other guest virtual machines.”
One of the most intriguing aspects of the story is that Meltdown and Spectre were independently discovered at more or less the same time by four separate groups of security researchers. If you’re of a suspicious turn of mind (and this columnist is), the obvious question is: who knew about these vulnerabilities but did not reveal them? It seems unlikely that something as big as this would have remained hidden for 20 years. Being able to exploit one of these so-called “zero-day” vulnerabilities would give hackers (or their employers) an amazing advantage in terms of covert mass surveillance. And we know that the NSA, GCHQ and their peers tend to hoard (and sometimes purchase on the black market) these kinds of vulnerabilities in case they turn out to be useful one day: a Harvard study, for example, estimated that as many as one-third of all zero-day vulnerabilities detected by independent researchers in any given year are in fact just “rediscoveries” of flaws already known to the NSA.
The biggest takeaway from the discovery (or rediscovery?) of Meltdown and Spectre is the realisation of the shakiness of the foundations on which we have constructed our networked world. We have always known (though many still wilfully deny) that there is no such thing as a completely secure networked device. Now we know that at the heart of every networked device there sits a vulnerable processor.
Initially, it was thought that the only answer would be to replace all those processors – an unconscionable option. But then it turned out that solutions exist in terms of patches to operating system software. The industry is working on those and every conscientious user ought to install them when they become available. But there’s no free lunch here: fixing the problem will slow down processors by an amount that will differ from chip generation to generation. Microsoft, for example, says that patches will “significantly slow down certain servers and dent the performance of some personal computers”. Sacking that attentive butler means that you have to fetch your own drinks. And that takes longer. Patience is a virtue, sometimes, even in computing.