The “Intel Chip problem”: an attempt to simplify a complex issue


 

Eric De Grasse
Chief Technology Officer
The Project Counsel Group

Paris, France

4 January 2018 – Yesterday, Google researchers confirmed that they had uncovered a set of major security flaws in devices containing chips from Intel Corp., Advanced Micro Devices and ARM Holdings – potentially affecting virtually every computer and smart phone on the planet.

 
 
 

The key is that this is not an “Intel Chip problem” but an entire chipmaker design problem that affects virtually all processors on the market. Our cyber security team has spent two days looking at the issue and we have been on two emergency conference calls with our contacts at FireEye and F-Secure. Here is my attempt to simplify a complex issue:

 
 
  1. So Christmas didn’t come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
  2. For a good background on this motherlode of all vulnerabilities read a good summary from the New York Times (click here).
  3. We’re dealing with two serious threats. The first, dubbed “Meltdown”, is isolated to Intel chips and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
  4. The second issue is a fundamental flaw in the approach to processor design, dubbed “Spectre”, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (note here: Intel stock went down today but Spectre affects AMD and ARM too), and as of 4pm Paris time there has been no fix but a few patches.
  5. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
  6. The basic issue is the age-old security dilemma: speed vs security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their designs were secure. SURPRISE!! They were not.
  7. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches on to another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
  8. Yes.  You got it. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and chipmakers like Intel will have to do a full recall — it is unclear if there’s even manufacturing capacity for this — OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
  9. Intel is, not surprisingly, trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear. And that’s just for the Meltdown threat. Spectre affects AMD and ARM too.
  10. But judging by stock moves today (Intel down, AMD up), investors didn’t know that, taken together, Spectre and Meltdown affect all modern microprocessors.
  11. Meltdown and Spectre affect chips from most chipmakers, including AMD, ARM, and Intel, and all the devices and operating systems running them (Amazon, Google, Apple, Microsoft, etc.)
  12. The flaws were originally discovered last June 2016 by a researcher at Google Project Zero and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week.
  13. But news of Meltdown started to leak out (shout out to the fabulous team at The Register) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don’t necessarily know when to expect Meltdown patches from tech companies.
  14. Google says its systems have been updated to defend against Meltdown (click here) and Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon’s tailored Linux version, and would roll out the Microsoft patch for other customers today.
  15. I am getting emails from vendors telling me all is fixed. But they are clearly not fully read up on Spectre, which should not be underestimated. Yes, it is far more difficult to exploit. But it is not beyond sophisticated cyber criminals/nation states looking to grab your SSL keys.
     
     
  16. So, no. This isn’t good …

 

If you are going to the annual cyber security event in Lille, France in two weeks, there will be several detailed presentations.