Security Spectres: Why the IT Industry is in a Meltdown

Over the past week there has been a growing sense of uncertainty across the webosphere as the discovery of two fundamental flaws in processor designs revealed one of the most serious security issues of the decade.

For those still unaware of the recent revelations, here is a quick overview to bring you up to speed:

  • Meltdown and Spectre are two major flaws that have been found in nearly all modern central processing units (CPUs) dating from over 20 years ago!
  • These bugs can circumvent the powerful protections in place to protect data when it’s in its raw, unencrypted form within CPUs
  • This means that potentially all devices are vulnerable to personal data leaks
  • As the flaws are at the architecture level it could affect any device that is running the effected chips, regardless of the software platform, be it Windows, Android, OS X etc.
  •  On top of this, there is a conceivable chance that these flaws can be applied to and across cloud platforms, leaving an inordinate amount of data exposed

As of yet there have been no known exploits of these vulnerabilities, which providers have been quick to stress. The concern remains though that IF hackers found a way to exploit these bugs, most devices built over the past twenty years would be exposed to one of the biggest security breaches of the last decade.

The last week has seen software giants scrambling to assuage doubts in their platforms, with statements released announcing the roll out of updates to mitigate any potential threats.

So why are we just hearing about this now?

Though it might seem strange to think that companies often know about major security flaws months before everyone else, it is understandable that researchers don’t announce their findings to the world at the time of discovery, for fear that they would be giving potential attackers access to the information at the same time as the companies that could fix the problem.

In ordinary circumstances, companies would announce the flaw and solution at the same time, once they’d quietly applied the fixes. However, in the case of Meltdown and Spectre, smart reporting by the likes of The Register forced the hand of several billion-dollar companies who wished to control the narrative.

Though perhaps a risky thing to have done, as revelations from the Spectre report demonstrate, it is partly due to these billion-dollar companies drive to maximize performance that resulted in processors, operating systems etc. evolving such security risks.

In this instance, perhaps Meltdown and Spectre have afforded an opportunity to cast a light over the methods favoured by the big dogs of the technology industry.

What does this mean for the security of cloud services?

Practically, Meltdown and Spectre expose a weakness at the traditional hardware level, flaws in the very architecture of a device.

The reason why these bugs pose such a potential worry to the cloud community is that it’s possible for many independent customers to be tenanted on the same hardware. Were hackers able to exploit these flaws in physical devices, they could (theoretically) expose the data from devices linked to the same cloud data centre.

But this is near impossible and to understand how difficult this would actually be to achieve, imagine Bob is trying to read a copy of Alice’s Encyclopedia Britannica over her shoulder. He can only read one eighth of a character at a time without having any idea when, or in what order each of those eighths of a character is going to be handed to him. And if Alice doesn’t even open a volume, Bob has no chance at all.

The good news? Researchers have been investigating these exploits for months now, informing those companies involved so they could begin issuing patches. As Apple stated, for some devices this was handled a while ago with ‘mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2.’

For now though, consumers of cloud services are at the mercy of the likes of Azure and AWS to keep their services secure.

Is this the end of cloud computing?

Despite the insistence by the likes of Google and Apple that there would be ‘no measurable reduction’ in benchmark scores, the patches are proving problematic for the economies of cloud computing, with reports warning of performance hits.

Meltdown and Spectre are bugs within one of the techniques modern processors use to speed themselves up. The recent series of patches (or ‘fixes’) work by disabling or turning down the effectiveness of some of those techniques. As a result, these processers become significantly slower under certain workloads.

Despite the initial reassurances, complaints of performance degradation after patches have been rolling in, and with them a concern that, literally overnight, cloud computing has got more expensive as people will need to spend more in cloud compute costs to get the same performance.

As an example, one AWS customer reported the following CPU utilisation over the period of a few days before Christmas, when AWS were patching their systems, but before details of the exploit were public knowledge:

In this graph, blue lines represent CPU utilisation of rebooted servers (that ‘pick-up’ the software updates), red arrows point to reboot events, and the red lines represent CPU utilisation of non-rebooted servers. It is evident that there is a divergence of performance to the right, which translates to an increase in costs for this particular customer.

This experience is not universal, however. The advice from AWS is that those customers using (older) para-virtual (or PV) type AMIs could be effected more. And indeed, other customers have reported that using newer hardware virtual machine (or HMV) type AMIs have seen better performance.

Unfortunately, the migration path from PV to HVM is non-trivial & time consuming, so it appears that, for many, there is no way to avoid some additional cost, and are left wondering why cloud is so attractive, if these kinds of issues are not taken care of for them.

Meltdown and Spectre are still only in the ‘potential problem’ faze. Like everyone else, we can only watch and wait to see how things develop.

Leave a Reply

Your email address will not be published. Required fields are marked *