The Day Everything Became Less Secure
This entry was posted in Security on Jan 9, 2018 by Mark Maunder
It’s January 9th here in London. I’m sitting in Heathrow waiting for my flight back to Seattle after spending new year with my South African family in Cape Town. It may be the disorientation one feels during a transcontinental flight, but I have a feeling I can’t shake. It feels as if the Earth has shifted under my feet slightly and as if the basic laws of physics that govern the universe have changed subtly.
That feeling is caused by the Meltdown and Spectre vulnerabilities that were made public on January 3rd, last week. These two vulnerabilities are a new class of vulnerability that comes built into the hardware that we run our operating systems and applications upon.
Every Intel CPU except three is affected, going all the way back to 1995. And one of the vulnerabilities, Spectre, is exploitable at any layer of the so-called ‘stack’. It can be exploited in the base operating system, in a guest (virtual) operating system, in applications that run on a host or guest operating system and even by JavaScript code running inside a browser’s secure sandbox. Spectre and Meltdown have literally made everything less secure.
OS vendors have been working on patches since June of last year, when the vulnerabilities were first confidentially disclosed to them, and some major players like Ubuntu still have not released a fix.
If you’d like to get a bit of that earth-stood-still feeling that I have about these vulnerabilities, go ahead and read the WebKit blog post about how Spectre is exploitable using JavaScript and their thinking on how to fix it. WebKit is the engine that powers Safari, the default browser on iPhone. It is a hard problem to solve, and one of the short-term resolutions is to reduce the accuracy of timers in JavaScript. A band-aid, to be sure.
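The timer band-aid described above, as an added illustration (not code from the original post or from WebKit): a coarse-grained clock that snaps readings to a fixed resolution, adds bounded jitter and stays monotonic, shown against constructed cache-hit and cache-miss durations to make clear what a single measurement can and cannot distinguish.

```javascript
// Added illustration of timer coarsening as a Spectre band-aid; not the post's
// or WebKit's code. All times are integer nanoseconds so the arithmetic is exact.
const NS_PER_MS = 1e6;

// Index of the bucket a timestamp falls into at the given resolution.
function bucketIndex(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs);
}

// Snap a timestamp to its bucket boundary, then add jitter clamped to
// [0, resolutionNs). The jitter source is injected so tests can fix it;
// in a browser it would be a random value.
function coarsenTimestamp(tNs, resolutionNs, jitter = () => 0) {
  const j = Math.min(Math.max(Math.floor(jitter()), 0), resolutionNs - 1);
  return bucketIndex(tNs, resolutionNs) * resolutionNs + j;
}

// Wrap a millisecond clock such as performance.now so every reading is
// coarsened. Jitter can make a raw reading go backwards, so the wrapper
// also enforces monotonicity, which callers of a clock rely on.
function makeCoarseClock(clockMs, resolutionNs, jitter) {
  let last = -Infinity;
  return () => {
    const tNs = Math.round(clockMs() * NS_PER_MS);
    const v = coarsenTimestamp(tNs, resolutionNs, jitter) / NS_PER_MS;
    last = Math.max(last, v);
    return last;
  };
}

// True when two durations land in different buckets, i.e. a single
// measurement at this resolution could still tell them apart.
function distinguishable(aNs, bNs, resolutionNs) {
  return bucketIndex(aNs, resolutionNs) !== bucketIndex(bNs, resolutionNs);
}

// Constructed sample values, not measurements: a cached and an uncached
// memory access, a fine timer, and the 1 ms band-aid resolution.
const HIT_NS = 40;
const MISS_NS = 200;
const FINE_NS = 5;
const BANDAID_NS = 1 * NS_PER_MS;

// Summarise what each resolution lets one measurement distinguish.
function demo() {
  return {
    fineTimerLeaks: distinguishable(HIT_NS, MISS_NS, FINE_NS),   // true
    bandaidLeaks: distinguishable(HIT_NS, MISS_NS, BANDAID_NS),  // false
  };
}
```

The coarse clock only removes the single-sample signal; it is a band-aid in exactly the sense the post describes, not a fix for the hardware.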
Developers and security experts have, I suspect, the same intuitive sense that I’m getting. This is a new kind of vulnerability that throws into question our basic assumptions about what we are able to secure. You can see some of this debate on Hacker News, where the top comment thread is a discussion about whether we should stop allowing any website to execute JavaScript in our browsers.
As if having a vulnerability that is hard-wired into unchangeable hardware and which is exploitable by every layer above the hardware is not enough, the fix may incur performance penalties. Red Hat has published data for their Linux distribution, for example, that indicates performance impacts may be from 2% to 19% based on their benchmarks.
I’m looking forward to the Ubuntu patches that are scheduled to be released today and their benchmarks. We will be deploying those as soon as possible on non-critical servers at Defiant that are in production and under high load, to gauge their performance impact.
Ubuntu is widely used and you will begin to see hosting companies deploy security patches this week. Tuesday, January 9th was actually the original disclosure date that researchers and developers had agreed upon, both for disclosure and for the release of patches. For reasons I explained last week, the disclosure happened early, but the release date for security patches remained today.
If you run a high-traffic website that generates some load on servers, you’re going to want to sit up and take notice of your site performance this week. Your hosting company may do an excellent job of benchmarking any fixes before they deploy them and understanding the performance impact. They may also be running their servers with plenty of headroom for additional load. Or not. So keep an eye on your web server and database performance as the week progresses.
In discovering this vulnerability, Google’s Project Zero and the researchers involved in Meltdown and Spectre have blazed a trail for others to discover similar vulnerabilities in hardware. Expect to see more vulnerabilities in this class emerge during the coming months and years.
While developers and vendors are doing an admirable job of creating patches that prevent these underlying hardware flaws from being exploited, new methods to exploit these flaws may emerge that circumvent security patches. The vulnerability exists in the underlying hardware, and until that is fixed, every patch in an operating system or application is really a band-aid. So we may see these vulnerabilities recur.
As we start 2018, we find ourselves in a new reality. A new kind of vulnerability has emerged where the underlying problem is not fixable without replacing chips, because it exists in hardware. Vendors at every layer of the OS/Guest/Application/Sandbox stack are scrambling to band-aid the hardware vulnerability. We are going to have to work incredibly hard and smart to find a way to continue to allow strangers to securely run their code on our machines.
Mark Maunder – Defiant Founder & CEO