Spectre and Meltdown

Will Spectre and Meltdown be the flagship computer security crisis of 2018? There is a good chance that it will be, although I doubt that many personal computer users will be directly affected.

Good news

These flaws are hard to understand and take advanced engineering skills to implement; when implemented they are hard to exploit; I struggle to imagine results that would be worth a hacker’s trouble. Also, exploiting these flaws on a computer you do not already have access to is close to impossible. Consequently, good basic computer hygiene will protect you from these attacks as well as everything else thrown at you. In addition, the exploits are read-only; they do not corrupt data or processes.

The patches are going out this week to all the major operating systems and so far, the bruited predictions of devastating across-the-board 30% performance degradations have not proven out. 10% degradation and only in limited circumstances seems more realistic according to early testing reports.

Less good news

Nevertheless, the fallout from Spectre and Meltdown is likely to cause migraines and insomnia among computer security experts for months, even years to come. And the picture is not quite as rosy for businesses, especially for businesses that rely on virtual computing in various forms, as it is for individuals.

Scope

These are not your garden variety zero-day exploits. When I wrote about KRACK a few months ago, I explained that the flaw is particularly bad because it is in the standard and every correct implementation is vulnerable. The Spectre and Meltdown flaws are in the processor chip design. Intel processors have the worst problems and they perform the vast majority of computer processing in the world today, but AMD and ARM processors are also affected. That covers most of the rest of computing, including phones and tablets. For reasons I will elaborate on later, I suspect other processors have not been cited only because no one has looked hard enough yet.

The patches that have been applied are crack sealers; they do not repair the broken foundation that caused the cracks. Fixing the source of the cracks will require new processor designs and new chips. In order to explain just what Spectre and Meltdown are, I have to explain several unfamiliar concepts.

Protection rings

One of the pillars of computer security is called a “protection ring.” They are what prevents one computer process from interfering with another. For example, without protection rings, forcing a user to pass through a login gate before using a computer is easier to circumvent. Protection rings have been built right into the silicon of most processors since the eighties and the concept goes back to the beginnings of multi-processing in the 60s.

To science fiction readers, I liken protection rings to Asimov’s laws of robotics—they are intended to be intrinsic in all computers. In theory, protection rings when properly used make it impossible to break into a well-written operating system without physically altering the processor. When a computer is hacked into, it usually stems from a flaw in the operating system’s use of protection rings, not the physical processor chip.

The Spectre and Meltdown flaws are special because they are gaps in the integrity of privilege rings that were inadvertently built into the processor chips. To see how these gaps were opened, we have to look at concepts of modern processor design.

Multi-core processors

One of these concepts is “multi-core processors.” Before the advent of multi-cores, the capacity of processors was beginning to be limited by the great physical speed limit: the speed of light. When a processor reaches a certain number of instructions per second, it is limited by the time a signal takes to travel across the chip at the speed of light. The processor can’t move on to the next instruction in less time than it takes to read he previous instruction’s results.

Processor designers got around that by putting multiple processors, cores, on a single chip. In theory, by putting two cores on a chip, the speed is doubled. But that does not really solve the problem because taking advantage of the doubled speed requires complex and expensive changes in program design.

Speculative execution

The designers hit on a solution to this: speculative execution. Most computer programs are long chains of “if-thens”. If X condition is met, do Y; if it is not met, do Z. Traditional computers first evaluate X, then decide whether to perform Y or Z. With speculative execution, at the same time one core evaluates X, another core performs Y, and a third performs Z. Depending on how X comes out, Y or Z is discarded. This is a gross simplification, but in the time a single core uses to evaluate X, the three cores already have both the Y and Z results. Thus, the multi-core processor executes a conventionally written program in much less time than a single core. And the speed of computing doubles in 18 months again. Nifty, huh?

Not so nifty. Those discarded speculative chunks of execution can be manipulated in such a way that protection rings are violated. I won’t go into how it’s done. A Google researcher explains it here.

Migraines and insomnia

I am not optimistic when I think about what these defects reveal about processor design. Software development underwent a revolution in the early part of this century when security rose in priority. You can read about it in my book, Personal Cybersecurity. Security was a neglected step-child in the pioneering days of software development in the last century, but around 2000, the industry realized that computing would die if software was not built with more secure methodologies. The revolution is still going on, but the slap-dash attitude toward security that characterized the software cowboys of the 90s is gone.

Spectre and Meltdown tell me that the security revolution did not make it into processor design. Makes you think about why the CEO of Intel sold a big block of Intel stock after the flaws in Intel chips were discovered.

I am afraid we have not heard the last of chip level security flaws. I hope processor designs are not easy pickings for hackers, but the fact that these flaws have been present for at least a decade is daunting. Also, to completely eradicate these flaws, processor chips or entire computers will have to be replaced, which suggests that heads will ache on for years.

Coming soon

I wrote a blog on hypervisor hacking and one on virtual machine security for Network World last year that are affected by the Spectre and Meltdown flaws, but I’ll save comments on the safety of virtual computing for another blog.

Privacy and Online Ads

Without ads monetizing the content of public computer networks, a service that is now low cost would be much more expensive. I’m willing to accept that. But there is something sinister in the online ad business.

Today, “monetize” usually means to change something that is popular in the digital world into a money-maker for someone. Online ads monetize most of what we think of as the internet. Google makes most of their money from online ads as does Facebook. Amazon makes their money from selling things, but their online ads are a crucial part of their business plan.

The ad business has changed

Remember “banner ads”? A seller like Rolex will be glad to pay a premium for a banner ad on a site like the New Yorker that has wide circulation and a good reputation among people with money to spend on luxury watches.

But the banner ad is an endangered species from the age of paper advertising. They are based on high-end, intelligent marketing that made many careers in the 20th Century. But no longer.

21st Century digital advertisers have facts. Traditional marketers knew that New Yorker readers were affluent and well-educated, but they were short on specifics on who was buying and why. Digital marketers today can tell you who sees an ad, how often viewers click on an ad, and, for digital sales, how often they spend money. And they know the age, location, income bracket, and browsing habits of most potential customers. They can target ads to the most likely customers and know exactly how the ads perform.

How do online ads work?

Traditionally, a big city daily newspaper could charge more for their ads than a community weekly because a seller could expect more people to see an ad in the big city daily and act on the ad. Sellers measure the effectiveness of ads by “return on investment” (ROI). If a seller invests $50 in an ad in a community fish wrapper and sees a $100 increase in sales, they get a 200% return. ($100 return/$50 investment = 200%. Sometimes a low-cost ad has better ROI, usually not.

Some businesses occasionally use advertising to improve their image or convey information, but the everyday advertising goal is ROI, using ads to make more sales. The lure of digital advertising is that digital advertising can be fine-tuned to increase ROI by reducing costs and increasing returns.

Digital advertisers can count how many times the ad was seen (impressions) and was followed (clicks). If the transaction is digital, they can count the number of times the ad resulted in a sale. Traditional paper advertising only knows how many copies of the ad were circulated, not how often the ad was seen and only generalities about readers.

The network collects information on buyers that can be used to target advertising toward people likely to buy. For example, people who don’t have cars are unlikely to buy car polish. Therefore, car polish sellers can improve their advertising ROI by directing their ads to car owners and ignoring people without cars.

Who are the players in the online ad biz?

  • Customers. That’s you.
  • The ad publishers. Google, Facebook, Amazon, etc. Ad publishers put the ads in front of potential customers.
  • Ad networks and exchanges. The folks in the background who match likely buyers to sellers and maximize the vigorish. When you open a web page with slots for ad, the slots are often auctioned off highest bidder in milliseconds. The bidders use information about you, to decide how much to bid. You may be familiar with some of these players like “DoubleClick” whose addresses flash by as you enter a site.
  • Ad agencies. Those waggish artists who think up cunning ads for the advertisers. These companies usually have bland names like “WPP Group.”
  • Data brokers. The vacuum cleaners that suck up data and sort it into a commodity they can sell to advertisers, ad agencies, networks, and exchanges. These are companies like Blue Kai or Live Ramp, whom you may not have heard of.

Except for customers, the players are often combined. There are one-stop shops that combine all the functions and boutiques that specialize in a narrow aspect of the process.

The network never forgets

The data collected on buying habits has grown rapidly in the last few years. If you do something on the network, someone, somewhere, has taken a note. The more we use computer networks, the more data is amassed on us. “Big data” arose to process the mountains of accumulated data.

Today, electronic payment is common, and many customers get discounts by identifying themselves when they purchase. Consequently, grocery store managers may know more about your food buying habits than you do. They can use that information to offer the items you want, but they also use it to find and persuade you to buy more profitable items. They can appeal to habits you may not even know you have. Online sales are even more effective at collecting data on customers.

Although you may not enjoy being manipulated in this way, most people still choose to use payment methods that identify themselves and trade their phone number at the point-of-sale for reduced prices. A lot of people feel that the convenience of electronic payment and a reduced price are reasonable tradeoff for subjecting themselves to manipulation by their sellers.

Why do online ads make me feel uneasy?

Using network habits to target ads is occasionally annoying. My grandfather died of colon cancer after a colostomy fifty years ago. Recently I wondered how those ugly colostomy bags had changed. I searched online. What a mistake! I still occasionally get an ad for disposable bags in cheery prints.

Creepy, yes, but not threatening. I, thank Heavens, am not remotely likely to purchase a colostomy bag according to my gastroenterologist. The sellers have made a mistake, but it only costs them a few cents and they certainly get a worthwhile ROI on their ads, winning the numbers game. And I get annoying ads. Nothing to lose sleep over.

Misuse of personal profiles

But let’s change the story some. Suppose you looked up alcoholism treatment out of curiosity. And the user of your profile was not an alcoholism treatment center selling their services, but an investigative agency running a check for a potential employer to whom you sent an application. Maybe the job was important to you and you were well-qualified, but your application was tossed on the first round because you were flagged as an alcoholic.

Do you see how the situation changed? A seller looking at ROI doesn’t grudge a fried fig for a few ads sent to the wrong place. A loss of a few cents to misdirected ads is nothing compared to all those colostomy bag sales. But you lost a job that you may have wanted, even needed, badly. And the potential employer lost a brilliant prospect. This happens when a personal profile is used in a scenario where much harm can result from inferences that are perfectly valid in other circumstances.

The danger is that the profiles will applied wrongly when they are harmless and useful in most circumstances. That is sinister.

Engineering In the Clouds

Yesterday, I began a new blog on Network World. It is called “Engineering in the Clouds,” and it calls on my experience at CA and my two earlier books, Cloud Standards and How Clouds Hold IT Together. My first blog is on some of the reasons cloud projects do not succeed. Cloud failures can occur anywhere in the hype cycle. My plan is to publish about once a month. Since privacy has been on my mind the last few days, I am thinking about clouds and privacy for my next blog.