The vulnerabilities discovered by Google’s Project Zero (GPZ) on a set of flaws in CPU architectures that create two kinds of exposures were recently announced and took the hardware world by storm.
While under embargo until next week, it is now known that the failings had been already reported by researchers to CPU manufacturers Intel, AMD and ARM since June 2017.
We start the 2018 year of with what is probably one of the biggest findings in security vulnerabilities affecting past hardware, specifically, most Intel chip processors from around 1995 forward.
That was the year where optimizations were put in place in the processors themselves to improve performance. Meltdown and Spectre were the names given to the vulnerabilities by the several collaborating researchers involved in the findings.
Since both rely on performance optimizations inside the processors themselves, the Kernel patches in the form of software are on public speculation that will impact current CPU performance, since it is believed it will cripple down the speed tuning made on the chips all over these past years.
These flaw patches will probably be delivered by the operating systems software makers, like Microsoft, Apple, Linux and Google. No firmware update in sight from the CPU industry as of today.
Both flaws exploit weaknesses on performance enhancements.
Meltdown can attack the host machine by reading “out-of-order execution” in arbitrary memory locations defined in the kernel, independent of the operating system and software running.
Spectre breaches a flaw in modern CPUs that helps improve performance – speculative execution. This code operates in the CPU as a guess to what the user or the software will do next and processes the data, if it won’t be used it will be discarded without the end user notice. Improves performance if it guessed right, but also allow Spectre to violate security processes and inject code that will lead to confidential leaks by reading data at memory locations that should not be otherwise available.
Being an imperfection in CPU design planning leads us to guess that the only way to fix these flaws definitely is only to get the next generation CPU’s.
Software and Operating Systems announced security fixes to be released the next few weeks, but is they have to tamper with performance improvements on the CPU’s, are we to get a tune down in processing speed on our workstations?
The impact in performance will most likely hit web host providers and cloud servers, where the performance is fine-tuned to specific levels, specifically those running many virtual machines – like hosting website services, backup and storage.
The processor industry is not announcing any particular dangerous loss in performance.
As of the earlier benchmarks I could get before this notice, gaming is not clearly affected and so the applications used in a workstation, as video rendering or image editing.
But these were just the earlier fixes benchmarked, we need to wait until the real fixes are all in place and what the different computer users have to say in the end.