Meltdown and Spectre: Exposing the ghost in our machines

Published 16 March 2018

The threat started making headlines around New Year's. Publications around the globe warned of the biggest computer chip vulnerability ever discovered. Dmitry Evtyushkin had been studying the root of it for years.

Researchers had found that in an effort to make computer chips more efficient, major manufacturers had inadvertently inserted an opening that would allow hackers to spy on sensitive data. In two papers that were published on 3 January, researchers named the cyber security threats Meltdown and Spectre.

The name Meltdown was chosen for the attack’s ability to “melt” the security system typically enforced by a processor’s hardware. The name Spectre was based on the root cause of the security vulnerability, speculative execution, a speed-enhancing technique in which the processor tries to predict what part of code it will be required to execute next and starts executing it. And, much like a real spectre, the attack is nearly impossible to detect.

By the end of January, hardware companies like Intel, ARM Holdings Plc. and Advanced Micro Devices Inc. had released microcode updates to address the vulnerabilities. The companies also worked with developers of operating systems, such as Windows and Linux, to design and release software updates. The flaws were physical, part of computer processing hardware. Entirely eliminating the problem would require modifying millions of computer chips.

Instead, developers and manufacturers opted to try their hand at fixing hardware flaws with software updates. The updates slowed performance and, in some cases, made systems inoperable, but the coordinated effort appeared to have been successful in guarding against Meltdown and lowering vulnerability to a Spectre attack.

WM says that the world quickly moved on, but Dmitry Evtyushkin couldn’t. He had known about Spectre-like processor flaws for years. In fact, his research had helped shine a light on them in the first place. And Spectre, like its name, still lurks out there.

“Researchers still are not completely sure what the real impact of Spectre is,” said Evtyushkin, an assistant professor in William & Mary’s Department of Computer Science. “They don’t know the full scope of what they’re dealing with. There are so many different processors and so many different ways of exploiting this type of vulnerability.”