Google experts consider these vulnerabilities to be inherent in modern processors design
According to network
security and ethical hacking specialists from the International
Institute of Cyber Security, the vulnerabilities Spectre
and Meltdown were reported for the first time about a year ago; since then,
countless teams of independent specialists and researchers have tried multiple
methods to mitigate the risk of exploiting these flaws, expecting to be able to
completely eradicate it in the future.
Unfortunately, for Google
network security specialists these vulnerabilities seem to be an inherent
feature of modern processors. In other words, software-based correction and
mitigation techniques are not enough to overcome these vulnerabilities.
It is worth noting that Meltdown and Spectre
attacks take advantage of the speculative execution, a feature of the currently
used processors. This means that a processor may assume that a condition can be
true or false. If it turns out to be true, the speculative results are
maintained; if the condition turns out to be false, the results will be
discarded.
Initially, network security specialists assumed
that speculative execution was invisible to running programs, as it is a
feature of implementations. However, evidence was later discovered that some
traces of false speculation were not completely eliminated.
A malicious user could take control of this
data through a side channel. In addition, attackers can trick computers into loading
sensitive data, such as administrators’ information, passwords, etc. To
mitigate the risks posed by these vulnerabilities, developers have resorted to
using software-based techniques, such as using sandbox environments, or
preventing the processor from running sensitive information.
While these software techniques are quite
functional, Google experts claim that this is just a shallow solution. A test made
in the Chrome browser showed that, in trying to implement a comprehensive
solution against a Spectre attack, the administrators generated a considerable
drop in the performance of their developments.
In conclusion, it is not possible to solve
Spectre-type vulnerabilities with software deployments only. Speculative
execution is a fundamental part of a modern processor; so many specialists
consider that Spectre and Meltdown will keep bringing problems for a long time.
