From Nor-Tech and CRN: Here is the latest on the Meltdown, Spectre Exploits
Intel said the processor side-channel analysis security issues known as Spectre and Meltdown are not a result of flaws in processors, which are performing as designed. The issues, which many in the industry have blamed on Intel’s processor design, instead stem from side-channel analysis, which Intel said impacts most modern processors.
Steve Smith, Intel’s corporate vice president and general manager for data center engineering, late Wednesday told financial analysts that the security issues lie in the approach researchers used to compromise a system, and not in the processors themselves. “The processor is, in fact, operating as it is designed,” Smith said. “And in every case, it’s been this side-channel approach that the researchers used to gain information even while the processor is executing normally its intended functions.”
Side-channel analysis, as defined by Intel, is “some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound” which can be analyzed to potentially expose sensitive data on computer systems that are operating as designed.
According to a blog post from the Google Project Zero team, one of the first research teams to notice the potential impact of the side-channel analysis issue in processors from Intel, AMD, and ARM Holdings, there are three possible ways it could be exploited, based on proofs-of-concept tests it developed.
Two of those variants are known as Spectre and include one that under certain circumstances be used to leak Linux kernel memory and another that could change how an application works based on the contents of memory. The third, known as Meltdown, could let an application read kernel memory from userspace without misdirecting the control flow of kernel code, the Google Project Zero team wrote. Potential attacks using side-channel analysis might allow an attacker to use the exploit to observe the contents of privileged memory, and thereby circumventing the privileged level, Smith said. These exploits do not have the potential to corrupt, modify, or delete data, he said. “Malware that’s using this method and running on the computer locally can expose sensitive data that attackers might be interesting in finding on the system,” he said.
During the financial analyst call, when asked by an investment analyst about comments from AMD that the issue does not impact that company’s processors, Smith responded that the researchers had demonstrated some of the exploits running across a variety of product implementations, both in hardware and software. “It’s an industry issue,” he said. “And you’ll have to ask each participant what their specific mitigation implementations are.”
Customers are already starting to ask about the processor security issues, said Dominic Daninger, vice president of engineering at Nor-Tech, a Burnsville, Minn.-based custom system builder with a focus on the high-performance computing market. In a way, the industry knew something like this was coming, Daninger told CRN. “We follow Linux closely,” he said. “Even during the holidays, people were looking at things being done in the Linux Kernel and could tell something big was coming up.”
The processor-related security issues will likely impact cloud providers and those heavily into virtualization the most, Daninger said. High-performance computing, on the other hand, is typically not connected to the Internet, and so will be less likely to be impacted. “Most of our high-performance computing systems have a firewall and/or an air gap between the system and the Internet,” he said. “One of our customers, the Federal Aviation Administration, never connects to the internet.”
The full article is available here: http://www.crn.com/print/news/data-center/300097471/processor-security-issue-intel-says-processors-working-as-designed.htm