
The Meltdown/Spectre CPU bugs: a dramatic global case of the “Unintended Consequences” pattern [UPDATED 4/4/18]

January 31, 2018

Back in 2000, PricewaterhouseCoopers published my research white paper, “Patterns in IT Litigation: Systems Failure (1976-2000)” (PDF). This paper reflected research I and my staff had done over several months on roughly 120 two- or three-party lawsuits involving information technology. I found that almost all of these lawsuits fell into one or two of six major patterns:

  • Faulty Towers
  • Irrational Exuberance
  • Three’s a Crowd
  • The Never-Ending Story
  • Unplanned Obsolescence
  • Unintended Consequences

The last pattern, Unintended Consequences, was among the rarest of the patterns. I summarized it as:

The manufacturer makes some change in the functionality or configuration of the system, which is already in use. The change results in unpleasant or unintended consequences for one or more clients. (p. 6)

In most of the handful of cases of this type that I reviewed, the system at suit was a software system — that is, the manufacturer or developer made some changes to the software, updated the production software of the customer, and things broke. Typically, this affected only the customer, and the effects could be held at bay by rolling back to the prior version of the software.

However, over the past few weeks, we the public have learned in general terms about inherent security flaws in literally billions of hardware central processing units (CPUs) found in billions of computers and mobile devices. The attacks that exploit them, known as Meltdown and Spectre, are the unintended consequences of two techniques adopted decades ago to improve computer performance: ‘out of order’ execution and ‘speculative’ execution.

The Meltdown attack (PDF) is enabled by out-of-order (or dynamic) execution. This concept in processor architecture dates back roughly 50 years and arose from an effort not to ‘waste’ time waiting for one instruction to complete when subsequent instructions did not depend upon its result and so could safely be executed in the meantime. Put very, very simply, a Meltdown attack deliberately reads a byte from kernel (protected) memory, which raises an exception (a page fault) that the processor will eventually deliver to the process. Before that exception takes effect, however, the CPU has already executed, out of order, a few instructions that follow the illegal read and use the stolen byte as an index into an array belonging to the attacker, pulling one particular line of that array into the CPU’s cache. Those instructions are then discarded, but the cache state they left behind is not. The attacker, having arranged to survive the exception (with a signal handler, for example), then times accesses to each line of its own array; the one line that comes back fast reveals the value of the kernel byte. Repeating this byte by byte, the authors report reading kernel memory very quickly (on the order of hundreds of kilobytes per second), and because operating systems typically map all of physical memory into the kernel’s address space, that can include other programs’ sensitive data, such as passwords in ‘clear text’ (unencrypted).

Here’s a video of the Meltdown exploit being used to retrieve passwords from kernel memory:

The Spectre attack (PDF) is a bit more software dependent and relies upon speculative execution. Again, simply put, this is one step beyond out-of-order execution: the CPU ‘guesses’ which way a conditional branch will go and runs the instructions along the predicted path before the condition is actually known, throwing the work away if the guess turns out to be wrong. The basic Spectre variant targets code that legitimately reads from an array only after checking that the index is within bounds. The attacker first ‘trains’ the branch predictor by running that code many times with valid, in-bounds indices, then supplies an index that points outside the array, to memory the attacker is not supposed to read. The bounds check will eventually evaluate to false and the speculative work will be discarded, but in the meantime the CPU has already read the out-of-bounds value and used it to touch a cache line, leaving a footprint in the cache that is not rolled back. As with Meltdown, a cache-timing “side channel” then recovers the value. Unlike Meltdown, Spectre does not depend on a deferred privilege check; it can be aimed at any memory the victim code itself can reach, including another process’s data, the memory of a browser running attacker-supplied JavaScript, or the kernel.
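The probe-array trick that both descriptions above rely on (a speculatively read byte chooses which cache line gets touched), together with the classic Spectre Variant 1 gadget and its hardening, as an added example that is not code from the original post or from the Meltdown/Spectre papers. The branch-free index mask follows the approach the Linux kernel took in its array_index_nospec() helper; array1, array2 and the “secret” string are constructed data, and the example does not perform the timing side channel itself (that requires cache-flush and cycle-counter instructions plus a mistrained predictor), it only shows the vulnerable code shape beside the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from the original post or from the Meltdown/Spectre
 * papers. It shows the shared shape of both attacks: a secret byte read under
 * speculation is used as an index into an attacker-owned "probe array", so the
 * cache line left behind encodes the byte. Alongside the classic Spectre
 * Variant 1 gadget it shows the branch-free index masking the Linux kernel
 * uses to harden such code (array_index_nospec). All data here is constructed.
 */

#define ARRAY1_SIZE 16u
#define CACHE_LINE  64u

/* Data the victim code is allowed to read. */
static uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* One cache line per possible byte value. Touching array2[v * CACHE_LINE]
 * caches exactly one line; Flush+Reload timing of all 256 lines recovers v. */
static uint8_t array2[256 * CACHE_LINE];

/* Constructed secret that the victim must never hand to the caller. In a real
 * Spectre attack the attacker picks x so that &array1[x] lands on it. */
static const char secret[] = "constructed secret, never read here";

/*
 * VULNERABLE gadget (Spectre Variant 1). The bounds check is correct for the
 * instructions that eventually commit, but after the predictor has been
 * trained on in-bounds x it will speculatively run the body for an
 * out-of-bounds x. The speculative array2 access is discarded, yet the cache
 * line it fetched stays cached, leaking array1[x].
 */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/*
 * Branch-free mask: SIZE_MAX (all ones) when index < size, 0 otherwise.
 * Same idea as the Linux kernel's array_index_mask_nospec(): the result
 * comes from ALU arithmetic rather than a predicted branch, so it is right
 * even while the CPU is speculating past a mispredicted check. Only unsigned
 * arithmetic is used, so every step is well defined in C.
 */
size_t array_index_mask_nospec(size_t index, size_t size)
{
    /* (size - 1 - index) wraps to a huge value when index >= size, and index
     * itself has its top bit set when it is absurdly large; either way the
     * top bit of the OR is 1 exactly when the index is out of bounds. */
    size_t out_of_bounds = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return out_of_bounds - 1;   /* 1 -> 0, 0 -> SIZE_MAX */
}

/* Clamp an index to 0 when out of bounds, without branching. */
size_t array_index_nospec(size_t index, size_t size)
{
    return index & array_index_mask_nospec(index, size);
}

/*
 * HARDENED gadget. Under misprediction x is forced to 0, so the speculative
 * read hits array1[0] instead of the attacker's target and the probe-array
 * access leaks nothing useful. The empty asm statement stops the compiler
 * from deleting the mask on the grounds that the branch already proved
 * x < ARRAY1_SIZE; the compiler reasons about committed execution only.
 */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
#if defined(__GNUC__)
        __asm__ __volatile__("" : "+r"(x));
#endif
        x = array_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    /* The out-of-bounds x a real attacker would aim at this process's secret. */
    size_t malicious_x = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    printf("offset an attacker would aim at: %zu (array1 has %u entries)\n",
           malicious_x, ARRAY1_SIZE);
    printf("mask(5, 16)  = 0x%zx\n", array_index_mask_nospec(5, ARRAY1_SIZE));
    printf("mask(16, 16) = 0x%zx\n", array_index_mask_nospec(16, ARRAY1_SIZE));
    printf("hardened index for x=%zu -> %zu\n", malicious_x,
           array_index_nospec(malicious_x, ARRAY1_SIZE));
    return 0;
}
```

Build with `gcc -O2 -Wall` or `clang -O2 -Wall`. The thing to notice is where the protection comes from: the vulnerable gadget’s only defence is the `if`, whose outcome the CPU predicts, while the hardened gadget computes a mask the CPU must actually calculate, so even a mispredicted branch can only ever read `array1[0]`. This is the pattern the Linux kernel applied to user-controlled indices in system call paths after Spectre was disclosed.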

Here’s a video demonstrating the Spectre attack:

The real problem here is that the defect is built right into the very complex architecture of these hardware processors, and for most affected devices it is impossible, or very, very difficult, to replace the CPU. Intel has been issuing microcode updates (delivered through firmware and operating-system updates) to help block the attacks, and the operating-system vendors have shipped software mitigations of their own, but the Intel microcode has had serious problems of its own, with patched systems rebooting unexpectedly. That led (for example) to Microsoft issuing an out-of-band security update just a day or two ago that disables the Spectre Variant 2 mitigation which depends on that microcode.

Both Intel and Apple are now facing class action suits over these defects, both for the security flaws and for the reduced performance caused by the patches. Should be interesting. ..bruce..

UPDATE: 04/04/2018

Intel has now announced that there is a large set of CPUs for which it will not be issuing microcode patches for Meltdown and Spectre. From The Register:

The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. “Stopped” indicates there will be no microcode patch to kill off Meltdown and Spectre.

The guidance explains that a chipset earns “stopped” status because, “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons.”

The CPUs in the set are mostly older ones and thus, as Intel sees it, either no longer in use or running in closed systems (not connected to the ‘nets). I think Intel may underestimate how many older systems are in daily use, due to the entrenching nature of technology. One caveat: the microcode updates principally address Spectre Variant 2 (branch target injection); Meltdown itself is mitigated in the operating system by isolating the kernel’s page tables from user processes, which needs no microcode, so a “stopped” CPU running a patched OS is not left entirely unprotected. Even if Intel is right about where these chips are, as the Register points out,

Now all Intel has to do is sort out a bunch of lawsuits, make sure future products don’t have similar problems, combat a revved-up-and-righteous AMD and Qualcomm in the data centre, find a way to get PC buyers interested in new kit again, and make sure it doesn’t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market.

..bruce..

About the Author:

Webster is Principal and Founder at Bruce F. Webster & Associates, as well as an Adjunct Professor for the BYU Computer Science Department. He works with organizations to help them with troubled or failed information technology (IT) projects. He has also worked in several dozen legal cases as a consultant and as a testifying expert, both in the United States and Japan. He can be reached at 303.502.4141 or at bwebster@bfwa.com.
