To eliminate Spectre and Meltdown, you may have to create a completely new type of processor.
Are Meltdown and Spectre too fundamental to be patched? One expert thinks so.
How do you identify and correct flaws such as Spectre and Meltdown? This question was the hottest topic among microprocessor enthusiasts this year. At one of the industry's main academic events, the Hot Chips conference, experts agreed that a final solution to the problem may require, yes, even more talk.
At a meeting in Cupertino, Professor Mark Hill from the University of Wisconsin was asked to speculate on the consequences of side-channel attacks, or attacks on speculative execution, against modern processors made by ARM, Intel, and others. He listed solutions such as specialized cores and flushing the cache on context switches, as well as business ideas such as increasing fees for exclusive virtual machines.
But the real answer, as he and other speakers said, will be to improve collaboration between software and hardware developers and, perhaps, a complete reworking of today's microprocessors.
How the whole chip industry was caught off guard
Information about Meltdown and Spectre was unexpectedly revealed at the end of 2017, shortly before these vulnerabilities were supposed to be formally, quietly disclosed at CES in January 2018. They were discovered by Google's zero-day vulnerability research team, Google Project Zero. The attacks take advantage of features of modern microprocessors such as speculative execution, in which the processor, in effect, “guesses” which branch of instructions should be executed. Paul Turner, an engineer and head of the core backbone of Google’s developers, who attended the conference, said that no member of Project Zero had warned his colleagues about the discovery; they found out about it along with everyone else.
For 20 years, microprocessor developers believed that a wrong "guess" simply discarded data without creating security risks. They were wrong, as side-channel attacks proved.
From a practical point of view, this means that one browser tab can view the contents of another, or one virtual machine can look into another. This prompted processor manufacturers, Intel in particular, together with Microsoft, to release fixes, or patches. Installing them is the most effective way to protect your PC from Spectre, Meltdown, or any subsequent attacks, such as Foreshadow.
Fortunately, extracting such information takes time, in some cases quite a lot. NetSpectre, which can exploit the Spectre vulnerability remotely, can be used to break into a cloud service or a remote machine. On the one hand, data can leak no faster than 1 bit per minute, says John Hennessy, the famous microprocessor developer and member of the board of directors of Alphabet. On the other hand, the average time between a server being hacked and the breach being detected is 100 days, he added, which may give the vulnerability time to work.
Next-generation Intel processors will probably not be able to completely fix the first variant of Spectre, Hennessy said, even though mitigations for this flaw will start to appear this fall in the design of the new Xeon processor, Cascade Lake.
Patch or redo?
ARM, Intel, AMD and other giants of the industry can fix the problem by taking the necessary measures fairly quickly, Hill added. But more fundamental changes may be required to completely eliminate the problem, he said.
“In the long run, the question is how to properly describe this process in order to potentially completely eliminate the problem,” Hill said. “Or we will have to treat it as a crime that we are only trying to contain.”
Speculative execution is one of the reasons why the microprocessor, and therefore the PC, achieved record sales, said conference participant Jon Masters, a computer systems architect from Red Hat. But it was treated as a “magic black box,” he said, with no questions asked by users or customers. This genie is already out of the bottle. Eliminating speculative execution would slow the processor down twentyfold, Hill said.
Hill’s proposed solutions include isolating the branch predictor, adding randomization, and implementing improved hardware protection. One solution might be to add slower and safer execution modes; another, splitting instruction execution between “fast cores” and “safe cores”. He also proposed business solutions, among them raising the price of virtual machines: instead of sharing hardware resources between several virtual machines, a cloud provider could provide exclusive access. Finally, Hill noted that attacks like Spectre could also lead to a resurgence of accelerators: fixed-purpose logic, optimized for one task and not relying on speculation.
But a fundamental solution to this problem would be a complete redesign of the architecture, Hill said. The computer architecture determines how the processor executes a set of program instructions using arithmetic units, floating-point units, and others. Today's chips have been designed to meet the demands of the original model. But if the underlying architectural model has a fundamental flaw, he said, perhaps it’s time for a new model. In other words, Spectre and Meltdown are not bugs, but flaws in the design of modern chips, which may require a new model.
As a result, the conference participants agreed on simple truths, such as that hardware needs to be designed with software in mind, and vice versa, and that both sides must improve security. “It often happens that hardware developers create some kind of beautiful machine, and we stop talking about it, or software developers say - well, it's iron, I have something to say about it. It’s time to stop it,” said Masters.