Meltdown & Spectre
The New Year had barely begun when new cyber threats were published.
Bewilderment again, and on more than one count: threats published as new are immediately described as having been known to specialists for a long time, but kept secret until recently. Are Meltdown and Spectre really new, or aren't they? What is the reason for keeping them secret? Hackers do not keep such news secret anyway; they spread it in their networks as soon as it emerges. Processor chip manufacturers could have used that "radio silence" to create remedies, but they did not! Since Meltdown and Spectre went public, producers of operating system software have been hurrying to close the gaps, while their respective proprietary systems are left open to exploitation. However, as often underlined: deficient hardware cannot be made acceptable by software fixes! Not only operating system software but other software suffers from Meltdown and Spectre as well! The heavy wave of patches that has to be applied to all vulnerable systems means a lot of extra work. https://www.theregister.co.uk/2018/01/09/patch_tuesday/
The processor functionality exploited by Meltdown and Spectre is called "speculative execution". How ambiguous! What does this expression mean? Within processors, instructions are not executed in one step; instead they are subdivided into small segments, which are processed one after the other. To increase processor speed, the segments of several successive instructions are processed in parallel. The basic idea of processor designers is this: in general, instructions to be executed successively are stored in memory in sequence, one after the other. If a branch in the software leads to the execution of an instruction outside of this order, all the work the processor performed speculatively on the instructions that turn out not to be executed has to be undone.
At this point, several processors displayed a vulnerability that can be exploited to execute a different instruction than the one intended. This may be a malware instruction, or it may lead to one. More detail is widely discussed on the web: https://redmondmag.com/articles/2018/01/04/cpu-security-problem-updates.aspx
Now there is great clamor. Users call for new processors that are immune to this vulnerability. Developing new processors may cost several years of development effort. Besides, the vulnerable systems in question have to be replaced. People speculate that their number may be up to 10 billion. That is a massive one followed by ten zeroes!
Yet there is another way of coping with Meltdown and Spectre and the vulnerabilities of current CPUs that they exploit: processors are built traditionally, but the architecture of the hardware surrounding them is modified in accordance with the European patent WO/2014/166753. Within this architecture, arbitrarily called CySCoS for Cyber-Safe Computer Systems, Spectre and Meltdown can cause no harm.
The hacking-resistant hardware architecture described above was invented five years ago and is capable of successfully repelling even this attack strategy. By the same token, defenders of the realm might be one step ahead of the attackers, who would be beating their heads against the wall, if only they applied the CySCoS hardware architecture.
IT security "Made in Germany".