
Pounding the Keyboard: Intel Flaws – Now What?


It’s not enough that there are viruses — Trojans, backdoors and “zero-day exploits” — out there, is it?

No, it’s not, because now there are flaws in the architecture of the processor chips that can be used to steal data from your computer or phone. A fair amount has been broadcast about the Spectre and Meltdown exploits. What are they?

First off, variations of these exploits can affect most every processor chip on the market. The 800-pound gorilla is, of course, Intel. But other competitors, such as AMD and ARM, are affected, though not as much; that means your Apple is vulnerable, as well as most PCs.
These flaws were first discovered last June by several independent research teams, including one from Google, called Google Project Zero, the function of which is to protect Google software and systems (including the Android software on your phone, as well as its search engine) from this stuff. The findings were shared with the processor manufacturers and some other software developers (think Microsoft and Amazon) in an effort to find cures before the flaws were exploited by hackers.

This has been partially successful. Many patches have been issued to shield users, but not everyone installs every patch or update, especially if they have had unhappy consequences of updates trashing things in the past.
And that they can do. A few weeks ago, I had three clients whose computers did killer updates in Windows that required wholesale rebuilding. Not good.

Where To?

Anyway, how can a processor that’s supposed to be happily executing instructions leak data? It comes from our never-ending quest for more speed.

Processors work tremendously faster than the memory chips that supply them the data. Rather than just wait around for the memory to deliver the instruction path, the processor will take a guess where it’s going next. This is called speculative execution. The processor executes some code while waiting, then when the data path arrives, it checks if the guess was correct.

If it wasn’t, it discards the results and runs with the new data. Nothing is lost, since it was just using what would have been idle time; and if the guess was right, time has been saved.

And time is the name of the game. Modern processors have three levels of processor cache that can be used for this speculation.
The specific techniques involved have names like “flush and reload” and “evict and reload,” which make the data stay in cache memory long enough to be diverted to a side channel. Chaining together a series of these reads will allow the attacker to direct where the data comes from and where it goes — which is off to them.

This causes a breakdown in all the techniques, such as “sandboxing,” that manufacturers have created to try to shield data from leaking. Of the two, Spectre is the more damaging, since it works on all processor brands; Meltdown has a slightly different technique, called “out-of-order execution,” which is specific to Intel.

JavaScript, Too

It is possible to write JavaScript code that will use these exploits while in a browser, such as Chrome, so there’s that way of introduction to your system. Research papers funded by the European Research Council, as well as the National Science Foundation and the Defense Advanced Research Projects Agency, have documented this information.

Unfortunately, although they did give the manufacturers a heads-up in order to circumvent hacking, their papers offer a clear method (for those who can understand) for using the exploit. We can only hope that the head start provided enough time to create patches that work.

As for speed, unfortunately, closing off the speculative execution functions will slow the processing, though for most users the slowdown will be unnoticeable. For massive users, such as Google and Amazon Web Services, however, it will be important. They will have to come up with new work-arounds to build speed back again. This may take some time, and will be complicated by the always intense battle between hackers and protectors.
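
For readers on Linux who want to confirm that the patches are actually switched on, here is an added example (not part of the original column): kernels carrying the fixes report each flaw's status in a file under /sys/devices/system/cpu/vulnerabilities. The function names and the sample directory below are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's Spectre/Meltdown status files.
# Patched Linux kernels expose one file per flaw; each holds a single line
# beginning "Not affected", "Mitigation: ..." or "Vulnerable...".

# classify_status LINE -> prints OK, PATCHED, EXPOSED or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        Mitigation:*)    echo PATCHED ;;
        Vulnerable*)     echo EXPOSED ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_flaws [DIR] -> prints one "flaw state detail" line per flaw;
# returns 1 if any flaw is EXPOSED or its status cannot be read, else 0.
check_cpu_flaws() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$flaw" ]; then
            IFS= read -r line < "$dir/$flaw" || true
            state=$(classify_status "$line")
        else
            line="no status file (kernel too old to report?)"
            state=UNKNOWN
        fi
        printf '%-11s %-8s %s\n' "$flaw" "$state" "$line"
        case "$state" in EXPOSED|UNKNOWN) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample data (not from a real machine) so the demo runs anywhere.
demo=$(mktemp -d)
echo 'Mitigation: PTI' > "$demo/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$demo/spectre_v1"
echo 'Vulnerable' > "$demo/spectre_v2"
check_cpu_flaws "$demo" || echo "At least one flaw is not mitigated"
rm -rf "$demo"
```

Call check_cpu_flaws with no argument to read the real status files on the machine it runs on.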

Something Lighter

The Consumer Electronics Show recently wrapped in Las Vegas. There was little this year in the way of groundbreaking technology between the new versions of massive TVs, though there was a flexible model that rolled up into a tube, and connected devices that work with Amazon Alexa and Google Assistant.
And there was hope for your bathroom.

Kohler was big with smart fixtures. It showed off its Verdera Voice mirror, which uses Alexa to control lighting and two built-in speakers, so you can check the news and the weather as you shave; there’s also a shower system with 12 water streams that is thermostatically controlled; then there’s the Numi intelligent toilet, which offers a heated seat, ambient lighting and two flush settings — in addition to playing music. Marvelous.

Unfortunately, the U.S. is far behind Japan in our mastery of toilet control technology. The Japanese have toilets that gently wash your butt and dry it with a stream of heated air, as well as play music, etc.
How dare we lose this race for consumer dominance? Write your congressman. They have nothing better to do.

Cliff Feldwick is owner of Riverside Computing and offers PC troubleshooting, network setups and data retrieval for small businesses — when not contemplating how to add WiFi to an outhouse. He can be reached at 410-880-0171 or at cliff@feldwick.com. Older columns are online at http://feldwick.com.