What is Meltdown?
Let’s say you’re trying to get a person’s safe deposit box number from a bank. This particular bank has a security guard. You go up to the guard, ask for a safe deposit box using your name, and, if your credentials don’t match, they don’t tell you the number. However, next to the security guard is a helpful bank teller. This teller has a fantastic memory, and they’re really good at their job. When a person comes in asking for a box number, the teller already has it written down on a slip of paper behind their desk. Then, once the guard confirms your identity, the teller gives you the slip of paper with the number.
Explaining #Meltdown to non-technical spouse.
“You know how we finish each other’s…”
“Sandwiches?”
“No, sentences. But you guessed ‘sandwiches’ and it was in your mind for an instant. And it was a password. And someone stole it while it was there, fleeting.”
“Oh, that IS bad.”
— Scott Hanselman 🌮 (@shanselman) January 5, 2018
This tweet explains predictive computing security flaws like Meltdown and Spectre very well. I’ve included two tweet threads going into more detail below.
This particular metaphor falls apart because, well, the box is still locked. But let’s say the only thing you needed to get into the box was the number. That number is like your password. Modern processors predict what your next actions might be and will do the work ahead of time, so the result is there when you request it. These predictions have access to parts of the memory that you do not. Often, these results are simply thrown out if they’re not needed. Other times they greatly improve the performance of your computer by serving up results at the same time you request them. However, once the processor has created these predictions, it stores them in an area of memory that applications can access, using data from memory that applications cannot access. That’s when the Meltdown attack strikes, getting that decrypted information before it’s thrown away. Meltdown was named because it “melts down” the walls between the application and the memory, which should be inaccessible and secure.
What is Spectre?
I'm going to try explaining the Spectre attack with an analogy: Imagine a bank with safe deposit boxes. Every client has an ID card, and can request the contents of various boxes, which they can then take out of the vault.
— Clay Shirky (@cshirky) January 5, 2018
This Twitter thread (in full below) explains Spectre with a metaphor in just 10 tweets.
In this scenario, a hacker accesses the private memory of another application, such as your password. Like a ghost, a malicious application can slip in, undetected, and request that information. It won’t get it, but, if you’re observing the holding place where the processor is temporarily storing the information, you can gain access to it. Spectre tricks your machine into giving a malicious program the memory contents of another program.
How are they Different?
How Can I Protect Myself?
Simply put, update your computer, your iPhone, your Android device, and anything else. Most vendors, Apple, Google, Microsoft, Amazon, and others, already have patches out. You may have updated already (Apple’s were out late last year), so don’t panic if there are no updates for your machine or device yet. If you have an Android phone older than a year, you might have to wait a while for Google’s update to come—if it comes through the pipeline at all—so upgrading your phone may be the best option. The same goes for iOS users who are on iOS devices older than 4-5 years. If you’re on the latest version of macOS, iOS, Android, and Windows, you’re safe. If your device is too old for an update, you might be in trouble.
Here’s the thing with the patches, though: for all current processors, the patch will slow your computer or device down. This is inevitable, as predictions will be walled off, slowing the system down. You can expect a 5% to 30% drop in performance, but it’s necessary. These hacks allow a hacker to access all the data on your computer, even encrypted information as it’s decrypted in transit through your machine. These are flaws in the very processor design itself, and the only way to protect users is to add additional firmware-based security between your software and the hardware. Most users won’t actually notice a difference at all, as all vendors have emphasized, but others will notice a large slowdown of some applications that relied on predictive computing.
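After updating, a Linux machine can report whether its kernel considers Meltdown and Spectre mitigated. The shell functions below are an added example, not part of the original article; they assume a Linux kernel new enough to expose `/sys/devices/system/cpu/vulnerabilities` (a path the article does not mention), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Meltdown/Spectre status report.
# Assumption: Linux with the sysfs "vulnerabilities" directory; other
# operating systems named in the article need their vendor's own tooling.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<text>" -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU does not have the flaw
        "Mitigation:"*)  echo MITIGATED ;;   # patch is active
        "Vulnerable"*)   echo VULNERABLE ;;  # flaw present, no mitigation
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [dir] -> prints one line per issue; returns 1 if any
# issue is VULNERABLE or has no report (kernel too old to say).
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
            verdict=$(classify_status "$text")
        else
            text="no report from this kernel"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$text"
        case "$verdict" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return $rc
}

# To use: source this file, then run `check_cpu_vulns` for the live system
# or `check_cpu_vulns /some/dir` for a copy taken from another machine.
```

A non-zero return means at least one of the three issues is unpatched or unreported, which is the cue to install pending kernel and firmware updates.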
Will this Always be a Problem?
Short answer: no. Longer answer: it will be a problem until you buy a new computer, or at least a new processor. Those of you who have built computers before might want to consider a new processor for your next upgrade, not only for the security, but also for the 5%-30% performance boost you can see just by allowing predictive computing back on your machine without software blockades.
https://twitter.com/selenalarson/status/949309486702866432
It’s true, but you should still update to protect yourself.
Meltdown and Spectre are fascinating, as they turn something vital for modern processor performance against us. Predictive computing like this will only grow, and we’ll have to be sure that we’re more careful in the future. On a larger scale, artificial intelligence will be able to predict (and already is predicting) what users will want and have things, such as search results, pre-loaded in the cache, so it has finished loading a website before you finish your search phrase. We need tools like these, and we need rapid access to results, but security must always be considered first.
Sources:
- Devin Coldewey, TechCrunch: “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?”
- MeltdownAttack.com: Meltdown and Spectre
- Paul Miller, The Verge: “Explaining Meltdown with parallel worlds, libraries, and a bank heist.”
- Jack Morse, Mashable: “Here’s what you need to know about Spectre and Meltdown.”
As promised, here are two full tweet threads explaining Spectre and Meltdown, respectively. Enjoy!