The Hindu Explains: Spectre and Meltdown

Computer processors are pictured on January 5, 2018 in Paris | Photo Credit: AFP

As serious security issues have been discovered with processors, tech companies have been trying to fix them. Intel’s processors are the worst affected with almost all the chips manufactured post-1995 at risk of an attack.

What happened?

On January 4, 2018, researchers from Google's Project Zero team reported that they had discovered serious security flaws affecting processors built by Intel and other chipmakers.

These flaws could allow hackers to steal data from machines with chips made as far back as 1995.

What are Spectre and Meltdown?

Meltdown could allow hackers to circumvent the hardware barrier between applications run by users and the computer’s core memory. It is named ‘Meltdown’ because the “vulnerability basically melts security boundaries which are normally enforced by the hardware,” states the official website hosted by the Graz University of Technology. “This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”

Spectre can cause applications to be tricked into giving up secret information. Spectre’s name comes from the phrase ‘speculative execution.’

The site states, “It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”


What was the issue?

Tech companies usually withhold information about security issues until they have a fix, to deter hackers from exploiting them. In this case, Intel had to disclose the flaw after British technology site The Register reported it. Intel’s stock fell, and the company admitted to the existence of the flaw.

One of the researchers who found the flaw said that it is “probably one of the worst CPU bugs ever found.”

Who found it?

Meltdown was independently discovered and reported by three teams — Jann Horn from Google Project Zero; Werner Haas and Thomas Prescher from Cyberus Technology; Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology.

Spectre was independently discovered and reported by two people — Jann Horn from Google Project Zero; Paul Kocher in collaboration with Daniel Genkin from University of Pennsylvania and University of Maryland, Mike Hamburg from Rambus, Moritz Lipp from Graz University of Technology, and Yuval Yarom from University of Adelaide and Data61.

What have tech companies done?

Google has issued patches to fix the flaws on its devices. Users of Android OS on devices not manufactured by Google still have to wait for fixes. Apple has issued a security update. Cloud services such as Amazon Web Services and Google’s Cloud Platform have said that they are in the process of patching systems.
