Sputnik: How did you discover this security flaw?
Daniel Gruss: We were investigating the activity around the Kaiser patch threat that we proposed, because we proposed this for some other type of threat that was less severe than Meltdown and Spectre. While we looked at the activity that happened around this patch set we noticed that the Amazon developers were working towards merging these patches, although they would have incurred a performance penalty of up to 400 percent, in the worst case, and we thought that it was impossible that they were doing that for some irrelevant side channel and thought they were doing this for something much bigger. So we started investigating and this is how we found Meltdown in the end.
Sputnik: Meltdown is reportedly the worst bug ever found. How much damage can it do?
Sputnik: How dangerous is this really, and what kind of risk is this for an ordinary computer user?
Daniel Gruss: Right now we don’t expect that anyone is going to exploit it from a JavaScript script anytime soon, first because browser vendors have already made steps towards protecting them against the Spectre attack, and the Meltdown attack has not been demonstrated from a JavaScript script yet. The other attack vector is that you download a file somewhere, or install something which contains the attack code. If this is the case, you are of course susceptible unless you have installed updates. Especially now and within the next days and weeks, everyone should make sure they have their system updated all the time. If you have a very old Android version, you might want to update it and if you have a very old Linux version, you might want to update it too. So you can get these new [security] patches, including the Kaiser patch.
Sputnik: Is this a normal kind of situation when technology advances, and things that were previously safe become risky because some other technology has grown exponentially, more than the original technology?
Daniel Gruss: I think it’s a very rare situation that we have a bug that is present on all processors, it’s affecting Intel, it’s affecting AMD and ARM, so all processor manufacturers are affected. I think there was too little focus on security in processor design during the past 10 to 20 years. So the focus for processor vendors is to improve their performance. No one will buy a CPU if it is 10 percent slower, but at the same time, it is safer against these and these attacks, which probably no one has heard of. So they wouldn’t make any money if they would do that. So they of course have to focus on making processors faster and more efficient. Security so far was only something that you would accept if it does not decrease performance. If it decreases performance, then no one would accept the security mechanism. But now this might change. The biggest danger now exists to personal computers and laptops and there will be increased risks for cloud systems and smartphones within the next weeks and months when the Spectre attack might be weaponized. We don’t know how long this will take because writing and exploiting [security patches] might be difficult. It could also be difficult to prevent Spectre attacks completely.
The views expressed in this article are solely those of Daniel Gruss and do not necessarily reflect the official position of Sputnik.