Strategic Communications and Marketing News Bureau

Are you vulnerable to newly discovered online security risks?

Last week, experts discovered two serious computer security flaws that could leave nearly all computer users vulnerable to hacking of personal information while online. The culprits, called Meltdown and Spectre, could wreak havoc on personal security if ignored. Physical Sciences editor Lois Yoksoulian spoke with computer science professor Chris Fletcher about the issue.

What exactly are Meltdown and Spectre?

Meltdown and Spectre are new vulnerabilities that allow hackers to steal your private information through malware. The culprit is a hardware feature called “speculative execution,” a feature found in modern processor chips. Speculative execution is a performance technique where processors predict and perform work that they think will be needed in the future.  

Suppose you are logging into your computer account, and that you are currently typing in your password. With speculative execution, your processor can predict that you correctly type your password, thereby allowing it to speculatively obtain your account details ahead of time. If this really is your account, and the prediction is correct, your account information appears faster. If this is not your account, and the prediction is incorrect, your processor will throw out the speculative work. Despite this, however, the account details were prepared and lived on your computer for a short period. The Meltdown and Spectre vulnerabilities are ways for hackers to grab this information before it gets thrown out.

How were these vulnerabilities discovered?

Meltdown and Spectre were discovered independently by several teams of researchers in academia and industry, including Google, Cyberus Technology, the University of Graz and several others. These teams became aware of each other’s work through their responsible disclosure of the vulnerabilities to Intel, which worked with its major clients (Microsoft, Amazon, etc.) to prepare a software patch, before the attacks were publicly announced last week.

Right now, the patch defends against Meltdown but not for all forms of Spectre. This was a critical first step. Meltdown is the more immediate danger in that it is relatively easy for a hacker to exploit. Spectre is harder to exploit but also harder to mitigate. As it stands, Meltdown only impacts Intel processors, whereas Spectre impacts processors from Intel as well as those from other vendors such as ARM and AMD.

Is it true that everybody is vulnerable?

Yes.  Hardware speculative execution has been around in commercial chips since the 1990s. Nowadays, everyone (Intel, AMD, ARM, etc.) uses it for performance reasons.

What can everyday computer and mobile device users do to protect themselves?

The most important action to take is to check and keep rechecking all of your devices – laptops, desktops, mobile phones – for security updates. The major operating system vendors are pushing out the software patch for Meltdown, but not all vendors are there yet. Keep an eye out for updates in the next week. Even better, check online as to whether your current operating system is sufficiently up to date. There have been reports about third-party software that have been inadvertently blocking the updates. So, it is good to be proactive.

A hacker simply needs to run malware on your machine to perform the attacks. The easiest way for malware to creep into your system is through your web browser – for example, if you accidentally visit a malicious website due to phishing. Therefore, in the immediate future, it is also a good idea to be extra vigilant about which web pages you visit and which links you follow.

Even if there is a fix now, are future devices at risk?

Unfortunately, speculative execution is here to stay, as it is too vital to a processor’s performance. Furthermore, Meltdown and Spectre are only the first attacks that exploit speculative execution. Even after fixing these two, it is likely that new speculative execution-based attacks will crop up in the future.

The recent events are also a wake-up call that we must take what are called “microarchitectural side channel attacks” more seriously. MASCAs are an essential ingredient in both Meltdown and Spectre, and have been an active area of research for at least the last decade. Over the years, there has been a steady trickle of malicious things done with MASCAs (for example, they can steal a user’s keystrokes or password), but these occurred mostly in a lab setting due to the steep requirements they imposed on attackers. One of the novelties in Meltdown and Spectre is to amplify the damage of MASCAs to steal more data than was possible before.

Thus, a compelling direction to protect future systems is to implement protection against MASCAs. MASCA protection and speculative execution are not mutually exclusive.  Multiple research proposals from the computer architecture and security communities support both.  The catch is that for real, long-term protection, chip vendors must commit to broad MASCA protection. Point defenses against specific MASCAs are doomed to fail: Attackers will simply find another MASCA to exploit. We must invest in provable protections against broad classes of MASCAs, without making assumptions about which MASCA the attacker will try to use next.

 

Editor’s note: To reach Chris Fletcher, email cwfletch@illinois.edu.

Read Next

Life sciences Portrait of the research team posing together.

Minecraft players can now explore whole cells and their contents

CHAMPAIGN, Ill. — Scientists have translated nanoscale experimental and computational data into precise 3D representations of bacteria, yeast and human epithelial, breast and breast cancer cells in Minecraft, a video game that allows players to explore, build and manipulate structures in three dimensions. The innovation will allow researchers and students of all ages to navigate […]

Arts Photo of seven dancers onstage wearing blue tops and orange or yellow flowing skirts. The backdrop is a Persian design.

February Dance includes works experimenting with live music, technology and a ‘sneaker ballet’

CHAMPAIGN, Ill. — The dance department at the University of Illinois Urbana-Champaign will present February Dance 2025: Fast Forward this week at Krannert Center for the Performing Arts. February Dance will be one of the first performances in the newly renovated Colwell Playhouse Theatre since its reopening. The performances are Jan. 30-Feb. 1. Dance professor […]

Honors portraits of four Illinois researchers

Four Illinois researchers receive Presidential Early Career Award

CHAMPAIGN, Ill. — Four researchers at the University of Illinois Urbana-Champaign were named recipients of the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the U.S. government on young professionals at the outset of their independent research careers. The winners this year are health and kinesiology professor Marni Boppart, physics professor Barry Bradlyn, chemical and biomolecular engineering professor Ying […]

Strategic Communications and Marketing News Bureau

507 E. Green St
MC-426
Champaign, IL 61820

Email: stratcom@illinois.edu

Phone (217) 333-5010