This Wednesday (3), we found out that there are two major flaws in processors developed over the last twenty years. Security researchers from Google say that Spectre affects chips from Intel, AMD and ARM, while Meltdown seems to be restricted to Intel.
This means that the security flaws are present in laptops, servers and smartphones, all areas in which Google operates. The company has therefore detailed what it is doing to mitigate the problem.
Basically, Spectre allows an application to leak sensitive information to another application, breaking security mechanisms such as Google Chrome's sandbox.
As we explain here, the problem is in speculative execution. Modern processors try to guess which code will be executed next in order to speed up performance. They can be induced to run code that seems to have been “guessed” but is in fact malicious.
Meanwhile, Meltdown consists of accessing memory reserved for the operating system kernel, which has greater permissions. Intel processors have a safety mechanism to prevent this, but it can be broken.
To fully resolve Meltdown, it would be necessary to redesign the chips. Therefore, the way forward is to act via software, completely separating user-process memory from kernel memory. The technique is called KPTI (Kernel Page-Table Isolation), and it can reduce performance by between 5% and 30%.
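One way to confirm that KPTI is active on a Linux machine, as an added example that is not part of the original article. It assumes a kernel that exposes per-flaw status files under /sys/devices/system/cpu/vulnerabilities; the sample directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Classify one status line from the kernel's vulnerabilities directory.
# Prints: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Report Meltdown and both Spectre variants.
# $1 = directory to read (defaults to the real sysfs path).
report_cpu_flaws() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            line=$(head -n 1 "$file")
            printf '%s %s (%s)\n' "$name" "$(classify_status "$line")" "$line"
        else
            # Kernels without this interface expose no file;
            # absence is not proof that the machine is safe.
            printf '%s unknown (no sysfs entry)\n' "$name"
        fi
    done
}

# KPTI is active when the meltdown entry reports "Mitigation: PTI".
kpti_enabled() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -r "$dir/meltdown" ] && grep -q '^Mitigation: PTI' "$dir/meltdown"
}

# Constructed sample standing in for a patched Intel machine.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
report_cpu_flaws "$sample"   # call with no argument to read the live system
rm -rf "$sample"
```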
Here is what Google is doing to mitigate the problem via software:
Chrome 64, to be released on 23 January, will have additional protections to prevent exploits. Future versions will include more preventive measures, but Google warns that this “can lead to a reduction in performance”.
Currently, Chrome already has a feature to mitigate Spectre, called Full Site Isolation. It can be enabled at the address chrome://flags/#enable-site-per-process. This works on Windows, macOS, Linux and Android; on iOS, the browser uses Apple's rendering engine.
Devices with Chrome OS will receive the same measures as the Chrome browser. In addition, on laptops with Intel processors, “kernels 3.18 and 4.4 are corrected with the Kernel Page Table Isolation (KPTI) in Chrome OS 63 and above”. Older kernels will be updated soon.
According to Google, the flaw does not affect Chromebooks with ARM processors. Still, they “will also be updated with the KPTI in a future version”. This list shows which devices have received (or will receive) the update.
Google says that exploiting the newly discovered flaws “proved to be difficult and limited on most Android devices”.
Still, the system received a security update, distributed to manufacturers in December 2017. It “includes mitigations reducing access to high-precision timers that limit attacks in all known variants on ARM processors”. Future updates will come with additional mitigations.
Google has already updated its Nexus 5, Nexus 6P, Pixel C, Pixel/XL and Pixel 2/XL. As for other Android devices, it depends on each manufacturer.
Google Home, Chromecast, Google Wifi, Google OnHub
These devices “run only trusted code from Google and are not under risk of this attack,” the company says.
Google services, including Google Apps/G Suite
The company says that its infrastructure is protected, including its services (search, ads, YouTube, Maps, G Suite) and “customers' data stored by Google.”
The Google Cloud platforms “isolate the workloads of the clients from each other, and are protected against known attacks for the three variants”. You can check out more details in this link.