Specifically, the attacker could make the processor speculatively execute some code to read a part of memory it shouldn’t be able to.
While it pays off in performance speed, it also creates new security issues. To keep performance up, engineers employ a trick: they give the processor the power to execute multiple instructions while it waits for memory - and then, once memory is ready, discards the ones that weren’t needed. If systems always had to wait for memory before doing the next step of an action, they’d spend much of their time sitting idle. To use a simplified example, someone who’s guessing a PIN might first try combinations “1111” through “9111." If the first eight guesses take the same amount of time, and "9111" takes a nanosecond longer, then that one most likely has at least the "9" right, and the attacker can then start guessing "9111" through "9911", and so on and so forth.Īn operation that’s especially vulnerable to these so-called “timing attacks” is accessing memory. With Meltdown and Spectre, hackers exploited the fact that operations all take slightly different amounts of time to execute. Their method could have immediate applications in cloud computing, especially for fields like medicine and finance that currently limit their cloud-based features because of security concerns. Lebedev and his colleagues believe that they’ve made an important new breakthrough in this field, with an approach that makes it much harder for hackers to cash in on such vulnerabilities. “They’ve shown that we need to be paying much more attention to the microarchitecture of systems.” “These attacks fundamentally changed our understanding of what’s trustworthy in a system, and force us to re-examine where we devote security resources,” says Ilia Lebedev, a PhD student at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL). Instead, they arose from the architecture of the processors themselves - that is, the millions of transistors that work together to execute operations.
#Spectre meltdown software#
Perhaps the most alarming thing about these vulnerabilities is that they didn’t stem from normal software bugs or physical CPU problems. While lawyers for the plaintiffs have yet to comment, Davila has given them until June 30 to repeal their claims.In January the technology world was rattled by the discovery of Meltdown and Spectre, two major security vulnerabilities in the processors that can be found in virtually every computer on the planet. By saying its newer processors were faster and longer-lasting wasn’t a falsehood as the patches may have disrupted performance. Davila also stated that the company’s marketing wasn’t false or misleading. Customers claimed Apple first learned about the flaws in June 2017 and didn’t share until the New York Times reported the issue.ĭavila dismissed the case as Apple assertions that its products were ‘secure’ and ‘private’ were too general to support customer claims. These flaws could potentially let hackers access computer devices and steal memory contents. Reuters says the lawsuit came after Apple revealed the Meltdown and Spectre security flaws in 2018. District Judge Edward Davila in San Jose, California said customers failed to prove that they overpaid for their devices because Apple knowingly concealed defects, and provided security patches that made its devices significantly slower. Apple defeats the class-action lawsuit over security flaws The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory – including that of the kernel – from a less-privileged user process such as a malicious app running on a device.
#Spectre meltdown mac#
While all Mac and iOS devices were hurt by the vulnerability, Apple stated there were no known exploits affecting customers. This week, a US judge is dismissing a proposed class-action lawsuit that accuses Apple of defrauding customers, according to Reuters.īack in 2018, Meltdown and Spectre security flaws were affecting ARM-based and Intel processors. Four years ago, we learned of the Spectre and Meltdown security flaws affecting Mac and iOS devices.
0 kommentar(er)
