Worrying about the tyres while the car’s on fire
Growing up, my father constantly gave me advice in the form of single-sentence philosophical soundbites. I couldn’t stand it at the time, but, over the course of my career I have parroted them far more often than I care to admit. The one I’ve found myself repeating more than any other is: “you’re worrying about the tyres while the car is on fire”. It is easy to get excited about new or dramatic information, especially when it potentially affects our business – yet too often organisations focus on the hot topics, while the broader enterprise is jeopardised by risks that remain overlooked or are simply put into the “too hard basket”. This article will provide a high-level technical breakdown of what has likely been the most widely-reported group of vulnerabilities to date, collectively referred to as Spectre and Meltdown. It will cover how speculative execution works, how it is vulnerable to attack, why the reach of Spectre and Meltdown is so broad and their impact potentially so catastrophic, and the current mitigations available. But I will also offer a case for why they are – at least for the time being – unlikely to be your business’ top cyber risk. For most readers Spectre and Meltdown are unlikely to even be your organisation’s most severe technical vulnerability – but they are almost certainly the most well-known. In closing, I will outline how a solid implementation of the security basics is typically the best protection against emerging threats.
To understand the risk posed by Spectre and Meltdown, it is worth briefly outlining the principle of speculative execution. For decades CPUs have been designed to perform their number-crunching duties ‘out-of-order’ to attain processing speeds beyond what is achievable from a simple sequential instruction cycle. Modern processors typically achieve this via speculative execution, in which multiple execution branches are prepared simultaneously and the hardware assumes – or ‘speculates’ – about which branch is likely to be taken. When this speculation is accurate, the processing time is decreased as the instructions have already been calculated; when it is not, the unnecessary calculations are simply discarded. The fundamental flaw in this process is that speculative execution allows for privileged information to be observed by a process of lower privilege…Click here to read full article.