Home / Blogs

Meltdown and Spectre: Security is a Systems Property

I don't (and probably won't) have anything substantive to say about the technical details of the just-announced Meltdown and Spectre attacks. (For full technical details, go here; for an intermediate-level description, go here.) What I do want to stress is that these show, yet again, that security is a systems property: being secure requires that every component, including ones you've never heard of, be secure. These attacks depend on hardware features such as "speculative execution" (someone I know said that that sounded like something Stalin did), "cache timing", and the "translation lookaside buffer" — and no, many computer programmers don't know what those are, either. Furthermore, the interactions between components need to be secure, too.

Let me give an example of that last point. These two attacks are only exploitable by programs running on your own computer: a hacker probing from the outside can't directly trigger them. Besides, since the effect of the flaws is to let one program read the operating system's memory, single-users computers, i.e., your average home PC or Mac, would seem to be unaffected; the only folks who have to worry are the people who run servers, especially cloud servers. Well, no.

Most web browsers support a technology called JavaScript, which lets the website you're visiting run code on your computer. For Spectre, "the Google Chrome browser… allows JavaScript to read private memory from the process in which it runs". In other words, a malicious website can exploit this flaw. And the malice doesn't have to be on the site you're visiting; ads come from third-party ad brokers.

In other words, your home computer is vulnerable because of (a) a hardware design flaw; (b) the existence of JavaScript; and (c) the economic ecosystem of the web.

Security is a systems property…

By Steven Bellovin, Professor of Computer Science at Columbia University – Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

Cybercrime

Sponsored byThreat Intelligence Platform

IP Addressing

Sponsored byIPv4.Global

New TLDs

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex